FortiGuard Labs Threat Research

A Peek into BlackMoon’s Sustained Attacks against South Korea

By Roland Dela Paz | July 20, 2016

A few months ago, we talked about a malicious campaign that targets South Korean users in the form of malware known as BlackMoon. BlackMoon is a banking Trojan that installs a proxy auto-config file (PAC) on an infected system in order to redirect users’ browsers to phishing pages related to South Korean banks.

Back then, we noticed an open directory in the C&C that revealed over 100,000 victims. Given this impact, we decided to dig further in order to understand better the scale of this attack. Mainly, we wanted to know if the statistics displayed by the C2 were real. If so, then we are looking at a not well talked about but highly active attack against South Korean users.

This post shares our findings from ten weeks of monitoring this threat.


We monitored BlackMoon malware samples, extracted C2s and harvested C2 statistics. The C2 statistics contained useful intelligence, including infection statistics and victim information such as IP addresses, MAC addresses, operating systems, geolocations, and infection timestamps. It is important to note that no victim banking information was available in the C2 statistics, or have been collected in this research.

Below is an example of live C2 statistics translated from Chinese to English:

Description: C:\Users\rolandd\Desktop\blackmoon\blackmoon_followup\2.1.png

C2 statistics only display 30 victim logs at a time, so the logs had to be periodically downloaded in order to harvest as much victim intelligence as possible. Furthermore, there are typically more than one BlackMoon C2s running at the same time and displaying different statistics and logs had to be downloaded simultaneously from multiple C2s.

The following statistics cover intelligence collected from May 10, 2016 to July 19, 2016.

Infection Profile

Reportedly distributed through adware and exploit kits, we can see below that the BlackMoon perpetrators are consistently able to infect users, averaging 443 infections per day:

Figure 1. BlackMoon daily infection from May 10, 2016 to July 19, 2016 based on statistics collected from C2s

It is important to consider that since we are only able to collect 30 logs at a time, we are seeing only a fragment of the total victim logs. Therefore, the results presented here are best interpreted as “at least” counts.

The following chart shows the top 15 most affected countries using victim IP geo-location:

Figure 2. Top 15 most affected countries from May 10, 2016 to July 19, 2016

As can be seen, Korea has the highest infection count, followed by the United States and Canada, which have large Korean populations. So it is possible that the victims seen from other countries represent Koreans living overseas. Minor infection counts may also be from sandboxes or infected machines used by security researchers.

Command and Control

BlackMoon perpetrators utilize web hosting companies to host their C2 servers. A typical BlackMoon C2 contains the following files:

  • /index.php – contains the string “Hello World”
  • /mac.php – unknown
  • /test.php – unknown
  • /ca.php – C2 gate
  • /co{redacted}.php – contains C2 statistics

In some cases, the C2 hosts  “popup.php” which contains a list of targeted South Korean banks. How this PHP script is used in the campaign is unknown at the moment:

Description: C:\Users\rolandd\Desktop\blackmoon\blackmoon_followup\5.1.png

Figure 3. PHP script containing target Korean banks

We also learned that an average of four new BlackMoon C2 IPs are created per day. The following chart shows the distribution of C2 locations of BlackMoon:

Figure 4. Location of BlackMoon C2s


At the time of this writing, the BlackMoon perpetrators have abused a total of 12 web hosting companies from the US, 11 from China, and four in Hong Kong.


In total, we managed to collect the following from our monitoring:

  • 2,705 BlackMoon samples
  • 341 C2 IPs
  • 26 web hosting companies abused to host C2s
  • 23,013 victim logs
  • 18,969 unique victim IPs
  • 20,948 unique victim MAC addresses

While we were unable to verify all 100K+ victims initially displayed by the BlackMoon C2, the massive amount of unique victim IP and MAC addresses collected during our research is a strong indication that BlackMoon has able to successfully infect at least tens of thousands of users. 

Furthermore, the daily appearance of new BlackMoon samples and C2s demonstrates how active the BlackMoon threat is, and that more attention needs to be drawn to this sustained attack against South Korean users.

Fortinet detects BlackMoon binaries as W32/Bankoren variants, and blocks its network communication via the Application Control signature Blackmoon.Botnet.

-= FortiGuard Lion Team =-


BlackMoon C2s:

BlackMoon SHA-256 hashes: