A few months ago, we talked about a malicious campaign that targets South Korean users in the form of malware known as BlackMoon. BlackMoon is a banking Trojan that installs a proxy auto-config file (PAC) on an infected system in order to redirect users’ browsers to phishing pages related to South Korean banks.
Back then, we noticed an open directory in the C&C that revealed over 100,000 victims. Given this impact, we decided to dig further in order to understand better the scale of this attack. Mainly, we wanted to know if the statistics displayed by the C2 were real. If so, then we are looking at a not well talked about but highly active attack against South Korean users.
This post shares our findings from ten weeks of monitoring this threat.
We monitored BlackMoon malware samples, extracted C2s and harvested C2 statistics. The C2 statistics contained useful intelligence, including infection statistics and victim information such as IP addresses, MAC addresses, operating systems, geolocations, and infection timestamps. It is important to note that no victim banking information was available in the C2 statistics, or have been collected in this research.
Below is an example of live C2 statistics translated from Chinese to English:
C2 statistics only display 30 victim logs at a time, so the logs had to be periodically downloaded in order to harvest as much victim intelligence as possible. Furthermore, there are typically more than one BlackMoon C2s running at the same time and displaying different statistics and logs had to be downloaded simultaneously from multiple C2s.
The following statistics cover intelligence collected from May 10, 2016 to July 19, 2016.
Figure 1. BlackMoon daily infection from May 10, 2016 to July 19, 2016 based on statistics collected from C2s
It is important to consider that since we are only able to collect 30 logs at a time, we are seeing only a fragment of the total victim logs. Therefore, the results presented here are best interpreted as “at least” counts.
The following chart shows the top 15 most affected countries using victim IP geo-location:
Figure 2. Top 15 most affected countries from May 10, 2016 to July 19, 2016
As can be seen, Korea has the highest infection count, followed by the United States and Canada, which have large Korean populations. So it is possible that the victims seen from other countries represent Koreans living overseas. Minor infection counts may also be from sandboxes or infected machines used by security researchers.
BlackMoon perpetrators utilize web hosting companies to host their C2 servers. A typical BlackMoon C2 contains the following files:
In some cases, the C2 hosts “popup.php” which contains a list of targeted South Korean banks. How this PHP script is used in the campaign is unknown at the moment:
Figure 3. PHP script containing target Korean banks
We also learned that an average of four new BlackMoon C2 IPs are created per day. The following chart shows the distribution of C2 locations of BlackMoon:
Figure 4. Location of BlackMoon C2s
At the time of this writing, the BlackMoon perpetrators have abused a total of 12 web hosting companies from the US, 11 from China, and four in Hong Kong.
In total, we managed to collect the following from our monitoring:
While we were unable to verify all 100K+ victims initially displayed by the BlackMoon C2, the massive amount of unique victim IP and MAC addresses collected during our research is a strong indication that BlackMoon has able to successfully infect at least tens of thousands of users.
Furthermore, the daily appearance of new BlackMoon samples and C2s demonstrates how active the BlackMoon threat is, and that more attention needs to be drawn to this sustained attack against South Korean users.
Fortinet detects BlackMoon binaries as W32/Bankoren variants, and blocks its network communication via the Application Control signature Blackmoon.Botnet.
-= FortiGuard Lion Team =-
BlackMoon SHA-256 hashes: