Updated Blackmoon banking Trojan stays focused on South Korean banking customers

January 19, 2016 Proofpoint Staff

First analyzed in early 2014 [1] [2], the Blackmoon banking Trojan targets a user’s online banking credentials using a type of pharming that involves modifying or replacing the local Hosts file with one that redirects online banking domain lookups to an IP address controlled by the attacker. Blackmoon has been observed targeting primarily customers of South Korean online banking sites and services, and is usually distributed via drive-by download.

Like other banking Trojans targeting online banking users in other countries, Blackmoon continues to evolve both their distribution and delivery technique. Proofpoint threat researchers recently observed a sample of the Blackmoon Korean banking Trojan (7e67216628d9a171be0ce18c51fda8ce) retrieving encoded configuration information from the “lofter[.]com” blogging platform.

Figure 1: Encoded configuration block found on the lofter[.]com blogging platform

Executable Process

The malware arrives on the system as an executable. (The original delivery method of this sample is unknown, but previous analyses have found it spreading via download from an infected site.)

Figure 2: Information from PEStudio for 7e67216628d9a171be0ce18c51fda8ce

Once executed, the dropper extracts a DLL from itself and launches the DLL via rundll32.exe, calling the dropper filename as a parameter that deletes the original dropper from disk. The DLL and the folder it resides in are named using 6 random alphabetical characters.

Figure 3: BlackMoon DLL (84E2D574085C77F47E801F5326E83D73) launching via rundll32.exe

Figure 4: Blackmoon strings present in 84E2D574085C77F47E801F5326E83D73

The malware sets persistence by running the command

Figure 5: Blackmoon DLL persistence setting in registry key

The malware calls out to a hardcoded website address to retrieve the encoded configuration block. It parses the page looking for “###” and extracts the data until a subsequent “###”: this is the encoded configuration block (Fig. 6).

Figure 6: The encoded Blackmoon configuration block.

The malware makes use of JavaScript to handle the encoding and decoding of strings. The decoding can be described as case-swapped base64 with a substituted padding character of ‘@‘. (A python script for decoding is included at end of this post.).

Figure 7: Calling decoding routine in malicious JavaScript

Figure 8: Decoded Configuration Block

The malware also utilizes this encoding to register the infected host.

Figure 9: Blackmoon infected client check-in

Figure 10: Decoded SID parameter for infected client

The malware clears the DNS resolver cache by running the command ipconfig.exe /flushdns, and then sets the values found in the [Dns] section of the config block to the infected client’s DNS server settings. In this case it is 127.0.0.1 with the Google primary public DNS server of 8.8.8.8 as a backup.

With the primary DNS set to the loopback address, the malware rewrites the infected client’s Hosts file with search engine and banking sites that will resolve to the attacker's server. The list of domains to redirect is hardcoded in the malware. The value in the [Host] field of the configuration block replaces “IP#“ when it is written to the Hosts file.

Figure 11: The Modified HOSTS file before (right) and after (left) the IP from the Configuration Block is replaced.

The malware also searches for a folder “\NPKI\” containing .cer or .der files on the infected client. If found, the malware extracts a command line RAR executable from itself and saves it to “\Documents and Settings\Administrator\Local Settings\Temp” as “zip.tmp”. Then the malware archives the NPKI folder with the following command:

zip.tmp a -hp@#@2016999# "D:\NPKI.z" "D:\NPKI"

The malware will then send the password protected archive to the value of the [Upload] field in the configuration block via HTTP POST. It is likely that the content of the NPKI folder are used to impersonate an end-user in order to access their online banking information and accounts. [3] [4]

Figure 12: The Blackmoon DLL sending NPKI RAR archive

The configuration block also includes a [Time] value that indicates how often the malware checks for a new configuration block.

Once the infected client’s Hosts file has been updated with the redirected domains, a user visiting any of the search engine sites with the infected client will often see the following message:

Figure 13: Message displayed when user of infected client visits a domain listed in modified Hosts file

This message roughly translates to:

Financial Supervisory Service is conducting an authentication process did you install the security certificate for this PC?

※ Certificate must verify the security and privacy of information leakage incidents in the auction using Internet banking Guests prevent financial fraud, please see below.

※ You cannot access the Internet Banking more safely receive the security certification process.

※ Please click the bank name that you use to proceed to the secure authentication procedures.

A user who clicks on one of these online banking site names in order to login would be presented with the following sequence pages:

Figure 14: Fake online banking web site using stolen branding

While this page appears legitimate, clicking on any element on the page brings up an alert.

Figure 15: Fraudulent security notification to end user

This roughly translates to:

Safer internet 03.24.2014 (Will) for banking using internet banking, smart Banking, Phone Banking To The use of all services (private. Company) can then use additional authentication.

Clicking the OK button brings up a brief loading message:

Figure 16: Loading message displayed when user accepts warning

Which is then followed by a two-stage credential theft phish.

Figure 17: First page of credential theft phishing, with stolen branding

Figure 18: Second page of credential theft phishing, with stolen branding

The phishing pages include user input validation capabilities that surpass those typically found in phishing pages, such as validating that the user has entered their name using the proper character set, as well as numerous checks to ensure that a valid “Social Security number” (officially called a Resident Registration Number in South Korea) has been entered.

Figure 19: Phishing page form input validation for character set

Figure 20: Phishing page form input validation for South Korean equivalent of Social Security Number

This infection chain is consistent with examples documented in early 2014, with two noteworthy updates to distribution and delivery technique:

Distribution via the lofter[.]com blogging platform, with frequent changes to the backend web servers.
Addition of encoding for C2 information in payload download.

These changes are consistent with updates Proofpoint researchers have recently observed in other malware, from highly targeted malware such as the Operation Arid Viper payload [5] to broad-based campaigns such as those distributing Dridex [6]. Organizations can expect to see continued variation in obfuscation techniques and distribution as attackers attempt to stay ahead of evolving defenses.

References

[1] http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-_BlackMoon_Ver_1.0_External_ENG.pdf

[2] https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/

[3] http://www.hikorea.go.kr/pt/PublicCertificate_en.pt

[4] http://grrrltraveler.com/countries/asia/korea/expat-life/online-banking-korea/

[5] http://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View

[6] http://www.proofpoint.com/us/threat-insight/post/Not-Yet-Dead

Blackmoon DLLs

Name: yQkUz.dll

MD5: 84e2d574085c77f47e801f5326e83d73

SHA256: ad062b7cba8f149a585018938b45f65698dde3a049a6f50fd4e355e68b562fc3

Compile Time: 2016-01-07 18:08:45

Name: pkNQy.dll

MD5: 9be8a5edc5f0a57d09b733c18a3740c7

SHA256: 4e94d38c1939ca7c6928da062b01e381e7a925ae4c66945f598f090c8d79a6a0

Compile Time: 2016-01-10 05:09:38

Name: OUikm.dll

MD5: 255fd48dd681058d9cb84e4c6dbd92f6

SHA256: 8fbacfa948ba95cbe7e6f44a7974f621259a0c23c43a4a4c3d8e3e163604388a

Compile Time: 2016-01-09 09:43:13

Name: uyonu.dll

MD5: 949482b0aa3ecc019d63d10a46539302

SHA256: df821948e3362a5accdefc444b4bdf8e370f77af65fabbbd371cd95d1c181347

Compile Time: 2016-01-07 18:08:45

Blackmoon EXE Droppers

Name: sa.exe (Analyzed)

MD5: 7e67216628d9a171be0ce18c51fda8ce

SHA256: f0dd2eeaaeb85ab98f0d2d04151b7a56fa3d0c427e9356049cbc4f41bcfabf72

Compile Time: 2016-01-07 18:25:05

Name: smss.exe

MD5: 86a16809fe21cc389740866dfc73abe3

SHA256: 6f250727e69716776f3bb594715a7e10bea65e35556f1dc3a922b63f40611b39