Categories: NewsSecurity

Blackmoon Banking Trojan Uses Three-tiered Malware Delivery Technique

Banking Trojans have often been a favorite tool among criminals looking for financial gain. Blackmoon is one of the most recent banking Trojans making the rounds, yet it caused quite a lot of confusion. Up until a few days ago, security experts were unsure how the malware spreads itself. It appears that the mystery has been finally uncovered, although that doesn’t mean Blackmoon becomes less of a threat.

Blackmoon Banking Trojan is A Big Problem

Dealing with new types of malware is annoying enough, but not knowing how it is distributed is one of the worst possible scenarios. This was the case for the Blackmoon banking Trojan

, albeit security researchers finally uncovered how the malware is distributed. It appears a new framework is being used to infect victims all over the world.

Blackmoon, also known as KRBanker, is designed to steal user credentials for online banking portals. Interestingly enough, this malware has been around since 2014 and has undergone several iterations and improvements over the past few years. The latest update comes in the of using this new framework to infect new victims. It is worrisome to learn such a banking Trojan can be around for nearly three years without being shut down, though.

This new framework to infect potential victims uses a three-tiered approach. It is something security researchers have not come across before, which is a very troublesome development. Moreover, it goes to show the Blackmoon developers have put a lot of thought into this new approach, rather than rehashing something a different developer came up with.

Related Post

Three separate downloader pieces work together to determine the next potential victim for Blackmoon. Once the Trojan is installed, it will start looking for login credentials to popular financial services. This includes the likes of Samsung Pay, as well, which means mobile payment solutions have now become a prominent target for criminals. Other – mainly South Korean – financial solutions are targeted as well by this banking Trojan.

The first part of the malware downloader is sent through phishing campaigns or exploit kits. In this file is a hard-coded URL requesting additional bytecode to be downloaded. It is unclear where this code is stored, as the developers obfuscate this location. Once the bytecode is downloaded and executed, it will look for the next part to download. A sequential series of events to install a banking Trojan is quite the novelty and may prove very difficult to shut down.

It is also interesting to note Blackmoon will determine whether or not the infected device runs in the Korean language. If that is not the case, the Blackmoon banking Trojan will go dormant. An interesting turn of events, to say the least. For now, the goal is to try and break any obfuscation efforts made by his three downloaded files. That will prove to be quite challenging, though. Rest assured Blackmoon will not go away anytime soon.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.

Share
Published by
JP Buntinx

Recent Posts

Retail Traders Panic Sell During ‘Fake Dip’; Whales Hold Tight to SOL, DTX, and SHIB for a Millionaire-Maker Bull Run

Solana (SOL): A Strong Ecosystem Despite Volatility Solana (SOL) has been all over the place…

10 mins ago

Llama 3.2 Predicts Price For Dogecoin: $2 Peak By 2025 And $5 Rally For DTX Exchange This Winter

Cryptocurrency trends are keen on the forecast that was recently released by Llama 3.2 model…

50 mins ago

Crypto Whale Sparks 8x Surge In $OPK Price with Massive Buy-in

A mysterious crypto whale, who previously invested 9,600 SOL into tokens $Pnut and $FRED, has…

3 hours ago

Early ENS Investor Transfers $2.47M To Binance Amid Upcoming Token Unlocks

An early investor linked to the $ENS token recently transferred 154,000 ENS tokens, valued at…

3 hours ago

Wintermute’s Memecoin Strategy: BABYDOGE Ranks Among Top 3 Holdings

In a surprising turn, $BABYDOGE has climbed to the top three in Wintermute’s memecoin holdings…

3 hours ago

$Pnut’s Meteoric Rise: How A Tragic Squirrel Inspired A Memecoin Sensation

The $Pnut memecoin recently soared past a $120 million market cap, creating unexpected wealth for…

3 hours ago