This post is also available in: 日本語 (Japanese)
Online banking services have been a prime target of cyber criminals for many years and attacks continue to grow. Targeting online banking users and stealing their credentials has yielded huge profits for the criminals behind these campaigns. Unit 42 has been tracking "KRBanker" AKA 'Blackmoon', since late last year. This campaign specifically targets banks of the Republic of Korea. On April 23, researchers at Fortinet published a blog describing the functionalities of the recent 'Blackmoon' campaign. Our objective in this blog is to share additional details on the distribution of the KRBanker or Blackmoon malware campaign and indicators of KRBanker samples.
Early variants of this campaign started surfacing in late September 2015. Though the number of KRBanker infection attempts was relatively low in 2015, we have noticed a gradual increase in the number of sessions since the start of 2016, and identified close to 2,000 unique samples of KRBanker and 200+ pharming server addresses in the last 6 months.
Figure 1 KRBanker download sessions on Autofocus
Our analysis shows that KRBanker has been distributed through web exploit kits (EK) and a malicious Adware campaign. The exploit kit used for installing KRBanker is known as KaiXin and the Adware which distributes it is called NEWSPOT.
Another distribution channel is a malicious Adware program, called NEWSPOT. According to the marketing document of the product, NEWSPOT guarantees 300% revenue growth for online shopping sites . NEWSPOT is a basic adware program that displays advertisements in browsers, but since at least November 2015 has started installing malware.When visiting some Korean websites, a user may notice a pop-up of a browser add-on requesting installation for NEWSPOT.
Figure 2 Installing NEWSPOT tool
If installed, the adware is executed on the computer and starts getting configuration from the following URL:
www.newspot[.]kr/config.php?sUID=[web site name]
It downloads a file from URL described in the <update> section within the configuration data returned by the server.
Figure 3 Configuration file contains download link to malware
This might have originally been used to update the NEWSPOT software, but we have confirmed that Banking Trojans like KRBanker and Venik has been installed through this update channel. Figure 4 shows the URLs:
Figure 4 Downloading Banking Trojans from NEWSPOT update channel
KRBanker uses Process Hollowing to execute its main code in a clean (non-suspicious) executable. The process is as follows:
- KRBanker executes a clean PE file in System directory.
- Windows loads the PE file into memory.
- KRBanker overwrites the whole clean process with its own (malicious) main module.
- Overwritten process starts malicious activity.
Figure 5 Execution Steps
Figure 6 Execution Steps (cont.)
After a successful execution the Windows Firewall alerts the user on the process attempting to access the Internet. Many users may allow this activity because the process originally involved a clean Microsoft file.
Figure 7 Windows Firewall Alert
Banking trojans like Dridex or Vawtrak mainly employ Man-in-the-browser(MitB) techniques to steal credentials from targeted victims. However, KRBanker uses a different technique known as “pharming.” This technique involves redirecting traffic to a forged website when a user attempts to access one of the banking sites being targeted by the cyber criminals. The fake server masquerades the original site and urges visitors to submit their information and credentials.
The IP address of the fraudulent server is not hard-coded in the malware. KRBanker obtains the server address by accessing Chinese SNS, Qzone through a Web API. The API provides basic user information by sending QQ number to the following URL.
users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=[QQ ID Number]
The server then responds with the QQ ID Number, link to picture, nick name and some other information from SNS profile identified by the QQ ID Number. The author of the trojan put the Pharming server address in the "nickname" field.
Following is an example response that contains the IP address, 23.107.204[.]38 which is then extracted by KRBanker for Pharming.
Figure 8 Receiving IP address for Pharming from QZone
Next, KRBanker gets the MAC Address using an embedded VBScript and code page by executing GetOEMCP() API on the compromised system. It then registers the compromised system with the C2 server by sending the following HTTP GET request:
http://[IP address]/ca.php?m=[encoded MAC Address]&h=[code page]
To configure this, the Trojan starts a local proxy server and creates the following registry entry.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = http://127.0.0.1:[random]/[random]
Figure 11 Redirecting traffic by Proxy Auto-Config
Current, KRBanker is targeting a large list of Korean financial institutions using this Pharming attack.
When a compromised user visits one of the targeted websites, the user will see a page like the one shown in Figure 12 below. It appears to look like a legitimate webpage with a valid URL displayed on the address bar of the browser. However, this is a fake website for stealing the credentials and account information of the victims.
Figure 12 Fake Authorized Certification Center for renewal
KRBanker is also capable of taking the following actions:
- Stealing certification from NPKI directory in order to access online bankingaccounts
- Terminating Ahnlab’s V3 security software
Profit is the primary motivator for attackers who use banking Trojans. The adversary behind KRBanker has been developing new distribution channels, evolving the pharming techniques multiple times, and releasing new variants on a daily basis to maximize the revenue from victims.
As described in this article, the threat is distributed through Exploit Kits that exploit old vulnerabilities and Adware that needs to be manually installed. It is essential to understand the infection vectors of such campaigns to minimize the impact. Palo Alto Networks Autofocus users can track this threat using the 'KRBanker' Autofocus tag.
The indicators on KRBanker can be found on Unit 42's github page below