Some users might have fostered hopes that BlackMoon trojan has tied down after its rampage in 2014. The case of recent banking data theft from South Korean residents suggests that the cyber threat has returned more powerful than before. More than 160 000 South Korean users were infected with a virus which stole their banking information. Though South Korea received the main blow, other countries also reported of data theft. 110,130 users from different countries suffered from this menacing trojan.
Originally, the trojan was launched using the disguise of a dll file. It operates via rundll32.exe executable and gets access to the personal user’s information which often included login data of the respective banking account. Therefore, it did not take long for crooks to launch a massive worldwide cyber campaign. The current version of BlackMoon trojan replaces the local host file with the malicious one. This results in redirecting the user to a specific server monitored by the crooks. IT professionals have found that the malicious script was embedded in a lofter(com) blogging platform.
Within the period from may 2006 to July 2016, the trojan managed to attack over 62,000 new victims, while 99% of them being the residents of South Korea. Yet it is unknown why this particular country has attracted hackers’ attention. Recently, the entire Asia region suffered more cyber attacks than other regions. Banks in Indonesia and South Korea were assaulted by DDoS (distributed-denial-of-service) attacks. Moreover, the cyber campaign of BlackMoon malware, alternatively known as W32/Banbra, might be just a small part of the bigger project. Some IT professionals suspect that Chinese hackers might be behind this cyber terror attack. Fortinet specialists, who obtained access to one of the hackers’ servers C&C, discovered that it leads to other servers, eleven of them hosted in China and four in Hong Kong. Moreover, server files and source code comments were written in Chinese.
While IT experts are still battling this virus, users are encouraged to remain especially vigilant while performing banking operations. If you notice that you are redirected to an additional domain contrary to the previous cases, or you are asked to enter more unique verification codes than usual, cancel the operation. Lastly, upgrading your security applications proves to be a useful precaution as well.