July 22, 2016
Over 100,000 South Koreans had their banking credentials stolen by crooks who leveraged the BlackMoon banking trojan, also detected as W32/Banbra, Fortinet researchers reveal.
The security vendor initially identified the campaign in April, when it also managed to discover an open-access directory belonging to one of the BlackMoon C&C servers.
Inside, security researchers found logs and data that revealed details about infected victims. The numbers showed 110,130 victims worldwide and 108,850 in South Korea. Bear in mind that BlackMoon uses different C&C servers, so the total numbers are probably higher.
Since then, the company has been keeping an eye on the C&C server and gathering more data about the crooks’ mode of operation.
Fortinet says that, between May 10, 2016, and July 19, 2016, the crooks made an additional 62,659 new victims, among whom 61,255 are from South Korea.
A closer look at the files found on the C&C server shows that the criminal group behind the campaign uses BlackMoon configuration files that target 61 South Korean financial institutions.
BlackMoon, a banking trojan first discovered in 2014, uses proxy auto-config files (PAC) to hijack the user’s Internet traffic and sniff for URLs it contains in its configuration file. When this happens, the user is redirected to a phishing page instead of the real banking portal, where the crook harvests their banking credentials.