Cyber outlaws used the BlackMoon banking Trojan, also known as W32/Banbra, to steal the banking credentials of more than 100,000 South Koreans, Fortinet proclaimed.
The problem was first detected by the security company back in April, when they discovered that one of the BlackMoon C&C servers had an open-access directory. Despite the public disclosure, the crooks did not suspend the operation and Fortinet has been constantly monitoring the C&C server collecting information and data.
When investigating the open directory, the researchers came across detailed information about the infected users. Statistics show that the number of victims worldwide is over 200,000, roughly 50% of which (108,850) are in South Korea. Not to forget the fact that the cybercriminals are hardly using only one C&C server, so the numbers are probably much higher.
Fortinet reveals that only in the course of the last two month, the number of targeted people with BlackMoon trojan have risen by 62,659.
The information gathered from the C&C server shows that the Trojan`s developers use BlackMoon configuration files to target 61 South Korean financial institutions. Researchers were also led to believe that a Chinese cyber-gang was behind this operation as the files and source code comments were in Chinese.
The BlackMoon banking Trojan was spotted for the first time two years ago. With the help of proxy auto-config files (PAC) it snatches the user’s Internet traffic looking for URLs in its configuration file. Then the crooks steal the user banking credentials from the phishing web page the victim had been redirected to.
During the time the unprotected C&C server was being monitored, Fortinet states it came across over 2,000 different BlackMoon samples, approximately 19,000 unique victim IPs and more that 20,000 unique victim MAC addresses. They were all connected to 341 other C&C servers with different hosts (US and Chinese companies).
“While we were unable to verify all 100K+ victims initially displayed by the BlackMoon C2, the massive amount of unique victim IP and MAC addresses collected during our research is a strong indication that BlackMoon has able to successfully infect at least tens of thousands of users.” Fortinet researcher explains.
“Furthermore, the daily appearance of new BlackMoon samples and C2s demonstrates how active the BlackMoon threat is, and that more attention needs to be drawn to this sustained attack against South Korean users.” the company adds.