Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

BlackMoon

63
Global rank
24 infographic chevron month
Month rank
19 infographic chevron week
Week rank
0
IOCs

BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.

Trojan
Type
Unknown
Origin
1 February, 2014
First seen
4 February, 2025
Last seen
Also known as
KrBanker

How to analyze BlackMoon with ANY.RUN

Type
Unknown
Origin
1 February, 2014
First seen
4 February, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Release Notes: System Updates, New YARA and S...
watchers 216
comments 0
post image
3 Major Cyber Attacks in January 2025
watchers 1415
comments 0
post image
Interlock Ransomware: Analysis of Attacks on...
watchers 1198
comments 0

What is BlackMoon malware

BlackMoon (KRBanker) is one of the most sophisticated banking trojans, exploiting MitB attacks and web injections to steal financial data. Its stealthy evasion techniques, 2FA bypasses, and browser manipulation make it highly dangerous. Initially used in attacks targeting South Korea, it has since spread all over the world and threatens individuals and organizations in any region.

At the dawn of its “career" in 2015-2016, it employed a “pharming” technique to steal banking credentials. It redirected users to a fake website that imitated one of the banking sites and invited visitors to submit their payment data. The data is sent to C2 servers controlled by attackers, 2FA is bypassed by injecting fake OTP fields or session hijacking.

Beside luring information out of users, the malware generates fake alerts on banking websites prompting users to download a malicious security tool. BlackMoon employs a number of anti-detection and persistence mechanics. It injects itself into legitimate system processes, modifies Windows Registry, schedules tasks and startup entries. It also changes signatures to evade static detection, uses code obfuscation and targets specific banking URLs to minimize noise in network logs.

Blackmoon is detectable with threat intelligence tools by a number of indicators: associated domains, IPs, hashes, as well as known behavioral patterns. Network monitoring tools are triggered by outbound traffic to suspicious C2 servers, abnormal DNS queries, HTTP requests with suspicious headers related to web injections.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of BlackMoon malware

BlackMoon has some unique and some typical for malware of this type features that make it effective and hard to oppose.

  • Its infiltration methods of choice are phishing emails, social engineering, and malvertising as ways of delivering malicious attachments or links to fake banking login pages.
  • It also is distributed via malicious software disguised as legitimate banking or security tools.
  • It establishes itself in the system by modifying registry keys and injecting itself into legitimate system processes like explorer.exe.
  • It infiltrates into popular browsers and modifies banking login pages.
  • Fake login forms send users’ credentials to attackers’ C2 servers.
  • The information BlackMoon is aimed to steal includes online banking credentials (usernames, passwords), credit card details, personal identification information. It may gather them by logging keystrokes, capturing screenshots, and intercepting data entered into web forms.
  • KRBanker can provide attackers with remote access to the infected system to execute commands, upload additional malware, or exfiltrate data.
  • The measures of protection against BlackMoon must include proactive hunting for the malware indicators within the network using threat intelligence and forensic tools. Patch management, endpoint protection, multi-factor authentication, network segmentation must be employed.

The Execution process of BlackMoon

Within ANY.RUN's Interactive Sandbox, we can observe the malware's entire execution chain in a safe virtual environment.

BlackMoon malware in the ANY.RUN Sandbox KRBanker detonated in ANY.RUN’s Interactive Sandbox

BlackMoon malware employs a multi-stage execution chain specifically designed for financial theft, frequently targeting South Korean banking institutions. The infection process typically begins with a dropper file delivered through phishing campaigns or exploit kits that leverage browser vulnerabilities.

Once executed, this dropper retrieves additional components necessary for the BlackMoon Trojan’s full functionality. The malware’s operation is divided into three distinct stages. In the first stage, the Mini Downloader fetches a second component, which in turn initiates the next phase. The second stage uses the KRDownloader to complete the installation.

After successfully downloading its payload, KRDownloader executes it and then self-deletes to evade detection. The payload commonly includes credential theft features, often deploying man-in-the-browser techniques to intercept user credentials during interactions with banking websites. Once installed, BlackMoon persists on the system by modifying registry keys and, in some cases, altering the local Hosts file. These changes redirect users attempting to access legitimate banking sites to attacker-controlled phishing pages.

BlackMoon TTPs in the ANY.RUN Sandbox The tactics and techniques of Blackmoon mapped in the sandbox

The use of a Proxy Auto-Config (PAC) file further enhances stealth, allowing BlackMoon to intercept and manipulate web traffic without immediately arousing suspicion. Beyond credential theft and phishing, BlackMoon maintains communication with its command-and-control (C&C) servers to receive updates and instructions. It retrieves encoded configuration blocks from hardcoded URLs, dictating operational parameters and target websites. This communication channel is critical for retaining control over infected devices and adjusting to new targets or evasion methods.

Overall, BlackMoon’s carefully orchestrated, multi-stage downloader framework maximizes stealth and efficiency in delivering its malicious payload. This layered approach not only complicates analysis for security researchers but also enhances its effectiveness in compromising financial institutions and stealing sensitive user information.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Threat Intelligence on BlackMoon Ransomware

Explore BlackMoon’s IOCs, IOBs and IOAs via ANY.RUN’s Threat Intelligence Lookup searches and collect data for setting up detection and response in your network.

BlackMoon in the ANY.RUN TI Lookup TI Lookup overview of a malicious file associated with Blackmoon attacks

Leverage TI feeds to track C2 infrastructure, malware hashes, keep a watch over evolving tactics of KRBanker via MITRE ATT&CK mappings. For example, we can use the following query filePath:"ZhuDongFangYu.exe" to find sandbox reports featuring the file named ZhuDongFangYu commonly used in BlackMoon attacks.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

BlackMoon malware distribution methods

KRBanker typically spreads through:

  • Drive-by Downloads: Users visiting compromised or malicious websites can get infected via exploit kits that use browser vulnerabilities.
  • Phishing Emails & Social Engineering: Victims receive malicious attachments or links leading to fake banking login pages.
  • Trojanized Software: Users install malware disguised as legitimate banking or security tools.

Conclusion

BlackMoon remains highly dangerous because it leads directly to financial losses through critical data theft. Its stealthy evasion techniques, 2FA bypasses, and browser manipulation also put it in the high-risk group. Using threat intelligence-driven detection and response, security teams can monitor IOCs, implement behavioral analytics, and harden authentication mechanisms to combat this evolving banking malware threat.

Sign up for ANY.RUN to analyze malware and phishing threats for free.

HAVE A LOOK AT

LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More
Emmenhtal screenshot
Emmenhtal
emmenhtal
First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More