Blackmoon is a banking trojan, first discovered in 2014, used to steal user credentials from South Korean banking institutions. It is typically distributed via exploit kits, malicious websites, or malicious advertisements. The trojan uses a proxy auto-config (PAC) file to redirect users to phishing pages controlled by the threat actors. This file - used to determine proxy servers of web browsers for certain URLs - contains a JavaScript function for intercepting user credentials. The trojan uses a dropper to distribute its malicious payload. The dropper contains anti-debugging capabilities used to control how the program is executed and to prevent analysis from dynamic debuggers. Once Blackmoon is downloaded, it creates a process CACLS.EXE that is overwritten with the trojan's main payload containing a backdoor and credential-stealing capabilities. It then downloads its configuration from a social media site that responds with the C2 IP address so it can make contact and send information. In late 2016, threat actors were observed utilizing a framework consisting of three separate downloader pieces to deliver the Blackmoon trojan. These threat actors continue to target South Korean users and financial institutions.


  • May 2017: Blackmoon Banking Trojan Back with New Modular Framework. (Fidelis)

Technical Details

  • Fortinet provides technical details on the Blackmoon trojan, available here.