Rapid7 tracks a staged Blackmoon (KRBanker) campaign that started in late 2022. Rather than stealing banking credentials, it focuses on evasion and persistence so that it can drop multiple unwanted programs and linger in victims' environments in the USA and Canada. The operation uses several techniques to evade defenses, maintain access, and monetize infected hosts through traffic-stealing tools and miners.
#Blackmoon #KRBanker #EternalBlue #DoublePulsar #XMRig #Traffmonetizer #IproyalPawns
Key points
- Rapid7 tracks a newer, more sophisticated Blackmoon (KRBanker) campaign launched around November 2022 and targeting US and Canadian businesses.
- Stage 1 establishes Port Monitor persistence, modifies the registry, disables security mechanisms, and drops RunDllExe.dll.
- Stage 2 uses Process Hollowing to inject into svchost.exe and fetch the next payload.
- Stage 3 is a downloader that creates specific registry values and retrieves multiple components (e.g., MpMgSvc.dll, Hooks.exe, MpMgSvc.exe, WmiPrSER.exe) before executing them.
- Stages 5 and 6 deploy a dropper and traffic-stealers (ctfmoon.exe and traffmonetizer.exe) and monetize the victim's bandwidth through the Iproyal Pawns and Traffmonetizer clients.
- The campaign includes lateral-movement components (EternalBlue/DoublePulsar) and miner tooling (XMRig) to harvest compute resources.
- The MITRE-aligned techniques below cover persistence, defense evasion, lateral movement, discovery, impact, and command-and-control behavior observed in the campaign.
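A hunt for the Port Monitor persistence named in the key points, written for this summary (it is not Rapid7's tooling or code from the write-up). It enumerates the registry key that spoolsv.exe reads monitor DLLs from and flags entries that are unfamiliar, resolve outside System32, are missing, or are not signed by Microsoft. The allow-list of default monitor names is an assumption for a stock Windows install; tune it to your own baseline.

```powershell
# Hunt for Port Monitor persistence (MITRE T1547.010).
# spoolsv.exe loads every DLL registered under the Monitors key at service start,
# so an attacker-registered monitor survives reboots without a service or Run key.
# Added example; the allow-list below is an assumption for a default install.

$knownMonitors = @(
    'Local Port', 'Standard TCP/IP Port', 'USB Monitor', 'WSD Port',
    'Microsoft Shared Fax Monitor', 'Appmon'
)
$monitorKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$system32   = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -Path $monitorKey | ForEach-Object {
    $name   = $_.PSChildName
    $driver = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
    if (-not $driver) { return }   # key without a Driver value cannot be loaded

    # A bare file name is resolved by the spooler relative to System32.
    $path = if ([System.IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path $system32 $driver }
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    $reasons = @()
    if ($knownMonitors -notcontains $name) { $reasons += 'unfamiliar monitor name' }
    if ($exists -and -not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'driver outside System32'
    }
    if (-not $exists) {
        $reasons += 'driver file missing'
    } elseif ($sig.Status -ne 'Valid') {
        $reasons += "signature $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $reasons += 'not Microsoft-signed'
    }

    [PSCustomObject]@{
        Monitor    = $name
        Driver     = $driver
        Resolved   = $path
        SHA256     = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
        Suspicious = $reasons.Count -gt 0
        Reasons    = $reasons -join '; '
    }
} | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it elevated on a suspect host and compare the SHA256 column against the indicators listed further down this page. A signed DLL in System32 with an unfamiliar name still deserves a look: the name check only tells you it is not one of the defaults you baselined, not that it is safe.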
MITRE Techniques
- [T1547.010] Port Monitors – Stage 1 registers a print Port Monitor so that its DLL is loaded by the print spooler for persistence.
- [T1543.003] Windows Service
- [T1055.012] Process Hollowing – Stage 2 hollows svchost.exe to run the injected code that fetches the next payload.
- [T1562.001] Disable or Modify Tools – Stage 1 disables security mechanisms on the host before dropping RunDllExe.dll.
- [T1210] Exploitation of Remote Services – The spreader component uses EternalBlue and DoublePulsar to move laterally to other hosts.
- [T1135] Network Share Discovery
- [T1496] Resource Hijacking – The XMRig miner (WmiPrSER.exe) consumes victim compute, and the Iproyal Pawns and Traffmonetizer clients sell victim bandwidth.
- [T1489] Service Stop
- [T1071.001] Web Protocols – Payloads are retrieved from and C2 is conducted over HTTP with down.ftp21[.]cc.
Indicators of Compromise
- [File name] 445.exe (Blackmoon Trojan), RunDllExe.dll (Injector)
- [SHA-256] a95737adb2cd7b1af2291d143200a82d8d32a868c64fb4acc542608f56a0aeda, F5D508C816E485E05DF5F58450D623DC6BFA35A2A0682C238286D82B4B476FBB
- [File name] Hook.exe (Dropper), MpMgSvc.exe (Spreader)
- [SHA-256] 1A7A4B5E7C645316A6AD59E26054A95654615219CC03657D6834C9DA7219E99F, 72B0DA797EA4FC76BA4DB6AD131056257965DF9B2BCF26CE2189AF3DBEC5B1FC
- [File name] WmiPrSER.exe (XMRig miner)
- [SHA-256] ECC5A64D97D4ADB41ED9332E4C0F5DC7DC02A64A77817438D27FC31C69F7C1D3
- [C2 URL] hxxp://down.ftp21[.]cc
- [Email] address obfuscated in the captured page; see the source post
- [Token] 1gUgURMzQiuGFgttIdjeZBS0G6fqFlVvhCKlqzfHd3o=
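A host sweep over the indicators above, written for this summary rather than taken from the Rapid7 post. It hashes files under a few assumed directories and matches them against the SHA-256 values and file names listed here (a file-name hit on its own is weak; the hash decides), then checks the local DNS client cache for the C2 host without resolving it live. The scan roots are assumptions; widen them to wherever your telemetry says staging happened.

```powershell
# Sweep a host for the Blackmoon/KRBanker indicators listed on this page.
# Added example, not Rapid7 tooling. Hashes are normalized to upper case because
# Get-FileHash returns upper-case hex. Scan roots are assumed staging locations.

$iocHashes = @{
    'A95737ADB2CD7B1AF2291D143200A82D8D32A868C64FB4ACC542608F56A0AEDA' = '445.exe (Blackmoon Trojan)'
    'F5D508C816E485E05DF5F58450D623DC6BFA35A2A0682C238286D82B4B476FBB' = 'RunDllExe.dll (Injector)'
    '1A7A4B5E7C645316A6AD59E26054A95654615219CC03657D6834C9DA7219E99F' = 'Hook.exe (Dropper)'
    '72B0DA797EA4FC76BA4DB6AD131056257965DF9B2BCF26CE2189AF3DBEC5B1FC' = 'MpMgSvc.exe (Spreader)'
    'ECC5A64D97D4ADB41ED9332E4C0F5DC7DC02A64A77817438D27FC31C69F7C1D3' = 'WmiPrSER.exe (XMRig miner)'
}
# Component names from the stage descriptions; name matches are only a lead.
$iocNames = @('445.exe', 'RunDllExe.dll', 'Hook.exe', 'MpMgSvc.exe', 'MpMgSvc.dll',
              'WmiPrSER.exe', 'ctfmoon.exe', 'traffmonetizer.exe')
$c2Host   = 'down.ftp21.cc'

# Assumed locations to scan; add user profiles or mapped shares as needed.
$scanRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\Temp", $env:TEMP, $env:ProgramData)

$hits = foreach ($root in $scanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 50MB } |     # skip large media/ISOs to keep hashing fast
        ForEach-Object {
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $byHash = $h -and $iocHashes.ContainsKey($h)
            $byName = $iocNames -contains $_.Name
            if ($byHash -or $byName) {
                [PSCustomObject]@{
                    Path   = $_.FullName
                    SHA256 = $h
                    Match  = if ($byHash) { $iocHashes[$h] } else { 'file name only (verify hash)' }
                }
            }
        }
}

Write-Host "File indicator hits:"
$hits | Format-Table -AutoSize -Wrap

# Network side: look for the C2 host in the DNS client cache. Do not resolve it
# from the suspect host; that would touch adversary infrastructure.
Write-Host "DNS cache entries for $c2Host`:"
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$c2Host*" -or $_.Name -like "*$c2Host*" } |
    Format-Table Entry, Name, Data -AutoSize
```

Treat a hash match as confirmed and a name-only match as a prompt to pull the file for analysis; legitimate software reuses generic names like Hook.exe. Run the DNS check early, since the cache is cleared on reboot.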
Read more: https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/