Blackmoon

Category: banking_trojan · Aliases: None known · Sample count (EMBER 2018): 228 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Blackmoon is a classic, highly destructive banking trojan historically notorious for targeting Asian financial institutions, employing aggressive memory scraping and web-injection techniques to steal credentials and authorize fraudulent transactions.

Understanding Blackmoon
To the victim, a Blackmoon infection often goes unnoticed until massive unauthorized withdrawals appear on their bank statements. For incident responders, Blackmoon represents a severe financial threat. It acts as a Man-in-the-Browser (MitB), silently intercepting the communication between the user's web browser and the banking portal to steal login credentials, circumvent two-factor authentication (2FA), and alter transaction details on the fly.

Execution and Evasion Strategies
Blackmoon is primarily distributed through targeted malspam campaigns containing malicious ZIP attachments or via compromised watering hole websites. Upon execution, it injects its core DLL payload into browser processes (like iexplore.exe, chrome.exe, or firefox.exe). It establishes persistence via the Registry Run keys. Once injected, Blackmoon uses API hooking (specifically targeting functions like InternetReadFile and HttpSendRequest) to intercept HTTP/HTTPS traffic before it is encrypted by the browser. It then downloads dynamic 'web-inject' configuration files from its C2 server, allowing it to modify the HTML of specific banking sites to prompt users for additional sensitive information (like ATM PINs or mother's maiden name).

Indicators of Compromise & Impact
The impact is direct and severe financial loss. Threat hunters should investigate EDR alerts related to 'Suspicious Browser Injection' or 'API Hooking Detected'. Network logs will reveal Blackmoon establishing encrypted connections (often using custom RC4) to its C2 infrastructure to exfiltrate stolen credentials and receive updated web-injects. The presence of hidden configuration files in the %AppData% directory is a strong IoC.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1185Browser Session HijackingCollection
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1056.004Input Capture: Credential API HookingCredential Access
T1105Ingress Tool TransferCommand and Control
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderPersistence

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_BLACKMOON {
    meta:
        description = "Detects Blackmoon (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "blackmoon" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Blackmoon Activity
id: d10b8da5104f387422df5da828a9537b
status: experimental
description: Detects generic indicators of the blackmoon malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*blackmoon*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Immediately isolate the endpoint from the network to halt the active exfiltration of banking credentials and prevent fraudulent transactions.
  2. Assist the user in immediately contacting their financial institutions to freeze accounts, block recent transactions, and reset all banking passwords.
  3. Capture a live memory image (RAM dump) to extract the injected Blackmoon DLLs and the downloaded web-inject configuration files.
  4. Perform a clean OS rebuild; banking trojans establish deep, complex hooks that are difficult to fully eradicate manually.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not allow the user to access any online banking or financial portals while the machine is infected.
  2. Avoid relying solely on clearing browser cookies or caches; the malware is injected directly into the browser's process memory.

References & External Analysis

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/blackmoon.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.