Trusted Design

FortiGuard Lion: A Peek into BlackMoon’s Sustained Attacks against South Korea

Summary

by Roland Dela Paz | Jul 21, 2016

A few months ago, we talked about a malicious campaign that targets South Korean users in the form of malware known as BlackMoon. BlackMoon is a banking Trojan that installs a proxy auto-config (PAC) file on an infected system in order to redirect users' browsers to phishing pages imitating South Korean banks. Back then, we noticed an open directory on the C&C server that revealed over 100,000 victims. Given this impact, we decided to dig further to better understand the scale of this attack. Mainly, we wanted to know whether the statistics displayed by the C2 were real. If so, we are looking at a little-discussed but highly active attack against South Korean users. This post shares our findings from ten weeks of monitoring this threat.

Created: 2026-02-23

Indicators

No indicators were found.

Similar Pulses

Threat actors related to this Pulse (fact-based)

Mustard Tempest

Score: 8.28
Matched TTPs:
  • T1583.008 - Malvertising
  • T1608.001 - Upload Malware
  • T1189 - Drive-by Compromise

Sidewinder

Score: 3.95
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1203 - Exploitation for Client Execution

Scattered Spider

Score: 22.72
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1217 - Browser Information Discovery
  • T1657 - Financial Theft
  • T1204 - User Execution
  • T1598 - Phishing for Information
  • T1538 - Cloud Service Dashboard
  • T1003.003 - NTDS

Mustang Panda

Score: 18.35
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1593 - Search Open Websites/Domains
  • T1203 - Exploitation for Client Execution
  • T1027.007 - Dynamic API Resolution
  • T1564.001 - Hidden Files and Directories
  • T1003.003 - NTDS

Sandworm Team

Score: 24.33
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1190 - Exploit Public-Facing Application
  • T1591.002 - Business Relationships
  • T1584.005 - Botnet
  • T1593 - Search Open Websites/Domains
  • T1592.002 - Software
  • T1203 - Exploitation for Client Execution
  • T1003.003 - NTDS

ZIRCONIUM

Score: 5.90
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1598 - Phishing for Information

APT32

Score: 10.36
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1564.001 - Hidden Files and Directories

Kimsuky

Score: 18.30
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1190 - Exploit Public-Facing Application
  • T1657 - Financial Theft
  • T1593 - Search Open Websites/Domains
  • T1055.012 - Process Hollowing
  • T1598 - Phishing for Information

Magic Hound

Score: 12.06
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1190 - Exploit Public-Facing Application
  • T1592.002 - Software
  • T1189 - Drive-by Compromise
  • T1566.003 - Spearphishing via Service

APT28

Score: 24.30
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1598 - Phishing for Information
  • T1189 - Drive-by Compromise
  • T1498 - Network Denial of Service
  • T1564.001 - Hidden Files and Directories
  • T1003.003 - NTDS
  • T1550.001 - Application Access Token

Star Blizzard

Score: 7.72
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1593 - Search Open Websites/Domains

Moonstone Sleet

Score: 13.68
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1608.001 - Upload Malware
  • T1217 - Browser Information Discovery
  • T1598 - Phishing for Information
  • T1566.003 - Spearphishing via Service

CURIUM

Score: 10.37
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1584.006 - Web Services
  • T1189 - Drive-by Compromise
  • T1566.003 - Spearphishing via Service

Dragonfly

Score: 13.37
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1190 - Exploit Public-Facing Application
  • T1591.002 - Business Relationships
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1003.003 - NTDS

Patchwork

Score: 8.87
Matched TTPs:
  • T1598.003 - Spearphishing Link
  • T1055.012 - Process Hollowing
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise

TA2541

Score: 11.02
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1055.012 - Process Hollowing
  • T1573.002 - Asymmetric Cryptography
  • T1027.015 - Compression

Earth Lusca

Score: 8.83
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1190 - Exploit Public-Facing Application
  • T1584.006 - Web Services
  • T1189 - Drive-by Compromise

LuminousMoth

Score: 4.64
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1564.001 - Hidden Files and Directories

OilRig

Score: 13.27
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1203 - Exploitation for Client Execution
  • T1137.004 - Outlook Home Page
  • T1573.002 - Asymmetric Cryptography
  • T1566.003 - Spearphishing via Service

Gamaredon Group

Score: 5.12
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1027.015 - Compression

Threat Group-3390

Score: 13.01
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1190 - Exploit Public-Facing Application
  • T1055.012 - Process Hollowing
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1027.015 - Compression

BlackByte

Score: 6.59
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1190 - Exploit Public-Facing Application
  • T1055.012 - Process Hollowing

BITTER

Score: 3.47
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1203 - Exploitation for Client Execution

Saint Bear

Score: 3.47
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1203 - Exploitation for Client Execution

Contagious Interview

Score: 14.44
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1681 - Search Threat Vendor Data
  • T1657 - Financial Theft
  • T1593 - Search Open Websites/Domains
  • T1566.003 - Spearphishing via Service

FIN7

Score: 6.11
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1190 - Exploit Public-Facing Application
  • T1564.001 - Hidden Files and Directories

EXOTIC LILY

Score: 5.99
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1203 - Exploitation for Client Execution
  • T1566.003 - Spearphishing via Service

APT42

Score: 4.72
Matched TTPs:
  • T1608.001 - Upload Malware
  • T1573.002 - Asymmetric Cryptography

Rocke

Score: 4.14
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1564.001 - Hidden Files and Directories

Volt Typhoon

Score: 14.00
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1217 - Browser Information Discovery
  • T1584.005 - Botnet
  • T1593 - Search Open Websites/Domains
  • T1003.003 - NTDS

FIN13

Score: 13.54
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1657 - Financial Theft
  • T1565 - Data Manipulation
  • T1564.001 - Hidden Files and Directories
  • T1003.003 - NTDS

Medusa Group

Score: 17.24
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1657 - Financial Theft
  • T1573.002 - Asymmetric Cryptography
  • T1003.003 - NTDS
  • T1529 - System Shutdown/Reboot
  • T1218.014 - MMC

Storm-0501

Score: 3.99
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1657 - Financial Theft

Fox Kitten

Score: 7.10
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1217 - Browser Information Discovery
  • T1003.003 - NTDS

Cinnamon Tempest

Score: 3.99
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1657 - Financial Theft

Ke3chang

Score: 3.81
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1003.003 - NTDS

menuPass

Score: 6.96
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1055.012 - Process Hollowing
  • T1003.003 - NTDS

ToddyCat

Score: 3.99
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1566.003 - Spearphishing via Service

Winter Vivern

Score: 6.86
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1584.006 - Web Services
  • T1189 - Drive-by Compromise

APT29

Score: 5.49
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1566.003 - Spearphishing via Service

Leviathan

Score: 7.88
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1027.015 - Compression

INC Ransom

Score: 3.99
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1657 - Financial Theft

UNC3886

Score: 11.23
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1681 - Search Threat Vendor Data
  • T1205.001 - Port Knocking
  • T1203 - Exploitation for Client Execution

Axiom

Score: 8.35
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1584.005 - Botnet
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise

APT41

Score: 5.30
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1003.003 - NTDS

Play

Score: 3.99
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1657 - Financial Theft

HAFNIUM

Score: 18.77
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1592.004 - Client Configurations
  • T1584.005 - Botnet
  • T1564.001 - Hidden Files and Directories
  • T1003.003 - NTDS
  • T1550.001 - Application Access Token

APT38

Score: 8.67
Matched TTPs:
  • T1217 - Browser Information Discovery
  • T1189 - Drive-by Compromise
  • T1529 - System Shutdown/Reboot

Chimera

Score: 5.63
Matched TTPs:
  • T1217 - Browser Information Discovery
  • T1003.003 - NTDS

LAPSUS$

Score: 10.32
Matched TTPs:
  • T1591.002 - Business Relationships
  • T1204 - User Execution
  • T1003.003 - NTDS

PROMETHIUM

Score: 5.90
Matched TTPs:
  • T1205.001 - Port Knocking
  • T1189 - Drive-by Compromise

Turla

Score: 5.39
Matched TTPs:
  • T1584.006 - Web Services
  • T1189 - Drive-by Compromise

Gorgon Group

Score: 3.15
Matched TTPs:
  • T1055.012 - Process Hollowing

Andariel

Score: 7.10
Matched TTPs:
  • T1592.002 - Software
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise

Lazarus Group

Score: 16.20
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1027.007 - Dynamic API Resolution
  • T1564.001 - Hidden Files and Directories
  • T1566.003 - Spearphishing via Service
  • T1529 - System Shutdown/Reboot

Higaisa

Score: 4.65
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1027.015 - Compression

Cobalt Group

Score: 4.24
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1573.002 - Asymmetric Cryptography

APT37

Score: 6.88
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1529 - System Shutdown/Reboot

BRONZE BUTLER

Score: 3.26
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise

Transparent Tribe

Score: 5.92
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise
  • T1564.001 - Hidden Files and Directories

Tropic Trooper

Score: 6.91
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1573.002 - Asymmetric Cryptography
  • T1564.001 - Hidden Files and Directories

Elderwood

Score: 3.26
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise

Darkhotel

Score: 3.26
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1189 - Drive-by Compromise

RedCurl

Score: 5.41
Matched TTPs:
  • T1573.002 - Asymmetric Cryptography
  • T1564.001 - Hidden Files and Directories

FIN6

Score: 7.61
Matched TTPs:
  • T1573.002 - Asymmetric Cryptography
  • T1003.003 - NTDS
  • T1566.003 - Spearphishing via Service

PLATINUM

Score: 6.30
Matched TTPs:
  • T1189 - Drive-by Compromise
  • T1056.004 - Credential API Hooking

Windshift

Score: 4.29
Matched TTPs:
  • T1189 - Drive-by Compromise
  • T1566.003 - Spearphishing via Service

Dark Caracal

Score: 4.29
Matched TTPs:
  • T1189 - Drive-by Compromise
  • T1566.003 - Spearphishing via Service

Equation

Score: 4.13
Matched TTPs:
  • T1564.005 - Hidden File System

Strider

Score: 4.13
Matched TTPs:
  • T1564.005 - Hidden File System

Molerats

Score: 3.15
Matched TTPs:
  • T1027.015 - Compression

Mofang

Score: 3.15
Matched TTPs:
  • T1027.015 - Compression

Threat actors related to this Pulse (inference-based)

APT28

Score: 0.85
Matched TTPs:
  • T1550.001 - Application Access Token
  • T1003.003 - NTDS
  • T1598 - Phishing for Information
  • T1189 - Drive-by Compromise
  • T1203 - Exploitation for Client Execution
  • T1190 - Exploit Public-Facing Application
  • T1498 - Network Denial of Service
  • T1564.001 - Hidden Files and Directories
  • T1598.003 - Spearphishing Link

Sandworm Team

Score: 0.85
Matched TTPs:
  • T1003.003 - NTDS
  • T1608.001 - Upload Malware
  • T1592.002 - Software
  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1593 - Search Open Websites/Domains
  • T1598.003 - Spearphishing Link
  • T1584.005 - Botnet
  • T1591.002 - Business Relationships

Scattered Spider

Score: 0.78
Matched TTPs:
  • T1003.003 - NTDS
  • T1538 - Cloud Service Dashboard
  • T1598 - Phishing for Information
  • T1204 - User Execution
  • T1217 - Browser Information Discovery
  • T1598.003 - Spearphishing Link
  • T1657 - Financial Theft

Kimsuky

Score: 0.68
Matched TTPs:
  • T1055.012 - Process Hollowing
  • T1598 - Phishing for Information
  • T1608.001 - Upload Malware
  • T1190 - Exploit Public-Facing Application
  • T1593 - Search Open Websites/Domains
  • T1598.003 - Spearphishing Link
  • T1657 - Financial Theft

Mustang Panda

Score: 0.68
Matched TTPs:
  • T1003.003 - NTDS
  • T1608.001 - Upload Malware
  • T1203 - Exploitation for Client Execution
  • T1593 - Search Open Websites/Domains
  • T1027.007 - Dynamic API Resolution
  • T1564.001 - Hidden Files and Directories
  • T1598.003 - Spearphishing Link

HAFNIUM

Score: 0.66
Matched TTPs:
  • T1550.001 - Application Access Token
  • T1592.004 - Client Configurations
  • T1190 - Exploit Public-Facing Application
  • T1564.001 - Hidden Files and Directories
  • T1003.003 - NTDS
  • T1584.005 - Botnet

Medusa Group

Score: 0.63
Matched TTPs:
  • T1218.014 - MMC
  • T1190 - Exploit Public-Facing Application
  • T1529 - System Shutdown/Reboot
  • T1573.002 - Asymmetric Cryptography
  • T1003.003 - NTDS
  • T1657 - Financial Theft

Lazarus Group

Score: 0.62
Matched TTPs:
  • T1566.003 - Spearphishing via Service
  • T1189 - Drive-by Compromise
  • T1203 - Exploitation for Client Execution
  • T1027.007 - Dynamic API Resolution
  • T1564.001 - Hidden Files and Directories
  • T1529 - System Shutdown/Reboot

Contagious Interview

Score: 0.55
Matched TTPs:
  • T1566.003 - Spearphishing via Service
  • T1608.001 - Upload Malware
  • T1593 - Search Open Websites/Domains
  • T1681 - Search Threat Vendor Data
  • T1657 - Financial Theft

Related CVEs

No CVEs were found in this Pulse.

Pulse – Threat Actor Graph

