BlackMoon virus

BlackMoon banking Trojan steals people’s banking information and delivers SkyStarts ransomware as a second payload

BlackMoon trojan

BlackMoon trojan

BlackMoon is a reference to a trojan virus, which has been first spotted on the landscape in 2014. Many cybersecurity vendors recognize it as W32/Banbra on the bases of its detection name. This specific malware example has been developed with an intention to steal the victim’s banking information by redirecting the victim to phishing websites.

This malicious cyber infection used to be extremely active until 2016 and then got idle until 2018 when experts spotted new strains of the trojan in an active development phase. The renewed BlackMoon trojan sample has been submitted on VirusTotal in autumn 2018. A year later the SonicWall Capture Labs Threat Research Team released a report that the infamous banking trojan evolved into a double payload malware. 

Once installed, the renewed Trojan executes malicious activities allowing criminals to steal user’s credentials and, upon a second phase, downloads SkyStars ransomware. The latter is known for encrypting personal files and appending .SKYSTARTS extension. In contrast to other ransomware-type viruses, it does not generate a ransom note, nor provides instructions on how to pay a ransom or encrypt files. ThIt mainly targets computer users in the East Asia region, mostly in Japan, China, and South Korea.

Once it gets into the victim’s computer system, it drops various infectious files. The Trojan introduces itself as a DLL file, which can be launched via the rundll32.exe executable file. This banking Trojan is designed to reroute the user to fraudulent websites whenever he/she attempts to access a search engine or an online banking portal via one of the affected web browsers. BlackMoon virus can modify all the major web browsers on Windows, including Mozilla Firefox, Google Chrome, and Microsoft Edge.

Before rerouting the user to a phishing website, the Trojan showcases a message (which can be presented in Korean, Japanese, or Chinese language), which states that the user has to complete “the security certification process,” which can be finished by signing into a bank account. Of course, this is nothing more than a scam, because then the user gets rerouted to a phishing website and all information he/she enters falls into cybercriminals’ hands.

This trojan can also collect information including the victim’s personal and work phone number, social security numbers, credit card details, keystrokes, passwords, and similar sensitive data. It reaches crooks’ Command and Control servers and can be used for illegal purposes immediately.

BlackMoon trojan virus
BlackMoon is a trojan virus that steals victim’s credentials and then downloads SkyStars ransomware as a second payload

BlackMoon trojan virus
BlackMoon is a trojan virus that steals victim’s credentials and then downloads SkyStars ransomware as a second payload

If you presume that your computer has been compromised by this malware, do not wait and remove BlackMoon Banking Trojan from your PC immediately. You can check if your computer is infected with some kind of malware and remove it with anti-malware software.

We suggest using SpyHunter 5Combo Cleaner or Malwarebytes malware removal tool to detect and delete spyware/malware threats from the computer. Sadly, the manual removal of this Trojan would be a time-consuming process, which eventually would end up in failure. The manual decontamination of Trojan files is practically impossible. Finally, experts highly recommend fixing trojan damage upon its removal. AV tool is not likely to restore registry entries, corrupted or deleted files, and processes. Thus, try using Reimage Reimage Cleaner Intego system recovery tool. 

Trojans infect PCs via hacked websites or malicious spam attachments

Reportedly, BlackMoon Trojan spreads via drive-by downloads, which means it can get into the victim’s computer system by taking advantage of vulnerabilities in outdated software. Additionally, this variant of malware can be downloaded in conjunction with fake software updates, typically Java Player or Flash Player updates.

While these programs are entirely legitimate, cybercriminals tend to exploit users’ trust in these programs by bundling infectious files with them and promoting such modified updates via insecure Internet sites. Therefore, we highly advise you to stay away from unknown websites and avoid downloading well-known software from them because such downloads can contain malicious files and severely damage your computer system.

Needless to say, you should always keep all your programs up-to-date and also protect your computer with a strong anti-malware solution. It is advisable to purchase a full package of services that your AV developers have to offer. 

A guide on how to remove BlackMoon malware from the computer system

BlackMoon virus is a highly dangerous computer threat, and you should NOT try to deal with it unless you are an IT expert. It is a well-programmed piece of software, which tends to hide its executive files under safe-sounding filenames.

BlackMoon removal should be done automatically, using powerful anti-malware software. We recommend scanning the entire computer system a few times to ensure this threat is entirely removed. Then we suggest changing all your passwords, logins, PINs, and other essential information to prevent cybercriminals from stealing your money from your bank accounts.

We recommend using SpyHunter 5Combo Cleaner program to remove BlackMoon virus. Do not fall for panic if you cannot load AV scanner as long as you try. Trojan may be blocking AV load processes, so you may need to restart your PC into Safe Mode with Networking. 

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-05-15 at 05:00 and is filed under Trojans, Viruses.