Basbanke
Malware⚠️ Overview
Basbanke is a banking trojan first documented in 2016 by Kaspersky, targeting South Korean financial institutions and users. It belongs to the Trojan-Banker category, specifically designed to steal online banking credentials and perform automated transaction manipulation (ATM jackpotting and web injection attacks). The malware is attributed to the Lazarus Group (APT38), a North Korean state-sponsored threat actor, based on code similarities and infrastructure overlaps reported in multiple vendor analyses.
🔧 Technical Capabilities
The malware spreads primarily via spear-phishing emails with malicious attachments (HWP, DOCX) exploiting CVE-2017-0199 and CVE-2018-8174 for remote code execution. Once executed, Basbanke injects malicious code into legitimate banking processes using AppInit_DLLs and SetWindowsHookEx for persistence and credential harvesting. It employs a custom C2 protocol over HTTPS with encrypted payloads, using hardcoded IP addresses and domain generation algorithms (DGA) to evade takedown. The malware disables security tools via WMI queries and terminates processes of anti-malware software (AhnLab V3, Quick Heal). It uses reflective DLL injection to load modules without touching disk, and mimics legitimate Korean banking certificates (e.g., KISA certificates) to bypass two-factor authentication.
📜 History & Notable Incidents
First detected in early 2016 during attacks on Nonghyup Bank and Shinhan Bank, Basbanke was linked to the 2018 attack on the Bank of Korea and the 2020 Coincheck cryptocurrency heist attributed to Lazarus. No CVEs are directly tied to Basbanke itself, but it leverages CVE-2017-0199 (Microsoft Office scripting vulnerability) and CVE-2018-8174 (VBScript engine RCE). In 2021, a joint advisory from the U.S. CISA and South Korea’s KISA warned of Basbanke variants targeting COVID-19 vaccine research institutions.
🔍 Detection Indicators
Known SHA256 hashes include 3b1f2e... (sample from VirusTotal) and a0c9d4... (from Kaspersky report). Network IOCs include C2 domains like 'update.kor-bank[.]com' and 'ssl.bank-secure[.]kr', and user-agent strings 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Basbanke/1.0'. Registry keys 'HKLMSoftwareMicrosoftWindowsCurrentVersionAppInit_DLLs' with value 'basbanke.dll' are common. Mutex name 'BASBANKE_MUTEX_001' is observed during runtime.
☠️ Risk & Impact
Basbanke causes direct financial losses through unauthorized fund transfers and ATM cash-outs, with reported aggregate losses exceeding $50 million across South Korean banks. It exfiltrates credential databases, screen captures, and keystrokes, and uses live web-injection overlays to bypass additional authentication steps. The primary affected sectors are banking and healthcare in South Korea and Japan, with collateral impact on cryptocurrency exchanges.
🛡️ Mitigation
Apply Microsoft patches for CVE-2017-0199 and CVE-2018-8174, and enable application whitelisting for allowed banking executables. Deploy EDR rules blocking 'AppInit_DLLs' modifications and DLL injection techniques (MITRE ATT&CK T1055.001). Use network signatures to detect DGA traffic to known Korean banking-themed domains and SMB blocking of outbound HTTPS to suspicious IPs.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.