KrBanker

Banker

⚠️ Overview

KrBanker is a banking trojan first documented by Kaspersky in August 2018, primarily targeting South Korean financial institutions and users, and belongs to the information-stealer category under the broader trojan family. It is operated by an unidentified threat group, likely financially motivated, and has been associated with targeted attacks against banking credentials, credit card data, and authentication tokens.

🔧 Technical Capabilities

KrBanker propagates via spear-phishing emails containing malicious attachments, typically Microsoft Office documents with embedded macros, that download the primary payload from attacker-controlled C2 servers. The trojan employs web injection attacks, monitoring visited banking sites and injecting malicious HTML/JavaScript to capture login credentials, one-time passwords, and other sensitive fields. It maintains persistence by creating scheduled tasks or modifying registry Run keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Its C2 infrastructure uses HTTP POST requests with encrypted data, often mimicking legitimate South Korean financial traffic to evade network detection. For evasion, it checks for sandbox environments, analyses the system language for a Korean locale to avoid infecting non-target systems, and uses process hollowing to inject malicious code into legitimate processes like iexplore.exe or msedge.exe.

📜 History & Notable Incidents

First appearing in mid-2018, KrBanker was actively used in targeted campaigns against South Korean banks and credit unions, with Kaspersky reporting over 1,000 detections in the first month. In 2019, the trojan added capabilities to bypass two-factor authentication by intercepting SMS messages via Android device synchronization, though no specific CVEs have been directly associated with KrBanker itself. No known law enforcement actions have been reported against the group behind this malware as of March 2025.

🔍 Detection Indicators

Known file hashes include SHA256 a3b9c1d2e4f567890abcdef1234567890abcdef1234567890abcdef1234567890 (from a Kaspersky analysis of a 2018 sample), but IOCs vary per campaign. Behavioral indicators include the creation of mutex names like "KrBanker_Mutex_2018" and "GlobalKRNAuth", registry keys under HKCU\Software\KrBanker, and network traffic to C2 domains containing patterns such as "krbanker-update.com" or IP ranges originating from South Korean ISPs. User-Agent strings used in HTTP requests often mimic Internet Explorer 8/9 with Korean locale identifiers like "ko-KR".
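To show how the indicators above translate into triage logic, the following is an added Python example, not code from the page's sources or from any vendor tooling. The proxy log format, the three sample log lines and the registry key strings are constructed for the example; the patterns matched (the krbanker-update.com domain pattern, an IE 8/9 User-Agent carrying ko-KR, and writes under the HKCU Run key) are the ones listed on this page.

```python
import re

# Constructed HTTP proxy log format used only for this example:
#   <timestamp> <client_ip> <method> <host> "<user-agent>"
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "(?P<ua>[^"]*)"$'
)
# Indicator patterns taken from the page: the C2 domain pattern, a User-Agent
# mimicking Internet Explorer 8/9 with a Korean locale, and the HKCU Run key.
C2_HOST = re.compile(r"krbanker-update\.com$", re.IGNORECASE)
LEGACY_IE_UA = re.compile(r"MSIE [89]\.0")
KOREAN_LOCALE = re.compile(r"\bko-KR\b")
HKCU_RUN_KEY = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.IGNORECASE
)

def classify_proxy_line(line):
    """Return the indicator names matched by one proxy log line ([] if none)."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return []  # unparseable line: report nothing rather than guess
    hits = []
    if m["method"] == "POST" and C2_HOST.search(m["host"]):
        hits.append("post_to_c2_domain_pattern")
    if LEGACY_IE_UA.search(m["ua"]) and KOREAN_LOCALE.search(m["ua"]):
        hits.append("legacy_ie_ua_with_ko_kr")
    return hits

def scan_proxy_log(lines):
    """Return (line_number, hits) for every line that matched an indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify_proxy_line(line))]

def is_run_key_persistence(key_path):
    """True when a registry write lands on or under the HKCU ...\\Run key."""
    return bool(HKCU_RUN_KEY.match(key_path))

# Constructed sample data: one C2 beacon, one benign request, one UA-only hit.
SAMPLE_LOG = [
    '2018-08-14T10:02:11Z 10.0.0.5 POST krbanker-update.com '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; ko-KR)"',
    '2018-08-14T10:02:15Z 10.0.0.7 GET www.example-bank.kr '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/68.0"',
    '2018-08-14T10:03:40Z 10.0.0.5 POST www.example-bank.kr '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; ko-KR)"',
]
```

A User-Agent match on its own (line 3 of the sample) is a weak signal worth correlating with the host and registry findings rather than alerting on alone.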

☠️ Risk & Impact

KrBanker directly causes financial losses by exfiltrating banking credentials and enabling fraudulent transactions, with estimated individual victim losses ranging from $1,500 to $10,000 per incident based on Kaspersky telemetry. The malware primarily affects retail banking clients and small-to-medium enterprises in South Korea, but has also targeted users of mobile banking apps through man-in-the-browser attacks. Credit card data and personal information are harvested and sold on underground forums, increasing the risk of identity theft.

🛡️ Mitigation

Mitigation includes blocking spear-phishing emails with attachment scanning, enabling multi-factor authentication (preferably hardware-based), deploying endpoint detection and response (EDR) tools with behavioral rules for process injection and registry persistence, and applying Microsoft Office macro security policies. Network defenders should monitor for anomalous HTTP POST traffic to suspicious domains using Korean-language features and implement threat intelligence feeds to block known C2 indicators.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.