Floki Bot Improves on Zeus Banking Code to Grab PoS Info

Written by

Floki Bot, a new financial malware variant, has been uncovered offered for sale on various darknet markets.

According to Cisco Talos and Flashpoint research, Floki Bot is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011. But rather than simply copying the features that were present within the Zeus trojan "as-is,” Floki Bot claims to feature several new capabilities making it an even more attractive tool for criminals.

“During our analysis of Floki Bot, Talos identified modifications that had been made to the dropper mechanism present in the leaked Zeus source code in an attempt to make Floki Bot more difficult to detect,” said Talos researchers, in an analysis. “Talos also observed the introduction of new code that allows Floki Bot to make use of the Tor network. However, this functionality does not appear to be active for the time being.”

And Flashpoint researchers found that one way in which Floki Bot’s technical competency has evolved is in the actor’s use of hooking methods to capture track data from PoS devices.

“While the malware originates from the well-known ZeuS source code, flokibot adds this hooking method to grab track data from memory, thereby extending the malware operations beyond regular banking trojan functionality making it more potent and versatile,” Flashpoint noted in its own analysis.  

Flashpoint attributes the malware to a Brazilian actor who uses the pseudonym “flokibot.” He or she is a “connector” that overlaps between criminal communities and across disparate language forums. Connectors are individuals who interact on forums that are maintained outside of their country of residence and import knowledge and tools into their native communities.

“This actor is remarkable for a number of reasons, in particular their presence in a number of top-tier underground communities across a range of languages,” Flashpoint said. “The actor is perhaps most interesting, however, because of their activity in the development and maturing of a Trojan known as Floki Bot, which was offered for $1,000 USD in Bitcoins.”

Meanwhile, through the use of the FIRST framework during the analysis process, Talos was able to quickly identify code/function reuse between Zeus and Floki Bot.

“As Floki Bot is currently being actively bought and sold on several darknet markets it will likely continue to be seen in the wild as cybercriminals continue to attempt to leverage it to attack systems in an aim to monetize their efforts,” Talos researchers said. “As the leak of the Zeus source code continues to have ripple effects across the threat landscape.”

Talos also is making scripts available to the open-source community that will help malware analysts automate portions of the Floki Bot analysis process and make the process of analyzing Floki Bot easier to perform.

Photo © zamzawai isa

What’s hot on Infosecurity Magazine?