Researchers have observed an uptick in attacks using the banking malware Floki Bot against U.S., Canadian and Brazilian banks, and insurance firms.
Floki Bot, which reuses code from the once-notorious Zeus banking Trojan, has evolved and, unlike its predecessor, targets point-of-sale systems, spreading via aggressive spear phishing campaigns and the RIG exploit kit.
Cisco Talos and Flashpoint security researchers coordinated the release of reports on Floki Bot on Wednesday. Both firms warn the malware is quickly gaining popularity within Dark Web criminal forums.
“Floki Bot is currently being actively bought and sold on several darknet markets,” wrote Cisco Talos in its report released Wednesday. “It will likely continue to be seen in the wild as cybercriminals continue to attempt to leverage it to attack systems in an aim to monetize their efforts.”
This most recent version of Floki Bot, spotted in September, is based on the Zeus 22.214.171.124 source code released in 2011. There have been several incarnations of Floki Bot since then; however, this most recent version is being developed, marketed and sold by a shrewd hacker who goes by the same name as the malware.
“This actor is remarkable for a number of reasons, in particular their presence in a number of top-tier underground communities across a range of languages (Portuguese, English and Russian),” wrote Vitali Kremez, senior intelligence analyst at Flashpoint, in a report also released Wednesday. Kremez believes the actor Flokibot’s native language is Portuguese and that the hacker is based in Brazil.
Typical infections stem from spear phishing attacks where victims are enticed to enable malicious macros in Microsoft Word documents sent as email attachments. Once enabled, the macro retrieves the Floki Bot malware, according to Kremez.
“Once the malware is executed, it attempts to inject malicious code into ‘explorer.exe’ – the Microsoft Windows file manager,” according to Talos’ technical analysis of the inject sequence of the Floki Bot malware code. “If it is unable to open ‘explorer.exe’, it will then inject into ‘svchost.exe’.”
The injected payload is a PE file stored as a resource named ‘bot32’. “The sample we analyzed is hardcoded to only pass the address of the ‘bot32’ resource to the injected payload,” Cisco Talos wrote. “At every stage, the malware uses hashing to obfuscate module and function names used in dynamic library resolution.”
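The infection chain described above (a macro-enabled Word attachment retrieves the payload, which then injects into explorer.exe and falls back to svchost.exe) is the kind of sequence endpoint telemetry can catch. The following detection logic is an added illustration, not code from Talos, Flashpoint or this article. It assumes a simplified Sysmon-like event schema (EventID 1 for process creation, EventID 8 for CreateRemoteThread) and runs over constructed sample events, not real Floki Bot telemetry.

```python
"""Flag an Office-spawned child that later injects into explorer.exe or svchost.exe.

Added example. The event records below are constructed for illustration and
use a simplified Sysmon-like field layout (an assumption, not the real schema).
"""
import ntpath

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}
# Binaries launched from these directories are treated as trusted for this demo.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\explorer.exe"},
    # Word launches a dropped executable from a user-writable directory.
    {"EventID": 1, "ProcessId": 4388, "Image": r"C:\Users\alice\AppData\Roaming\invoice.exe",
     "ParentProcessId": 4120, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    # The dropped executable creates a remote thread in explorer.exe.
    {"EventID": 8, "SourceProcessId": 4388, "SourceImage": r"C:\Users\alice\AppData\Roaming\invoice.exe",
     "TargetProcessId": 3000, "TargetImage": r"C:\Windows\explorer.exe"},
    # Benign: a Windows component touching svchost.exe from a trusted path.
    {"EventID": 8, "SourceProcessId": 900, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 1200, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # Second host: explorer.exe could not be opened, so the fallback target was used.
    {"EventID": 1, "ProcessId": 5212, "Image": r"C:\Users\bob\AppData\Local\Temp\doc_preview.exe",
     "ParentProcessId": 5100, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"EventID": 8, "SourceProcessId": 5212, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\doc_preview.exe",
     "TargetProcessId": 1300, "TargetImage": r"C:\Windows\System32\svchost.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path, e.g. 'explorer.exe'."""
    return ntpath.basename(path).lower()


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def office_spawns(events):
    """EventID 1 records where an Office host launched a child from an untrusted directory."""
    return [e for e in events
            if e["EventID"] == 1
            and basename(e["ParentImage"]) in OFFICE_HOSTS
            and not is_trusted_path(e["Image"])]


def suspicious_injections(events):
    """EventID 8 records where an untrusted source created a thread in explorer.exe or svchost.exe."""
    return [e for e in events
            if e["EventID"] == 8
            and basename(e["TargetImage"]) in INJECTION_TARGETS
            and not is_trusted_path(e["SourceImage"])]


def correlate_chains(events):
    """Link Office-spawned children to their later injections by process id.

    Returns (source_image, target_basename) pairs that complete the chain.
    """
    spawned = {e["ProcessId"] for e in office_spawns(events)}
    return [(e["SourceImage"], basename(e["TargetImage"]))
            for e in suspicious_injections(events)
            if e["SourceProcessId"] in spawned]


if __name__ == "__main__":
    for source, target in correlate_chains(SAMPLE_EVENTS):
        print(f"ALERT: Office-spawned {source} injected into {target}")
```

Correlating on the numeric process id is a shortcut that works on this small sample; on a real host, process ids are reused, so the ProcessGuid that Sysmon attaches to each event is the right join key. The path allow-list is deliberately coarse: an injection into explorer.exe from a trusted directory is still worth a lower-severity alert, since the text notes Floki Bot only changes target, not technique, when explorer.exe cannot be opened.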
According to Flashpoint researchers, Floki Bot differs significantly from the Zeus that was distributed in mass spam campaigns. Zeus also did not include PoS scraping functionality and lacked the antivirus-evading obfuscation techniques discovered in Floki Bot in November.
“While the malware originates from the well-known Zeus 126.96.36.199 source code, Floki Bot adds a hooking method to grab track data from memory thereby extending the malware operations beyond regular banking Trojan functionality, making it more potent and versatile,” Kremez wrote.
Other distinctions between Floki Bot and Zeus include price and availability: Floki Bot is sold openly on the Dark Web for $1,000. The Zeus variant called GameOver, on the other hand, was distributed only to a close circle of criminal gangs and sold for $15,000 in its prime, Kremez said.
“Floki Bot is currently being used by 10 cyber-criminal gangs,” Kremez said. “GameOver Zeus, in its heyday, was used by only five exclusive gangs.”
In 2007, Zeus malware earned notoriety for compromising nearly 75,000 websites owned by the likes of ABC, Bank of America and Oracle. In 2013, the Zeus code was used to construct Citadel malware, known for its cunning ability to steal personal, banking and financial information. Denmark-based Heimdal Security reported in April that Zeus code had been repurposed to create the Atmos variant, which went on to target banks in France. Atmos can either scrape data from its target computer or simply lie low and collect user credentials.
Another interesting distinction between Zeus and Floki Bot is the presence of Tor network support in the source code. Talos says the Tor support code is non-functional and “appears to be under development and could not be activated in the samples.”
Both Cisco and Flashpoint warn that those behind Floki Bot have worked hard to lower the technical bar needed for cyber criminals to use the tool.
“The time required to attain a high level of skill and sophistication has been continuously reduced. As criminals share information to defeat protections, we should be sharing it as well with our community to defeat threats,” Flashpoint wrote.