Cisco Talos: Zeus spawn “Floki bot” malware gaining use, cyber-underworld notoriety

Cisco says Floki bot can be used to infect PoS terminals with the ultimate goal of stealing credit card data


Cisco’s Talos security group this week warned that a variant of trojan monster Zeus has begun to garner a following in the cyber-underworld as a hard-to-detect attack mechanism.

“[Floki bot] is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011. Rather than simply copying the features that were present within the Zeus trojan ‘as-is’, Floki Bot claims to feature several new capabilities making it an attractive tool for criminals,” Talos wrote.


“During our analysis of Floki bot, Talos identified modifications that had been made to the dropper mechanism present in the leaked Zeus source code in an attempt to make Floki Bot more difficult to detect. Talos also observed the introduction of new code that allows Floki bot to make use of the Tor network. However, this functionality does not appear to be active for the time being,” Talos wrote.

Talos said it collaborated with Flashpoint during the analysis of Floki Bot, and the security company wrote of Floki bot as well, stating: “A few months ago, Flashpoint analysts became interested in a Brazilian actor who uses the pseudonym ‘Floki bot.’ This actor is remarkable for a number of reasons, in particular their presence in a number of top-tier underground communities across a range of languages. The actor is perhaps most interesting, however, because of their activity in the development and maturing of a Trojan known as ‘Floki bot,’ which was offered for $1,000 in Bitcoins. By obtaining intelligence from the Deep & Dark Web and in coordination with Talos, Flashpoint monitored malware campaigns associated with Floki bot.”


Flashpoint also wrote:

  • Actor “floki bot” advertised their new malware kit, similarly named “Floki Bot,” on a top-tier underground forum on September 16, 2016.
  • “Floki bot” draws from the source code of the ZeuS 2.0.8.9 Trojan but reinvents the dropper process injection.
  • The new feature of this malware kit appears to be a dump grabber, which, according to the actor, makes Floki bot the weapon of choice for targeting point of sale terminals.
  • Floki bot also employs a different network protocol than ZeuS that allows it to avoid detection by Deep Packet Inspection.
  • The malware kit also allows the malware to feed configuration files in an encrypted state to its bots via Gate[.]php calls, as opposed to in a separate payload (as in ZeuS).
  • Floki bot’s ability to grab credit card information using memory hooks is unique. Due to these capabilities, Floki bot asserts that the malware in its current state can be used to infect PoS terminals with the ultimate goal of exfiltrating credit card data during card-present transactions.

Talos added that it is making scripts available to the open source community to help malware analysts automate portions of the Floki bot analysis process.

Zeus may not be the pain it once was, but its impact is still being felt.

Check Point’s Threat Intelligence Research Team recently found that both the number of active malware families and number of attacks increased by 5% during October, pushing the number of attacks on business networks to near peak levels. Locky ransomware attacks continued to rise, moving it up from third to second place, while the Zeus banking trojan moved up two spots, returning it to the top three.

Check Point wrote that Conficker retained its first-place position as the world’s most prevalent malware, responsible for 17% of recognized attacks. Second-placed Locky, which only started its distribution in February of this year, and third-placed Zeus were each responsible for 5% of known attacks.

From Check Point:

1. Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.

2. Locky – Ransomware, which started its distribution in February 2016, and spreads mainly through spam emails containing a downloader disguised as a Word or Zip file attachment, which then downloads and installs the malware that encrypts the user files.

3. Zeus – Trojan that targets Windows platforms and is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.
