
Multi-Purpose “Floki Bot” Emerges as New Malware Kit


Key Findings

  • Actor “flokibot” advertised their new malware kit, similarly named “Floki Bot,” on a top-tier underground forum on September 16, 2016.

  • “Floki Bot” draws from the source code of the ZeuS 2.0.8.9 Trojan but reinvents the dropper process injection.

  • The new feature of this malware kit appears to be a dump grabber, which, according to the actor, makes Floki Bot the weapon of choice for targeting point-of-sale (PoS) terminals.

  • This malware kit, offered for $1,000 USD, may gain some traction among financially motivated cybercriminals on a top-tier underground forum.


Background

On September 16, 2016, actor “flokibot” advertised their new malware kit, similarly named “Floki Bot,” on a top-tier Russian cybercriminal forum.


flokibot posted the following:

Floki Bot

Dropper

Injects payload in zombie process without decrypting it inside dropper. Payload does not go through NtWriteVirtualMemory/NtMapViewOfSection calls but instead a PE loader is injected that uses NtReadVirtualMemory then decompresses, decrypts and executes it.

Decompression and decryption of payload only happens in zombie process (explorer.exe or svchost.exe).

After launch of payload in zombie process, payload injects itself in all running 32-bit processes.

Execution rate – 70%+.

Payload

Based on Zeus 2.0.8.9 source code. Payload uses a different communication protocol that cannot be detected by Deep Packet Inspection, unlike Zeus (packets don't look like Zeus). Config is transferred to bot directly through gate.php, encrypted.

All reports are written to HDD and then transferred in a single request to command and control center. This system reduces stress on server, allowing you to hold more bots than if it sent requests one by one (Zeus), and ensures you don't lose a single report in case of downtime. Configuration file and dropper are automatically updated from webpanel using MD5 checks done by bot itself. Configuration supports unlimited URLs.

Feature List:

Track 2 Grabber + Keylogger for CVV
Using memory hooks, it grabs all Track 2 with very low CPU usage. A standard scanner/grabber misses some Track 2 because it can be removed from memory before the scan, but with memory hooks this case cannot happen.
Track 2 data is analyzed and reported as what possible credit card it is (Visa, MasterCard, etc).

Formgrabber and Webinjects for Internet Explorer and Mozilla Firefox

Cookies grabber for Internet Explorer

Ring-3 Rootkit unhooker
Bot will attempt to remove all inline hooks by reading and mapping the original file and comparing bytes.

Hook Protection
Bot intercepts NtProtectVirtualMemory calls to protect its own hooks against unhookers.

Backconnect SOCKS/VNC is currently not available as it is being recoded. Chrome webinjects and Webfakes will be available in future.

Price: 1000$, Bitcoin is the only accepted payment method. Escrow is accepted.


Assessment

The most interesting aspect of Floki Bot is its dropper, specifically the way the malware accomplishes process injection. To frustrate anti-virus detection, Floki Bot injects its payload into a zombie process while it is still compressed and encrypted, together with a small portable executable (PE) loader; that loader reads the payload with the native API call NtReadVirtualMemory, then decompresses, decrypts, and executes it inside the target process, so the cleartext payload never appears inside the dropper itself. Based on the flokibot developer’s testimony, this technique allows the malware to bypass anti-virus detection, and flokibot claims the dropper achieves a 70 percent execution success rate. By contrast, flokibot asserts that ZeuS 2.0.8.9’s execution rate was only 30 percent.

Although this malware is based on publicly available ZeuS source code, flokibot has made several notable modifications. Besides the dropper method, Floki Bot employs a different network protocol than ZeuS, which flokibot claims allows it to avoid detection by Deep Packet Inspection (DPI). The kit also delivers configuration files to its bots in encrypted form via Gate[.]php calls, as opposed to in a separate payload (as in ZeuS).

Finally, Floki Bot’s ability to grab credit card information using memory hooks is unique. Because of these capabilities, flokibot asserts that the malware in its current state can be used to infect PoS terminals, with the ultimate goal of exfiltrating credit card data during card-present transactions.
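The ring-3 unhooker in the post and the memory hooks described above both rest on one observable: code in memory that no longer matches the module on disk. The following is an added example, not code from the Flashpoint post or from Floki Bot, of how an analyst checks export prologues for such inline hooks and decodes where a detour points; the module bytes, export offsets, load address and detour address are constructed sample data, while the x86 hot-patch prologue and detour encodings are the standard ones.

```python
# Added example (not from the Flashpoint post or Floki Bot): an analyst-side check that
# flags inline hooks by comparing export prologues in memory against the on-disk copy.
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class Hook:
    export: str            # export whose prologue differs from disk
    offset: int            # section offset of the first differing byte
    kind: str              # decoded patch type
    target: Optional[int]  # where the detour lands, when decodable

def classify(patch: bytes, va: int):
    """Decode the detour whose first byte sits at virtual address va (x86 encodings)."""
    if len(patch) >= 5 and patch[0] == 0xE9:                       # jmp rel32
        return "jmp rel32", va + 5 + struct.unpack_from("<i", patch, 1)[0]
    if len(patch) >= 6 and patch[:2] == b"\xFF\x25":               # jmp dword ptr [abs32]
        return "jmp [abs32]", struct.unpack_from("<I", patch, 2)[0]
    if len(patch) >= 6 and patch[0] == 0x68 and patch[5] == 0xC3:  # push imm32; ret
        return "push/ret", struct.unpack_from("<I", patch, 1)[0]
    return "unknown patch", None

def find_hooks(disk: bytes, memory: bytes, exports: dict, base: int, window: int = 16):
    """Compare only the first `window` bytes of each export; diffing whole sections
    would also flag legitimate relocation fix-ups in x86 code."""
    hooks = []
    for name, off in sorted(exports.items(), key=lambda kv: kv[1]):
        d, m = disk[off:off + window], memory[off:off + window]
        if d == m:
            continue
        first = next(i for i, (a, b) in enumerate(zip(d, m)) if a != b)
        kind, target = classify(m[first:], base + off + first)
        hooks.append(Hook(name, off + first, kind, target))
    return hooks

# Constructed module: three exports with the usual x86 hot-patch prologue, padded to 16 bytes.
PROLOGUE = b"\x8B\xFF\x55\x8B\xEC" + b"\x90" * 11  # mov edi,edi; push ebp; mov ebp,esp; nops
DISK = PROLOGUE * 3
EXPORTS = {"NtReadVirtualMemory": 0x00, "NtProtectVirtualMemory": 0x10, "NtWriteVirtualMemory": 0x20}
BASE = 0x77D00000    # constructed load address of the module
DETOUR = 0x00401000  # constructed address of the hooking code

def sample_memory() -> bytes:
    """In-memory copy with a 5-byte jmp planted on NtProtectVirtualMemory, as a hook would leave it."""
    mem = bytearray(DISK)
    mem[0x10:0x15] = b"\xE9" + struct.pack("<i", DETOUR - (BASE + 0x10 + 5))
    return bytes(mem)

if __name__ == "__main__":
    for h in find_hooks(DISK, sample_memory(), EXPORTS, BASE):
        print(f"{h.export}: {h.kind} -> {hex(h.target) if h.target is not None else '?'}")
```

On a live system the disk bytes come from mapping the module file and the memory bytes from reading the loaded image; the same comparison then surfaces both AV hooks a bot tries to strip and hooks the bot itself installs.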


About the author: Vitali Kremez

Vitali Kremez is a Director of Research at Flashpoint. He oversees analyst collection efforts and leads a technical team that specializes in researching and investigating complex cyber attacks, network intrusions, data breaches, and hacking incidents. Vitali is a strong believer in responsible disclosure and has helped enterprises and government agencies deliver indictments in many high-profile investigations involving data breaches, network intrusions, ransomware, computer hacking, intellectual property theft, credit card fraud, money laundering, and identity theft. Previously, Vitali enjoyed a rewarding career as a Cybercrime Investigative Analyst for the New York County District Attorney's Office.

He has earned the majority of certifications available in the information technology, information security, digital forensics, and fraud intelligence fields. A renowned expert, speaker, blogger, and columnist, Vitali has contributed articles to Dark Reading, BusinessReview, and Infosecurity Magazine and is a frequent commentator on cybercrime, hacking incidents, policy, and security.