Multi-Purpose “Floki Bot” Emerges as New Malware Kit
- Actor “flokibot” advertised their new malware kit, similarly named “Floki Bot,” on a top-tier underground forum on September 16, 2016.
- “Floki Bot” draws from the source code of the ZeuS 18.104.22.168 Trojan but reinvents the dropper process injection.
- The new feature of this malware kit appears to be a dump grabber, which, according to the actor, makes Floki Bot the weapon of choice for targeting point of sale (PoS) terminals.
- This malware kit, offered for $1,000 USD, may gain some traction among financially-motivated cybercriminals on a top-tier underground forum.
On September 16, 2016, actor “flokibot” advertised their new malware kit, similarly named “Floki Bot,” on a top-tier Russian cybercriminal forum.
flokibot posted the following:
Injects payload in zombie process without decrypting it inside dropper. Payload does not go through NtWriteVirtualMemory/NtMapViewOfSection calls but instead
a PE loader is injected that uses NtReadVirtualMemory then decompresses, decrypts and executes it.
Decompression and decryption of payload only happens in zombie process (explorer.exe or svchost.exe).
After launch of payload in zombie process, payload injects itself in all running 32-bit processes.
Execution rate – 70%+.
Payload based on Zeus 22.214.171.124 source code. Payload uses a different communication protocol that cannot be detected by Deep-Packet-Inspection unlike Zeus (packets don't look like Zeus). Config is transferred to bot directly through gate.php encrypted.
All reports are written to HDD and then transferred in a single request to command and control center. This system reduces stress on server, allowing you to hold more bots than if it would send requests one by one (zeus), and ensures you don't lose a single report in case of downtime. Configuration file and dropper are automatically updated from webpanel using MD5 checks done by bot itself. Configuration supports unlimited URLs.
Track 2 Grabber + Keylogger for CVV
Using memory hooks, it grabs all Track 2 with very low CPU usage. Standard scanner/grabber misses some Track 2 because it can be removed from memory before scan but with memory hooks this case cannot happen.
Track 2 data is analyzed and reported as what possible credit-card it is (Visa, Master-card, etc).
Formgrabber and Webinjects for Internet Explorer and Mozilla Firefox
Cookies grabber for Internet Explorer
Ring-3 Rootkit unhooker: Bot will attempt to remove all inline hooks by reading and mapping original file and comparing bytes.
Hook Protection: Bot intercepts NtProtectVirtualMemory calls to protect its own hooks against unhookers.
Backconnect SOCKS/VNC is currently not available as it is being recoded. Chrome webinjects and Webfakes will be available in future.
Price: 1000$, Bitcoin is the only accepted payment method. Escrow is accepted.
Floki Bot's most interesting feature is its dropper method, that is, the way the malware accomplishes process injection. To frustrate anti-virus detection, the dropper does not write a decrypted payload into another process. Instead, it injects a small portable executable (PE) loader into a zombie process (explorer.exe or svchost.exe); that loader uses the "NtReadVirtualMemory" call to pull the still-compressed, still-encrypted payload out of the dropper's memory, and only then decompresses, decrypts and executes it inside the zombie process. The cleartext payload therefore never passes through the NtWriteVirtualMemory or NtMapViewOfSection calls that many detection hooks watch. Based on the Floki developer's own testimony, this technique lets the malware bypass anti-virus detection, so much so that flokibot claims the dropper has a 70 percent execution success rate. By contrast, flokibot asserts that ZeuS 126.96.36.199's execution rate was only 30 percent.
Although this malware is based on publicly available ZeuS source code, flokibot has made several notable modifications. Besides the dropper method, Floki Bot uses a different network protocol than ZeuS, which the seller claims lets it avoid detection by Deep Packet Inspection (DPI). The kit also delivers configuration files to its bots in encrypted form through Gate[.]php calls, rather than as a separate payload (as in ZeuS).
Finally, Floki Bot's ability to grab credit card (Track 2) data with memory hooks, rather than by periodically scanning process memory, is unique. Because of these capabilities, flokibot asserts that the malware in its current state can be used to infect PoS terminals with the ultimate goal of exfiltrating credit card data during card-present transactions.
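As an added example, not code from this report or from the malware, the following Python shows the incident-responder's side of the Track 2 analysis and card-brand reporting that flokibot advertises: scanning a captured buffer (a memory region, a pcap payload or a log) for Track 2 records, validating the PAN with the Luhn check, classifying the issuer from the leading digits, and reporting only a masked PAN so the scan itself does not spread card data. The buffer and card numbers are constructed test values; the issuer prefixes are the well-known public ranges.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")

# Constructed sample "memory region": two real-format records, one Amex record
# and one PAN with a wrong check digit, mixed with binary noise.
SAMPLE_MEMORY = (
    b"\x00\x00POS-APP\x00;4111111111111111=2512101123456789?\x00"
    b"garbage\xff\xfe;5555555555554444=2701201?\x00"
    b";378282246310005=2609101?\x00;4111111111111112=2512101?\x00"
)

def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def card_brand(pan: str) -> str:
    """Classify the issuer from the public IIN ranges (Visa, Mastercard, Amex, Discover)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"} or 2221 <= int(pan[:4]) <= 2720:
        return "Mastercard"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    if pan.startswith("6011") or pan.startswith("65"):
        return "Discover"
    return "Unknown"

def scan_for_track2(blob: bytes) -> list[dict]:
    """Find Track 2 candidates in a raw buffer and report them with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(blob.decode("latin-1")):
        pan = m.group("pan")
        hits.append({
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "brand": card_brand(pan),
            "expiry_yymm": m.group("exp"),
            "service_code": m.group("svc"),
            "luhn_valid": luhn_ok(pan),   # False flags a false positive or a corrupted record
        })
    return hits

if __name__ == "__main__":
    for hit in scan_for_track2(SAMPLE_MEMORY):
        print(hit)
```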