Multi-Purpose ‘Floki Bot’ Emerges as New Malware Kit

Background

On September 16, 2016, threat actor “flokibot” advertised their new malware kit, similarly named “Floki Bot,” on a top-tier Russian cybercriminal forum.

flokibot posted the following:

Floki Bot


Dropper

Injects payload in zombie process without decrypting it inside dropper. Payload does not go through NtWriteVirtualMemory/NtMapViewOfSection calls but instead

a PE loader is injected that uses NtReadVirtualMemory then decompresses, decrypts and executes it.

Decompression and decryption of payload only happens in zombie process (explorer.exe or svchost.exe). 


After launch of payload in zombie process, payload injects itself in all running 32-bit processes.


Execution rate – 70%+. 


Payload 
Based on Zeus 2.0.8.9 source-code. Payload uses a different communication protocol that cannot be detected by Deep-Packet-Inspection unlike Zeus (Packets dont look like Zeus). Config is transfered to bot directly through gate.php encrypted.


All reports are written to HDD and then transfered in a single request to command and control center. This system reduces stress on server allowing you to hold more bots than it would send requests one by one (zeus) and ensures you dont loose a single report in case of downtime. Configuration file and dropper is automatically updated from webpanel using MD5 checks done by bot itself. Configuration supports unlimited URL. 


Feature List:

Track 2 Grabber + Keylogger for CVV

Using memory hooks, it grabs all Track 2 with very low CPU usage. Standard scanner/grabber misses some Track 2 because it can be removed from memory before scan but with memory hooks this case cannot happen.

Track 2 data is analyzed and reported as what possible credit-card it is (Visa, Master-card, etc).

Formgrabber and Webinjects for Internet Explorer and Mozilla Firefox

Cookies grabber for Internet Explorer
Ring-3 Rootkit unhookerBot will attempt to remove all inline hooks by reading and mapping original file and comparing bytes.
Hook ProtectionBot intercept NtProtectVirtualMemory calls to protect its own hooks against unhookers.
Backconnect SOCKS/VNC currently is not available as it is being recoded. Chrome webinjects and Webfakes will be available in future.

Price: 1000$, Bitcoin is only accepted payment method. Escrow is accepted.

Assessment

Floki Bot involves an interesting dropper method – the method in which the malware accomplishes process injection. In order to frustrate anti-virus detection measures, Floki Bot injects its decompressed payload leveraging the portable executable (PE) loader API call known as “NtReadVirtualMemory,” then decrypts it into a parent process. Based on the floki developer’s testimony, this technique allows the malware to bypass anti-virus detection – so much so that flokibot claims this dropper has a 70 percent execution success rate. By contrast, flokibot asserts that ZeuS 2.0.8.9’s execution rate was only 30 percent.

Although this malware is based on publicly-available ZeuS source code, flokibot has made several notable modifications. Besides the dropper method, Floki Bot also employs a different network protocol than ZeuS that allows it to avoid detection by Deep Packet Inspection (DPI). The malware kit also allows the malware to feed configuration files in an encrypted state to its bots via Gate[.]php calls, as opposed to in a separate payload (as in ZeuS).

Finally, the Floki Bot’s ability to grab credit card information using memory hooks is unique. Due to these capabilities, flokibot asserts that the malware in its current state can be used to infect PoS terminals with the ultimate goal of exfiltrating credit card data during card-present transactions.