Security researchers from Cisco Talos and Flashpoint have conducted an investigation of the Floki Bot in a joint effort.
The Floki bot is a banking Trojan based on Zeus that has been sold on cybercrime underground since September 2016. The malware was developed starting from the Zeus source code that was leaked in 2011, it is offered for $1,000 worth of bitcoins. However, researchers determined that the malware includes some new capabilities, including anti-detection features.
“Floki Bot is a new malware variant that has recently been offered for sale on various darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan, the source code of which was leaked in 2011.” reads the analysis published by the Talos Team. “Rather than simply copying the features that were present within the Zeus trojan “as-is”, Floki Bot claims to feature several new capabilities making it an attractive tool for criminals.”
The Floki bot is rapidly evolving, the authors implemented new features, including sophisticated anti-detection techniques and the use of the Tor network.
The malware researchers at Talos discovered a new source code that allows the threat to use the Tor network, but the feature seems to be still not active.
“During our analysis of Floki Bot, Talos identified modifications that had been made to the dropper mechanism present in the leaked Zeus source code in an attempt to make Floki Bot more difficult to detect. Talos also observed the introduction of new code that allows Floki Bot to make use of the Tor network.” continues the analysis.
The experts from Flashpoint speculate that the Floki Bot has a Brazilian origin, the threat actor behind the malware is currently using the “flokibot” moniker and communicates in Portuguese. It targets Brazilian IPs and domains and targeted systems have default language set to Portuguese.
The “flokibot” actor act as a sort of “connector,” he is present in several major crime communities across the world, particularly Russian and English-speaking dark web communities.
Even the analysis of its activity in the underground suggests that the actor is located in Brazil, it is most active on underground forums during hours within Brazil’s UTC -3 timezone.
“Beyond the unique intelligence obtained by Flashpoint analysts and the campaign targeting Brazil, flokibot, a Portuguese-speaking member of English and Russian-language communities, was identified by several markers as very likely to be Brazilian” states the analysis published by FlashPoint.
• Use of the Portuguese language within the actor’s communications
• Targeting computers with the default language set to Portuguese
• Targeting Brazilian domains or IP ranges
• Targeting computers with the default timezone set to Brazil UTC -03:00
• Other unique intelligence obtained by Flashpoint analysts
The presence of flokibot in several major underground communities suggests the gang import knowledge and tools into the Brazilian cybercrime underground.
“While Brazilian cybercriminals are not typically as technically sophisticated as their Russian counterparts, they will often solicit new forms of malware (to include point of sale [PoS] ransomware and banking Trojans), or offer their own services,” Vitali Kremez, senior intelligence analyst at Flashpoint, said in a blog post. “It appears that a presence on Russian [Deep and Dark Web] communities may be a likely factor in flokibot’s progression.”
Researchers discovered that the new strain of Floki Bot also includes the code to scrape payment card data from the memory PoS systems.
“One way in which flokibot’s technical competency has evolved is in the actor’s use of hooking methods to capture track data from PoS devices. While the malware originates from the well-known ZeuS 126.96.36.199 source code, flokibot adds this hooking method to grab track data from memory thereby extending the malware operations beyond regular banking trojan functionality making it more potent and versatile.” states FlashPoint.
A campaign analyzed by Flashpoint revealed that 225 Floki bots have collected a total of 1,375 card dumps.
Researchers have observed a spike in the number of attacks based on Floki Bot against U.S., Canadian and Brazilian banks, and insurance firms.
Both Talos and Flashpoint will continue monitoring the threat.
(Security Affairs – Floki bot, trojan)