Malware gangs, like sad wedding bands, love to play the hits. And one of the hits they keep running back over and over is the Zeus banking Trojan, which has been in use for many years in a number of different forms. Researchers have unearthed a new piece of malware called Floki Bot that is based on the venerable Zeus source code and is being used to infect point-of-sale systems, among other targets.
Floki Bot is apparently the work of a Brazilian author who has been selling the malware on underground forums for the last few months. The price, at $1,000, is relatively low, but the malware delivers some high-end capabilities for that price. One of the ways that attackers have had success making money in recent years is infecting PoS devices and scraping payment card data. It’s an effective way to steal a high volume of card data in a short amount of time.
Attackers are using Floki Bot do just that, researchers say. The malware is based on the Zeus source code, which was leaked online several years ago and has been the basis for many other malware variants in the interim.
“One way in which flokibot’s technical competency has evolved is in the actor’s use of hooking methods to capture track data from PoS devices. While the malware originates from the well-known ZeuS 188.8.131.52 source code, flokibot adds this hooking method to grab track data from memory thereby extending the malware operations beyond regular banking trojan functionality making it more potent and versatile,” Vitali Kremez, a senior intelligence analyst at Flashpoint, wrote in an analysis of the malware.
Flashpoint conducted the analysis of Floki Bot with Cisco’s Talos research team, and the two organizations said that the author behind the bot maintains a presence on a number of different underground forums, some of which are in Russian or other non-native languages for him. Kremez said that attackers sometimes will participate in foreign language forums as a way to expand their knowledge.
“While Brazilian cybercriminals are not typically as technically sophisticated as their Russian counterparts, they will often solicit new forms of malware (to include point of sale [PoS] ransomware and banking Trojans), or offer their own services. It appears that a presence on Russian DDW communities may be a likely factor in flokibot’s progression,” he said.
Along with its PoS infection capability, Floki Bot also has a feature that allows it to use the Tor network to communicate.
“During our analysis of Floki Bot, Talos identified modifications that had been made to the dropper mechanism present in the leaked Zeus source code in an attempt to make Floki Bot more difficult to detect. Talos also observed the introduction of new code that allows Floki Bot to make use of the Tor network. However, this functionality does not appear to be active for the time being,” Cisco’s Talos team said in its analysis.
Developing malware from scratch is a difficult, costly, and time-consuming process. That’s why attackers love to beg, buy, or steal other people’s work and modify it to fit their own needs. Cisco’s researchers said the recent success of Floki Bot will likely continue as it finds a receptive audience.
“As Floki Bot is currently being actively bought and sold on several darknet markets it will likely continue to be seen in the wild as cybercriminals continue to attempt to leverage it to attack systems in an aim to monetize their efforts,” Cisco’s team said.