Floki Bot is a new banking malware variant that hides itself from anti-virus software and is now available for purchase on underground markets. Floki Bot was built from the leaked source code of the infamous Zeus Trojan.
Floki Bot claims to add several new and damaging features rather than simply copying Zeus. According to its advertisement on dark-net markets, Floki Bot claims stealthy injection and evasion techniques.
The source code of the Zeus Trojan was leaked in 2011. Research on the new malware was carried out jointly by Talos Intelligence and Flashpoint, who identified the modifications that distinguish Floki Bot from Zeus.
“Once the malware is executed, it attempts to inject malicious code into ‘explorer.exe’ – the Microsoft Windows file manager,” according to the research by Talos and Flashpoint. “If it is unable to open ‘explorer.exe’, it will then inject into ‘svchost.exe’,” the researchers added.
Floki Bot uses an interesting method of process injection. In order to evade anti-virus software, Floki Bot injects its payload into zombie processes such as ‘explorer.exe’, and the decryption and execution of the payload happen inside the zombie process itself. According to Floki Bot's authors, this helps it evade detection software.
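Because the injection targets named above (‘explorer.exe’ first, ‘svchost.exe’ as the fallback) are stable, a defender can watch for remote threads created in those processes by unexpected sources. The following is an added example, not code from the Talos/Flashpoint research; it runs a simple check over constructed log lines whose key=value layout is modelled on the fields of Sysmon Event ID 8 (CreateRemoteThread), and the allow-list of benign source processes is an assumption to be tuned per environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Processes the Talos/Flashpoint write-up names as Floki Bot's injection targets.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}

# Assumption: source processes that legitimately create threads in explorer.exe
# or svchost.exe on this fleet. Tune this list for your environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed log lines in a simplified key=value format (not real Sysmon output).
EVENT_RE = re.compile(
    r'EventID=8\s+SourceImage="([^"]+)"\s+TargetImage="([^"]+)"\s+StartAddress=(\S+)'
)


@dataclass
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_address: str


def parse_event(line: str) -> Optional[RemoteThreadEvent]:
    """Return a RemoteThreadEvent for an Event ID 8 line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    return RemoteThreadEvent(*m.groups()) if m else None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """Flag a remote thread into explorer.exe/svchost.exe from a non-allow-listed source."""
    if basename(ev.target_image) not in INJECTION_TARGETS:
        return False
    return ev.source_image.lower() not in BENIGN_SOURCES


def scan(lines: List[str]) -> List[RemoteThreadEvent]:
    """Parse every line and keep only the events that look like Floki-style injection."""
    return [ev for ev in map(parse_event, lines) if ev and is_suspicious(ev)]


# Constructed sample: one benign thread, one injection into explorer.exe,
# one fallback injection into svchost.exe, one unrelated event, one non-target.
SAMPLE_LOG = [
    r'EventID=8 SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\explorer.exe" StartAddress=0x7FF8A0001000',
    r'EventID=8 SourceImage="C:\Users\bob\AppData\Local\Temp\invoice.exe" TargetImage="C:\Windows\explorer.exe" StartAddress=0x00A31000',
    r'EventID=8 SourceImage="C:\Users\bob\AppData\Local\Temp\invoice.exe" TargetImage="C:\Windows\System32\svchost.exe" StartAddress=0x00B20000',
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe"',
    r'EventID=8 SourceImage="C:\Users\bob\AppData\Local\Temp\invoice.exe" TargetImage="C:\Windows\System32\notepad.exe" StartAddress=0x00C00000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT: {hit.source_image} -> {hit.target_image} @ {hit.start_address}")
```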
Command and Control over HTTPS
The researchers state that Floki Bot communicates with its command-and-control servers over an HTTPS connection. The command-and-control infrastructure is said to be spread across many regions, including Ukraine, Singapore and Brazil. On analysis, many of the C2 IP addresses were found to be listed in the Spamhaus blacklist database.
The Zeus-derived Floki Bot is claimed to have a 70% success rate, compared with a 30% success rate for the original Zeus.
“Spear Phishing” as Delivery Mechanism
The researchers identified that, in the initial phase, the cyber criminals use spear phishing to deliver the Floki Bot payload. They weaponize Microsoft Word documents with malicious code in the document macros and send them to the targeted recipients as e-mail attachments. Once the target (victim) receives the mail and opens the attachment, and provided macros are enabled on the victim’s machine, the malicious macro executes and retrieves the Floki Bot malware from the attackers’ server.
Floki Bot also has a distinctive ability to harvest credit card information using memory hooks. Because of this capability, the researchers assert that Floki Bot can be used to infect point-of-sale terminals and capture credit card data during transactions.