The Zeus malware, first identified in 2007, has consistently made headlines for major hacks and breaches. Now, according to a joint report from two security firms, Zeus has evolved into something potentially more dangerous. Security researchers first spotted this new form of malware in September 2016. According to the announcement from Cisco Talos and Flashpoint researchers, the new malware, Floki Bot, rapidly gained popularity on the darknet at the low price of $1,000.
Cybersecurity specialists discovered Zeus after bad actors used the malware to steal information from US Department of Transportation computers. Andrew Jaquith, a security researcher at the Yankee Group, told Reuters that “this particular sample of malware was not recognized by existing antivirus software. It was able to slip through enterprise defenses.” To this day, antivirus software struggles to detect Zeus and its descendants consistently, if at all.
The Zeus source code was later leaked online, in 2011, and both security analysts and hundreds of criminals obtained copies of it. Researchers learned how Zeus worked and how to stop it from slipping past antivirus programs; bad actors responded by modifying the code just enough to defeat signature-based detection again. Two examples of Zeus variants built from modified copies of that source code are Gameover ZeuS and the Tiny Banker Trojan.
The creator of Floki Bot, though, built malware that is structured and behaves differently from anything Zeus ever did. Based on the program’s improved success rate and its unusual attack methods, Peter Stephenson, SC Media’s “Threat Hunter” editor, said Floki Bot was “no Zeus wannabe.” Most analysts reached a similar conclusion: Floki Bot clearly descends from Zeus code, but it stands apart from the other Zeus variants, if it can be counted as one at all.
“Although this malware is based on publicly-available ZeuS source code, flokibot has made several notable modifications,” Flashpoint wrote. The developer of the malware now known as Floki Bot operated under the fitting pseudonym flokibot, and flokibot (the username, not the malware) attracted attention well before the first recorded breach by the actual malware.
Floki Bot keeps the Zeus architecture but uses a new dropper technique to execute its payload. Its developer also replaced the network protocol Zeus used, so that command-and-control traffic no longer matches Zeus signatures under deep packet inspection. According to researchers and news coverage, the most worrisome addition is a new method of credit card theft: hooking memory to capture Track 2 card data rather than periodically scanning for it. The creator designed Floki Bot as a point-of-sale (PoS) targeting tool and advertised it accordingly.
Floki Bot’s description on the Alphabay listing and an undisclosed Russian forum:
Dropper: Injects the payload into a zombie process without decrypting it inside the dropper. The payload does not go through NtWriteVirtualMemory/NtMapViewOfSection calls; instead a PE loader is injected that uses NtReadVirtualMemory, then decompresses, decodes and executes it. Decompression and decryption of the payload only happen in the zombie process (explorer.exe or svchost.exe). After the launch of the payload in the zombie process, the payload injects itself into all running 32-bit processes. Execution rate: 70%+.
Payload: Based on Zeus 184.108.40.206 source code. The payload uses a different communication protocol that cannot be detected by Deep Packet Inspection, unlike Zeus (packets do not look like Zeus). Config is transferred to the bot directly through gate.php, encrypted. All reports are written to HDD and then redeployed in a single request to the command and control center. This system reduces stress on the server, allowing you to hold more bots than if requests were sent one by one (Zeus), and ensures you do not lose a single report in case of downtime. The configuration file and the dropper are automatically updated from the web panel using MD5 checks done by the bot itself. The configuration supports unlimited URLs.
Feature List: Track 2 Grabber + Keylogger for CVV. Using memory hooks, it grabs all Track 2 with little CPU usage. A standard scanner/grabber misses some Track 2 because it can be removed from memory before the scan, but with memory hooks this cannot happen. Track 2 data is analyzed and reported as what possible credit card it is (Visa, MasterCard, etc.). Formgrabber and Web inject for Internet Explorer and Mozilla Firefox. Cookies grabber for Internet Explorer. Ring-3 Rootkit unhooking: the bot will attempt to remove all inline hooks by reading and mapping the original file and comparing bytes. Hook Protection: the bot intercepts NtProtectVirtualMemory calls to protect its hooks against run hookers. Backconnect SOCKS/VNC is currently not available as it is being recoded. Chrome web injects and Webfakes will be available in future.
Price: $1000. Bitcoin is the only accepted payment method. Escrow is accepted.
SC Media tested Floki Bot after its release and verified many of the developer’s claims. Its conclusion: Floki Bot is not the work of a script kiddie, and it should be watched with caution.