Floki Bot

The exploit kit Floki Bot was discovered in September 2016, when it was advertised for $1,000 on a hacker forum. According to the developer, Floki Bot was designed to be multipurpose and to bypass antivirus protection. To accomplish this, it decompresses its payload, which is injected via NtReadVirtualMemory and eventually becomes part of a system parent process. Additional modifications include using another network protocol to conceal itself from deep packet inspection (DPI) and providing a source of encrypted configuration files to bots through gate[.]php. Floki Bot reportedly has a distinctive capability to exfiltrate payment card information during live point-of-sale terminal transactions.

Reporting and Technical Details

  • October 2016: Floki Bot is based on the ZeuS 2.0.8.9 Trojan source code. (Flashpoint)