FlokiBot

FlokiBot, a banking Trojan created using code from Zeus, was first discovered in 2016 and spiked in attacks during the latter half of that year. It evolved in these first few months, gaining new capabilities including anti-detection features and use of the Tor network. Researchers believe the Trojan has origins in Brazil as the suspected threat actor communicates in Portuguese and the Trojan has largely targeted Brazilian IPs and domains, along with other markers. Recently, researchers discovered code in a new variant of FlokiBot, granting it the ability to scrape payment card data from the memory of point-of-sale (PoS) systems. The Trojan has been increasingly used in attacks against U.S., Canadian, and Brazilian banks and insurance firms. Floki Bot typically infects via spearphishing attacks attempting to convince recipients to open a Microsoft Word document and enable the malicious macros. Once the macros are enabled, the FlokiBot malware is executed. The Trojan attempts to inject malicious code into explorer.exe in the Windows File Manager. If explorer.exe is unsuccessful, it will inject into svchost.exe. FlokiBot continues to use hashing to obfuscate module and function names used in the dynamic library resolution. Researchers at Flashpoint claim the Trojan is used by 10 different cybercrime gangs and is sold for $1,000 in Bitcoin in several Darknet markets.

Reporting

  • January 2017: Researchers discovered the malware targeting point-of-sale (PoS) infrastructure mainly in Brazil, and in Australia, the U.S., Paraguay, Croatia, the Dominican Republic, and Argentina. (Arbor Networks)

Technical Details

  • Flashpoint provides a technical analysis of FlokiBot, available here.

One example of the Floki Bot Trojan. Image Source: Flashpoint