Floki Bot, a new financially oriented malware family, is popular in English-, Portuguese-, and Russian-speaking underground criminal markets, winning over cybercriminals with new features and functionality. It is currently being used by a number of different cybercrime groups around the world and is being sold on dark web markets for about $1,000, according to Flashpoint and Cisco Talos.
Floki Bot is a good example of the release-and-reuse tactics by which malware evolves. Based on the venerable Zeus Trojan 2.0.8.9 source code, which leaked many years ago, this new bot variant sports several technologies for bypassing detection and removal by security tools. It has an updated engine for evading Deep Packet Inspection (DPI), a network inspection technique that defenders use to spot malicious traffic, and can be extended to route its traffic over the Tor (The Onion Router) network to mask the true source and destination of its communications. It uses a number of obfuscation techniques to hide its sensitive code. Floki Bot also includes advanced methods for capturing data from one of its primary targets, Point-of-Sale (PoS) devices. Overall, it keeps many of the Zeus banking Trojan's tricks while adding upgrades to keep pace with current security controls and tactics.
Based on analysis of its communication traffic, it is believed that several different parties, possibly speaking different languages, contributed to the creation of this malware. Because hackers collaborate well, the result is a capable new malware brought to the stage. This is becoming more common: pieces of code and experts from different groups come together to develop the next generation of malware.
In some cases, the collaboration is not intentional. There are several examples of nation states conducting cyberattacks only to have other parties intercept their well-developed code, reverse-engineer it, and reuse the parts they found interesting in their own projects. This is the way of the next-generation malware author. They do not need to know everything themselves; they can draw on a community for assistance and even reuse the best parts of other groups' code for maximum effect.
Protections Must Adapt
If Floki Bot is any indication of how malware is evolving, we should expect faster release cycles for more virulent code and methods. Teamwork will increase as groups work together to monetize their efforts and fleece victims in more efficient and creative ways. The cybersecurity industry is fighting not only the malicious technology but also the people who are innovating and collaborating to undermine the security, safety, and privacy of us all.