December 12, 2016 By Douglas Bonderud 2 min read

A new banking malware is being sold on several Dark Web markets as a way to grab point-of-sale (POS) data. According to Threatpost, the hot new Floki Bot is based on the Zeus 2.0.8.9 source code.

In many ways, it surpasses its predecessor in terms of scope and severity. Researchers have now observed the bot in action across U.S., Canadian and Brazilian banks and insurance firms. Is the little bot with the funny name the internet’s new financial nightmare?

Life of the POS Party

Cybercriminals targeting POS data isn’t anything new. As noted by SC Magazine, there was a 400 percent uptick in POS malware across the U.S. during Thanksgiving weekend, with both NewPOSthings and the ever-popular ZeusPOS making appearances.

While security teams anticipated a boost in predatory POS behavior from Black Friday through Cyber Monday, researchers from security firm Proofpoint noted that “the spikes were dramatic.” In other words, cybercriminals are now doubling down when it comes to high-traffic shopping days, and why not when there’s simply so much POS data to grab?

Floki Bot is one of the newer variants on the scene. According to security expert Dr. Peter Stephenson, this bot has been gaining ground since September when it started appearing in Dark Web marketplaces. Floki’s author has been talking up its capabilities, claiming it can escape deep packet inspection and read track 2 credit card data. The malware also boasts a 70 percent execution rate over Zeus’ 30 percent clip.

While some of these talking points may be more marketing hype than measurable results, Stephenson did find Floki harder than average to track down during a deep packet inspection. Floki is now being used by at least 10 cybercriminal gangs who can buy it for $1,000 on Alphabay or other Dark Web sites. At its prime, Zeus went for $15,000 and was used by just five cybergangs. Floki Bot may be the new life of the POS party.

Floki Bot Is No Fluke

As noted by Infosecurity Magazine, Floki Bot doesn’t just repurpose the Zeus code leaked back in 2011, but actually makes a number of improvements. For example, the author added hooking methods to grab credit card track data from memory, making it more versatile than most other banking Trojans.

It’s using a combination of targeted spear phishing campaigns and the RIG exploit kit to infect banks and insurance firms across the U.S., Canada and Brazil. That’s a much bolder move than its progenitor, which preferred subtlety and specificity over generalized attacks.

It’s also worth noting that the malware is adaptable and aggressive. Once executed, it attempts to infect explorer.exe. If that fails, it opts for svchost.exe, while simultaneously hashing every stage of its process to obfuscate actions and confound security teams.

Additionally, there’s dormant Tor code in the new bot that appears to be a work in progress since security researchers couldn’t get it to activate. That could make the POS malware even more frustrating if both origin and destination IPs are covered by Tor’s anonymity.

While the name doesn’t exactly inspire fear, this up-and-coming piece of Zeus-inspired malware is proving to be quite the POS problem. It could turn into a nightmare with enough backers and a boost to its latent Tor code.

More from

Trends: Hardware gets AI updates in 2024

4 min read - The surge in artificial intelligence (AI) usage over the past two and a half years has dramatically changed not only software but hardware as well. As AI usage continues to evolve, PC makers have found in AI an opportunity to improve end-user devices by offering AI-specific hardware and marketing them as "AI PCs."Pre-AI hardware, adapted for AIA few years ago, AI often depended on hardware that was not explicitly designed for AI. One example is graphics processors. Nvidia Graphics Processing…

Cybersecurity Awareness Month: Cybersecurity awareness for developers

3 min read - It's the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers…

Spooky action: Phantom domains create hijackable hyperlinks

4 min read - According to a recent paper published at the 2024 Web Conference, so-called "phantom domains" make it possible for malicious actors to hijack hyperlinks and exploit users' trust in familiar websites.The research defines phantom domains as active links to dot-com domains that have never been registered.Here's what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. There are two common types of phantom domains: Errors and placeholders.Domain errorsErrors…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today