December 12, 2016 By Douglas Bonderud 2 min read

A new banking malware is being sold on several Dark Web markets as a way to grab point-of-sale (POS) data. According to Threatpost, the hot new Floki Bot is based on the Zeus 2.0.8.9 source code.

In many ways, it surpasses its predecessor in terms of scope and severity. Researchers have now observed the bot in action across U.S., Canadian and Brazilian banks and insurance firms. Is the little bot with the funny name the internet’s new financial nightmare?

Life of the POS Party

Cybercriminals targeting POS data isn’t anything new. As noted by SC Magazine, there was a 400 percent uptick in POS malware across the U.S. during Thanksgiving weekend, with both NewPOSthings and the ever-popular ZeusPOS making appearances.

While security teams anticipated a boost in predatory POS behavior from Black Friday through Cyber Monday, researchers from security firm Proofpoint noted that “the spikes were dramatic.” In other words, cybercriminals are now doubling down when it comes to high-traffic shopping days, and why not when there’s simply so much POS data to grab?

Floki Bot is one of the newer variants on the scene. According to security expert Dr. Peter Stephenson, this bot has been gaining ground since September when it started appearing in Dark Web marketplaces. Floki’s author has been talking up its capabilities, claiming it can escape deep packet inspection and read track 2 credit card data. The malware also boasts a 70 percent execution rate over Zeus’ 30 percent clip.

While some of these talking points may be more marketing hype than measurable results, Stephenson did find Floki harder than average to track down during a deep packet inspection. Floki is now being used by at least 10 cybercriminal gangs who can buy it for $1,000 on Alphabay or other Dark Web sites. At its prime, Zeus went for $15,000 and was used by just five cybergangs. Floki Bot may be the new life of the POS party.

Floki Bot Is No Fluke

As noted by Infosecurity Magazine, Floki Bot doesn’t just repurpose the Zeus code leaked back in 2011, but actually makes a number of improvements. For example, the author added hooking methods to grab credit card track data from memory, making it more versatile than most other banking Trojans.

It’s using a combination of targeted spear phishing campaigns and the RIG exploit kit to infect banks and insurance firms across the U.S., Canada and Brazil. That’s a much bolder move than its progenitor, which preferred subtlety and specificity over generalized attacks.

It’s also worth noting that the malware is adaptable and aggressive. Once executed, it attempts to infect explorer.exe. If that fails, it opts for svchost.exe, while simultaneously hashing every stage of its process to obfuscate actions and confound security teams.

Additionally, there’s dormant Tor code in the new bot that appears to be a work in progress since security researchers couldn’t get it to activate. That could make the POS malware even more frustrating if both origin and destination IPs are covered by Tor’s anonymity.

While the name doesn’t exactly inspire fear, this up-and-coming piece of Zeus-inspired malware is proving to be quite the POS problem. It could turn into a nightmare with enough backers and a boost to its latent Tor code.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today