December 12, 2016 By Douglas Bonderud 2 min read

A new banking malware is being sold on several Dark Web markets as a way to grab point-of-sale (POS) data. According to Threatpost, the hot new Floki Bot is based on the Zeus 2.0.8.9 source code.

In many ways, it surpasses its predecessor in terms of scope and severity. Researchers have now observed the bot in action across U.S., Canadian and Brazilian banks and insurance firms. Is the little bot with the funny name the internet’s new financial nightmare?

Life of the POS Party

Cybercriminals targeting POS data isn’t anything new. As noted by SC Magazine, there was a 400 percent uptick in POS malware across the U.S. during Thanksgiving weekend, with both NewPOSthings and the ever-popular ZeusPOS making appearances.

While security teams anticipated a boost in predatory POS behavior from Black Friday through Cyber Monday, researchers from security firm Proofpoint noted that “the spikes were dramatic.” In other words, cybercriminals are now doubling down when it comes to high-traffic shopping days, and why not when there’s simply so much POS data to grab?

Floki Bot is one of the newer variants on the scene. According to security expert Dr. Peter Stephenson, this bot has been gaining ground since September when it started appearing in Dark Web marketplaces. Floki’s author has been talking up its capabilities, claiming it can escape deep packet inspection and read track 2 credit card data. The malware also boasts a 70 percent execution rate over Zeus’ 30 percent clip.

While some of these talking points may be more marketing hype than measurable results, Stephenson did find Floki harder than average to track down during a deep packet inspection. Floki is now being used by at least 10 cybercriminal gangs who can buy it for $1,000 on Alphabay or other Dark Web sites. At its prime, Zeus went for $15,000 and was used by just five cybergangs. Floki Bot may be the new life of the POS party.

Floki Bot Is No Fluke

As noted by Infosecurity Magazine, Floki Bot doesn’t just repurpose the Zeus code leaked back in 2011, but actually makes a number of improvements. For example, the author added hooking methods to grab credit card track data from memory, making it more versatile than most other banking Trojans.

It’s using a combination of targeted spear phishing campaigns and the RIG exploit kit to infect banks and insurance firms across the U.S., Canada and Brazil. That’s a much bolder move than its progenitor, which preferred subtlety and specificity over generalized attacks.

It’s also worth noting that the malware is adaptable and aggressive. Once executed, it attempts to infect explorer.exe. If that fails, it opts for svchost.exe, while simultaneously hashing every stage of its process to obfuscate actions and confound security teams.

Additionally, there’s dormant Tor code in the new bot that appears to be a work in progress since security researchers couldn’t get it to activate. That could make the POS malware even more frustrating if both origin and destination IPs are covered by Tor’s anonymity.

While the name doesn’t exactly inspire fear, this up-and-coming piece of Zeus-inspired malware is proving to be quite the POS problem. It could turn into a nightmare with enough backers and a boost to its latent Tor code.

More from

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Q&A with Valentina Palmiotti, aka chompie

4 min read - The Pwn2Own computer hacking contest has been around since 2007, and during that time, there has never been a female to score a full win — until now.This milestone was reached at Pwn2Own 2024 in Vancouver, where two women, Valentina Palmiotti and Emma Kirkpatrick, each secured full wins by exploiting kernel vulnerabilities in Microsoft Windows 11. Prior to this year, only Amy Burnett and Alisa Esage had competed in the contest's 17-year history, with Esage achieving a partial win in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today