Security researchers have made an in-depth analysis of the Floki bot malware, which is based on leaked Zeus code. Continue reading to find out the capabilities of the bot.
The Floki Bot is capable of Dealing Damage
The Floki Bot is a bot advertised in underground hacker markets and known to be based on the well-known Zeus bot (specifically version 188.8.131.52). The first instances of the malware were reported in September this year.
According to an independent analysis, the bot is not detected by deep packet inspection. Several samples were placed in a sandbox setup; the prepared filters and measures identified no network connections to known malware hosts, i.e. the samples passed deep packet inspection undetected. The bot communicates with several IP addresses, most of which also host Trojans and ransomware of various kinds. Around half of the anti-malware vendors flag the Floki Bot as malicious, which means that not every security product protects users from it.
Another sample of the bot was found to successfully bypass IBM’s Trusteer Rapport. The researchers traced the network activity to a German IPS. A detailed analysis showed numerous IP addresses connected with Floki bot that host various pieces of malware. Some of them include the following:
The bot has also used various registrant email accounts that are associated with many attack campaigns. There is some evidence of an indirect C&C communication channel used in the botnet distribution. The security experts explain that this is intentional: buyers of the bot have to set up their own botnet infrastructure.
Capabilities of The Floki Bot
The bot works on the most popular versions of the Microsoft Windows operating system: XP, Vista and Windows 7 with User Account Control, as well as Server 2003/2003 R2 and 2008/2008 R2.
The Floki bot spawns its own process and requires no privilege escalation, as it creates its own instance in a guest account. Several processes are started which disable some of the most important security measures, namely the firewall. These actions allow the remote attackers to execute commands at will on the victim host.
An interesting feature is that HTTP traffic is protected with an encryption key that is unique to each instance. A back-connect feature allows backup connections to be set up over protocols such as RDP and FTP.
Floki bot can perform HTTP injection attacks that modify pages loaded in web browsers. The criminal developers have also included a screen scraping feature that captures information from private sessions on sensitive sites such as online bank accounts and email. The bot has an advanced sniffer and a keystroke logging option. Floki can also import Windows certificates, run scripts from its control panel, and be safely removed remotely by the attackers at will.
The Floki bot can deliver a variety of payloads, which it injects into system processes such as explorer or svchost. The payload is stored in encrypted form to avoid detection and is decrypted at run time; the final transformation decompresses and starts the malicious executable code. When that is complete the bot renames itself and copies itself to a subdirectory in the Application Data location. In the sample infections it renames itself as dymasa.exe.
The user data stolen by the attackers is placed in an encrypted archive and stored in a different folder under Application Data. Persistence is attained by creating a startup entry. Floki also makes intensive changes to the Windows Registry.
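The two host-side traces described above (a renamed self-copy dropped under Application Data and a startup entry pointing at it) are the kind of thing a responder can check for with a short triage script. The following is an added example written for this article, not code from the original analysis or from the bot itself. It runs over constructed in-memory samples: the Run-key values, the user and folder names (alice, Qyxeba), the file paths and the file contents are all made up for the illustration; only the name dymasa.exe comes from the article.

```python
"""Triage of constructed host artifacts for a Floki-style dropper footprint.

Two indicators are checked over in-memory sample data:
  1. an autostart (Run-key style) entry whose image lives under an
     Application Data path, and
  2. two files with byte-identical content but different file names, one of
     them under Application Data, i.e. a renamed copy of the dropper.
All paths, registry values and file contents here are constructed samples.
"""
import hashlib
import ntpath  # Windows path semantics regardless of the host OS
from typing import Dict, List, Tuple

# Case-insensitive path fragments that mark the per-user Application Data tree.
APPDATA_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\application data\\")

# Constructed HKCU\...\CurrentVersion\Run values (value name -> command line).
SAMPLE_RUN_KEY = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "dymasa": r'"C:\Users\alice\AppData\Roaming\Qyxeba\dymasa.exe"',
}

# Constructed file contents; the dropper and its AppData copy are byte-identical.
DROPPER = b"MZ\x90\x00" + b"constructed-floki-sample-" * 4
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\invoice.exe": DROPPER,
    r"C:\Users\alice\AppData\Roaming\Qyxeba\dymasa.exe": DROPPER,
    r"C:\Users\alice\AppData\Roaming\Qyxeba\data.bin": b"opaque-encrypted-archive",
    r"C:\Windows\System32\SecurityHealthSystray.exe": b"MZ\x90\x00unrelated",
}


def under_appdata(path: str) -> bool:
    """True if the path sits anywhere inside the Application Data tree."""
    low = path.lower()
    return any(marker in low for marker in APPDATA_MARKERS)


def image_path(command_line: str) -> str:
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def suspicious_autoruns(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, image path) for autorun entries whose image is in Application Data."""
    hits = []
    for name, cmd in entries.items():
        image = image_path(cmd)
        if under_appdata(image):
            hits.append((name, image))
    return hits


def renamed_copies(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (original path, AppData copy) pairs with identical SHA-256 but different file names."""
    by_hash: Dict[str, List[str]] = {}
    for path, data in files.items():
        by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(path)
    pairs = []
    for paths in by_hash.values():
        if len(paths) < 2:
            continue
        for copy in paths:
            if not under_appdata(copy):
                continue
            for original in paths:
                same_name = ntpath.basename(original).lower() == ntpath.basename(copy).lower()
                if original != copy and not same_name:
                    pairs.append((original, copy))
    return pairs


if __name__ == "__main__":
    for name, image in suspicious_autoruns(SAMPLE_RUN_KEY):
        print(f"autorun from Application Data: {name} -> {image}")
    for original, copy in renamed_copies(SAMPLE_FILES):
        print(f"renamed copy: {original} == {copy}")
```

Both checks are triage hints rather than verdicts: legitimate per-user installers also start from Application Data, so an autorun hit should be followed up with the content comparison, a signature check and a look at the registry changes the article mentions. On a live host the two dictionaries would be filled from the Run keys and a directory walk instead of the constructed samples.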
Two interesting facts about the bot are that it claims a high execution rate (70%, as opposed to 30% for Zeus) and that it can read track 2 of a payment card, which makes it a useful tool for credit card theft.