Floki Bot Up for grabs on Alpha Bay
Zeus, a banking trojan first identified in 2007, made numerous headlines for the account compromises and data breaches it enabled. Now, recent research published by two security firms, Flashpoint and Cisco Talos, suggests that the Zeus code base has evolved into something potentially more dangerous.
Called Floki Bot, this Zeus-derived trojan has been advertised since at least September 2016 and can be bought on darknet markets such as Alpha Bay for about $1,000.
According to Andrew Jaquith, a security researcher with Yankee Group, the malware has capabilities that let it evade antivirus detection and slip through enterprise defenses unnoticed.
Though Floki Bot shares much of its source code with Zeus, it carries several modifications that make it more effective against modern networks.
The Alpha Bay listing describes a new dropper technique for executing the payload, and a network protocol that differs from Zeus, intended to defeat traffic detection based on deep packet inspection (DPI).
The feature that most concerns analysts is that the malware includes a dedicated method for stealing credit card data.
Adding to those worries, the authors built it for point-of-sale (PoS) targeting and advertised it as such, so criminals with no development skills of their own can buy it and deploy it against PoS systems.
According to the listing, Floki Bot runs on Windows XP, Windows Vista and the later versions that use User Account Control (UAC), as well as Windows Server 2003/2003 R2 and 2008/2008 R2.
The bot injects its code into the processes the user runs and needs almost no privileges to do so; it can even run from a Guest account, which is one reason the Guest account should not be left enabled.
It also includes routines for bypassing host and network firewalls, which lets it report the victim's configuration to the command-and-control server so that an operator can issue commands tailored to that victim.
Although the malware communicates over HTTP, the traffic is encrypted with keys unique to each bot instance, so traffic captured from one infection does not help decode another's.
HTTP injection (web injects) lets the bot modify pages as they load in the victim's browser, and through this Floki Bot can harvest data such as bank account details and other credentials from the displayed page and from submitted forms.
The bot also ships additional collection modules, including a network sniffer and a keylogger.
The bot can also harvest certificates from the Windows certificate store on the victim's machine. The dropped payload is stored encrypted and stays encrypted on disk until the dropper injects itself into svchost.exe or explorer.exe.
Only then is the payload decrypted and decompressed in memory and injected into every running 32-bit process.
The malware also renames itself and writes a copy of its code to a subdirectory under Application Data.
Stolen data is encrypted before it is written to disk and kept in a separate directory under Application Data.
It also makes several changes to the Windows registry that weaken the machine's security settings and leave it more exposed.
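The on-disk behaviour described above gives a responder two things to look for on a suspect host: an executable staged in a subdirectory under Application Data, and an encrypted stash of stolen data in another subdirectory there. The script below is an added illustrative example, not code from the Flashpoint/Talos research or from the malware. It walks an Application Data tree, flags any file that starts with the Windows PE header regardless of its extension, and flags files whose byte entropy is high enough to look encrypted. The directory names, file names and thresholds are constructed assumptions for the demonstration, not real Floki Bot indicators; the sample tree it builds is fabricated.

```python
"""Hunt for the on-disk staging artifacts the article attributes to Floki Bot.

Added illustrative example, not code from the Flashpoint/Talos research or from
the malware itself.  It assumes only what the article states: the bot copies its
executable into a subdirectory under Application Data, and stolen data is
encrypted before being written to another directory there.  The layout, file
names and thresholds below are constructed assumptions, not real indicators.
"""
import math
import os
import tempfile
from collections import Counter
from typing import List, Tuple

PE_MAGIC = b"MZ"          # DOS header signature at the start of every Windows PE
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data approaches 8.0
MIN_BLOB_SIZE = 256       # too few bytes give an unreliable entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """True if the buffer starts with the MZ header, whatever the file extension says."""
    return data[:2] == PE_MAGIC


def scan_appdata(root: str, max_read: int = 1 << 20) -> List[Tuple[str, str]]:
    """Walk an Application Data tree and return sorted (finding_type, path) pairs.

    Two indicators from the article are checked in every subdirectory:
      pe_in_appdata     - an executable image staged under Application Data
      high_entropy_blob - a file that looks encrypted (the stolen-data stash)
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.relpath(dirpath, root) == ".":
            continue  # the article places both artifacts in subdirectories
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(max_read)  # the head of the file is enough for both tests
            if is_pe(data):
                findings.append(("pe_in_appdata", path))
            elif len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                findings.append(("high_entropy_blob", path))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed Application Data tree in a temp dir and return its path.

    Contents (all fabricated for the demo):
      Roaming/SomeApp/settings.xml  - benign plain-text config, must not fire
      Roaming/kzqr/wmiprvs.exe      - fake staged executable (MZ header plus padding)
      Roaming/ttkx/log.dat          - random bytes standing in for encrypted loot
    """
    root = tempfile.mkdtemp(prefix="appdata_demo_")
    layout = {
        os.path.join("Roaming", "SomeApp", "settings.xml"):
            b"<settings>\n" + b"  <option name='x' value='1'/>\n" * 40 + b"</settings>\n",
        os.path.join("Roaming", "kzqr", "wmiprvs.exe"):
            PE_MAGIC + b"\x90" * 510,
        os.path.join("Roaming", "ttkx", "log.dat"):
            os.urandom(4096),
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for kind, path in scan_appdata(build_sample_tree()):
        print(f"{kind:18} {path}")
```

Both indicators are triage leads, not verdicts: many legitimate applications install executables under Application Data, and compressed archives or media files also score near 8 bits per byte, so check the file header of anything the entropy test flags. A hit becomes far more interesting when it coincides with the other behaviour the article lists, such as unexpected registry changes or code injected into svchost.exe or explorer.exe.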
The main selling point behind its popularity on darknet markets such as Alpha Bay is its advertised execution rate, the share of attempted infections in which the payload runs successfully.
Where Zeus was credited with about 30%, the seller claims 70% for Floki Bot, more than twice as high, along with the rarer ability to extract track 2 data from a payment card's magnetic stripe.
Its availability on Alpha Bay means the impact will be felt by individuals, financial institutions and online commerce as a whole.