Nearly 10 years ago, a nasty banking Trojan named Zeus wreaked havoc on various institutions through keystroke logging and form grabbing. Among the victims were customers of Bank of America, who had their financial information stolen. The FBI determined that countless computers worldwide had been infected, and a total of $70 million had been stolen by Eastern European crime rings utilizing the Trojan. As time has progressed, the Zeus source code has been used by black hat hackers to program new variations of this notorious malware. One such Zeus derivative, named Floki Bot, is currently seeing a surge in activity.
Two reports, released in tandem by Cisco Talos and Flashpoint researchers, detail how the Floki Bot malware has become a very hot commodity on the Dark Web. Floki Bot is named after a Brazilian threat actor with the handle “flokibot” who has been peddling the malicious software online to black hats. Floki Bot’s popularity, according to Flashpoint, is due in large part to its multilingual reach in various Dark Web communities. The principal languages of the users are Portuguese, English, and Russian, all languages spoken by a large portion of the global population (and hence by a large community of hackers).
Additionally, as stated by the Flashpoint report, the technical expertise required to use Floki Bot is far less than that required for the Zeus Trojan. As Vitali Kremez, the post’s author, writes, “The time required to attain a high level of skill and sophistication has been continuously reduced. As criminals share information to defeat protections, we should be sharing it as well with our community to defeat threats.” This also contributes significantly to the popularity of the malware, as it is much more accessible to low-level hackers.
The usage of Floki Bot is similar to its predecessor in that financial gain is the main goal. The similarities end there, however, as the execution of Floki Bot and Zeus attacks differs. Whereas Zeus relied on broad spam campaigns, Floki Bot uses tactical spear phishing campaigns with a much narrower target focus. The threat actors are very methodical in choosing their targets, making the Floki Bot campaign far more effective. Additionally, unlike Zeus, Floki Bot has the ability to attack point-of-service systems, thus opening up entirely new avenues of cash grabbing.
According to the reports, Floki Bot is being used by at least 10 different “cyber-criminal gangs.” As Floki Bot is far more challenging to defeat than Zeus, it can be expected that this number will rise. Stay tuned for more details if any new breakthroughs occur in the rush to defeat this malware.
Photo credit: Flickr/Colin Brown