It has been reported that a new banking Trojan belonging to the Zeus malware family, named "FlokiBot", is spreading widely. The malware is believed to be a modified version of Zeus with enhanced capabilities for infecting Point of Sale (PoS) devices/terminals and targeting banking/financial information. The malware mainly targets Windows operating systems. It uses several propagation mechanisms, which include: spear phishing emails carrying malicious attachments that pose as PoS/software updates; scanning for and exploiting vulnerabilities in remote administration applications (Remote Desktop, Ammyy Admin, TeamViewer, VNC); exploitation of weak or default credentials; physical access to PoS machines to install the malware; and compromise of the machines used to provide remote support for PoS installations.
The malware is capable of performing the following functions:
- Stealing online banking customer credentials.
- Stealing payment card information such as Track 1, Track 2 and CVV data from Point of Sale systems using a Track 2 grabber and a keylogger.
- Installing additional malware for better stealth and persistence.
- Defending against inline hooking (the user-mode hooks that security products place on API functions).
- Using different network protocols to evade deep packet inspection (DPI) monitoring.
- Making network connections and sending exfiltrated data to the command and control (C2) server in batches to reduce network traffic.
- Regularly updating its configuration file and dropper module.
- Performing form grabbing and web injects to steal user credentials, in particular in Internet Explorer and Mozilla Firefox.
- Injecting itself stealthily into running processes to evade detection.
The malware is considered to be a modified version of the Zeus 2.0.8.9 Trojan with a rewritten dropper module for process injection. The malware has the capability to exfiltrate payment card data from the memory regions of several Windows processes.
Antivirus detection names: Win.Trojan.Flokibot-2 [ClamAV], Troj/Floki-A [Sophos], Trojan.Flokibot!gen1 [Symantec], TSPY_FLOKIBOT.A [TrendMicro], TSPY_FLOKIBOT.A [TrendMicro-HouseCall]
Indicators of Compromise:
File system Changes:
The pattern of file system changes is as follows (directory and file names vary per sample):
- %All Users%\Application Data\<random directory>\<random name>.exe
- %All Users%\Application Data\<random directory>\<random name>.tmp
- %User%\Start Menu\Programs\Startup\<random name>.lnk
Some of the file system changes observed in different malware samples are listed below. Note that the Startup shortcut carries the same base name as the dropped executable (for example, ewnuhef.lnk points to ewnuhef.exe):
- C:\Documents and Settings\All Users\Application Data\yplaax\ewnuhef.exe
- C:\Documents and Settings\All Users\Application Data\Nykyhi\roar.tmp
- C:\Documents and Settings\test user\Start Menu\Programs\Startup\ewnuhef.lnk
- C:\Documents and Settings\All Users\Application Data\orohq\cauwiw.exe
- C:\Documents and Settings\All Users\Application Data\Lyaxo\yhyc.tmp
- C:\Documents and Settings\test user\Start Menu\Programs\Startup\cauwiw.lnk
Registry changes:
- Modifies cached cookie settings.
- Modifies Internet Zone settings.
- Creates an entry for the dropped executables.
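The file system indicators above can be turned into a simple hunting check. The following is an added example (not code from the advisory or from Arbor Networks) that scans a list of file paths for the two IOC patterns and then correlates them: a Startup .lnk whose base name matches a dropped .exe under All Users\Application Data is a much stronger signal than either path alone, because legitimate software also writes .tmp and .exe files there. The sample paths are constructed for the example, modelled on the samples listed above; the path format (one path per line, Windows XP/2003 style profile directories as in the advisory) is an assumption.

```python
import re

# Constructed sample of file-creation paths, modelled on the advisory's IOCs.
# The Adobe and POSApp lines are benign decoys to show what the patterns
# alone do and do not catch.
SAMPLE_EVENTS = r"""
C:\Documents and Settings\All Users\Application Data\yplaax\ewnuhef.exe
C:\Documents and Settings\All Users\Application Data\Nykyhi\roar.tmp
C:\Documents and Settings\test user\Start Menu\Programs\Startup\ewnuhef.lnk
C:\Documents and Settings\test user\Start Menu\Programs\Startup\Office.lnk
C:\Program Files\POSApp\posapp.exe
C:\Documents and Settings\All Users\Application Data\Adobe\setup.tmp
""".strip().splitlines()

# Pattern 1: %All Users%\Application Data\<random dir>\<random name>.exe|.tmp
APPDATA_RE = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\All Users\\Application Data\\"
    r"(?P<dir>[^\\]+)\\(?P<name>[^\\]+)\.(?P<ext>exe|tmp)$",
    re.IGNORECASE,
)
# Pattern 2: %User%\Start Menu\Programs\Startup\<name>.lnk
STARTUP_RE = re.compile(
    r"^[A-Za-z]:\\Documents and Settings\\(?P<user>[^\\]+)\\"
    r"Start Menu\\Programs\\Startup\\(?P<name>[^\\]+)\.lnk$",
    re.IGNORECASE,
)


def classify(paths):
    """Bucket paths into IOC pattern matches (weak signals on their own)."""
    hits = {"dropped": [], "startup_lnk": []}
    for raw in paths:
        p = raw.strip()
        if APPDATA_RE.match(p):
            hits["dropped"].append(p)
        elif STARTUP_RE.match(p):
            hits["startup_lnk"].append(p)
    return hits


def correlate(paths):
    """Pair each Startup .lnk with a dropped .exe sharing its base name.

    The advisory's samples show the persistence shortcut is named after the
    dropped executable (ewnuhef.lnk -> ewnuhef.exe), so a matched pair is
    reported as a high-confidence hit; unmatched paths are left to triage.
    """
    exe_by_stem = {}
    for raw in paths:
        m = APPDATA_RE.match(raw.strip())
        if m and m.group("ext").lower() == "exe":
            exe_by_stem[m.group("name").lower()] = raw.strip()

    pairs = []
    for raw in paths:
        m = STARTUP_RE.match(raw.strip())
        if m and m.group("name").lower() in exe_by_stem:
            pairs.append((raw.strip(), exe_by_stem[m.group("name").lower()]))
    return pairs


if __name__ == "__main__":
    weak = classify(SAMPLE_EVENTS)
    print("pattern matches:", weak)
    for lnk, exe in correlate(SAMPLE_EVENTS):
        print("HIGH CONFIDENCE: %s -> %s" % (lnk, exe))
```

On the constructed input, the raw patterns flag three dropped files (including the benign Adobe .tmp) and two Startup shortcuts, while the correlation step reports only the ewnuhef.lnk/ewnuhef.exe pair. In a real sweep the path lists would come from a file-creation audit log or a directory walk of each PoS host, and the matched .exe should be hashed and compared against the published MD5 list before any cleanup.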
Processes created for injection:
MD5 hashes of "FlokiBot" samples:
Note: For the complete list of malware IOCs, kindly refer to Arbor Networks.
Some of the C2 servers used by FlokiBot are listed below:
Recommended countermeasures:
- Keep all PoS computers thoroughly updated, including the PoS application software.
- Restrict the use of PoS systems to PoS-related activities only.
- Ensure that the networks where the PoS systems reside are properly segmented from non-payment networks.
- Apply access control lists (ACLs) in router configurations to limit unauthorized traffic to payment processing networks.
- Create strict ACLs segmenting public-facing systems from the back-end database systems that house payment card data.
- Organizations and merchants providing PoS services should review all system logs for any strange or unexplained activity, especially large data files being sent to unknown locations.
- Do not allow administrative access to systems, with the exception of dedicated administrative accounts for administrators.
- Remove the system changes made by the malware, such as the files created, registry entries and services.
- Monitor and block connections to the aforementioned servers. Network monitoring should be carried out against a baseline of authorized and expected traffic.
- Lock out accounts after a defined number of incorrect login attempts.
- Do not allow RDP login on systems by default; grant it on an as-needed basis instead.
- Limit or eliminate the use of shared or group accounts.
- Monitor authentication logs for repeated failed login attempts against one system or across multiple systems.
- Maintain a good security policy on the PoS computers (including physical access).
- Disable AutoRun/AutoPlay.
- Do not configure applications or systems with default passwords. Apply a strict password policy.
- Install anti-malware engines, scan regularly and keep them up to date.
- Exercise caution when visiting links in emails received from untrusted users or received unexpectedly from trusted users.
- Do not download or open attachments in emails received from untrusted users or received unexpectedly from trusted users.
- Exercise caution when visiting links to web pages. Do not visit untrusted websites.
- Protect yourself against social engineering attacks.
- Enable firewalls at the desktop and gateway level.
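Two of the countermeasures above, account lockout after repeated failures and monitoring authentication logs for failures against one or many systems, reduce to a counting problem over the failed-logon events. The following is an added example (not code from the advisory) that runs that detection over a handful of constructed log lines. The line format is an assumption for the example, loosely modelled on Windows Security event 4625 ("An account failed to log on") with logon type 10 for RDP; a real deployment would parse the event log's own fields instead.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real telemetry). 203.0.113.5 hammers the
# admin account on POS-01 and then tries the "pos" account on three other
# terminals over RDP (logon_type=10); 10.0.5.20 is a cashier's single typo.
SAMPLE_LOG = """
2016-12-01T10:00:01 host=POS-01 event=4625 user=admin src=203.0.113.5 logon_type=10
2016-12-01T10:00:02 host=POS-01 event=4625 user=admin src=203.0.113.5 logon_type=10
2016-12-01T10:00:03 host=POS-01 event=4625 user=admin src=203.0.113.5 logon_type=10
2016-12-01T10:00:04 host=POS-01 event=4625 user=admin src=203.0.113.5 logon_type=10
2016-12-01T10:00:05 host=POS-01 event=4625 user=admin src=203.0.113.5 logon_type=10
2016-12-01T10:00:06 host=POS-02 event=4625 user=pos src=203.0.113.5 logon_type=10
2016-12-01T10:00:07 host=POS-03 event=4625 user=pos src=203.0.113.5 logon_type=10
2016-12-01T10:00:08 host=POS-04 event=4625 user=pos src=203.0.113.5 logon_type=10
2016-12-01T10:05:00 host=POS-01 event=4624 user=cashier src=10.0.5.20 logon_type=2
2016-12-01T10:06:00 host=POS-01 event=4625 user=cashier src=10.0.5.20 logon_type=2
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) logon_type=(?P<lt>\d+)$"
)

FAILED_LOGON = "4625"
RDP_LOGON_TYPE = "10"


def parse(lines):
    """Yield dicts for lines that match the assumed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def failed_logins_per_account_host(lines, threshold=5):
    """(host, user) pairs that reached `threshold` failures: lockout candidates."""
    counts = Counter(
        (e["host"], e["user"]) for e in parse(lines) if e["event"] == FAILED_LOGON
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def spraying_sources(lines, min_hosts=3):
    """Sources whose failures touch at least `min_hosts` distinct systems.

    Per-account lockout never fires for this pattern (one or two tries per
    host), which is why the advisory asks for monitoring across systems too.
    """
    hosts_by_src = defaultdict(set)
    for e in parse(lines):
        if e["event"] == FAILED_LOGON:
            hosts_by_src[e["src"]].add(e["host"])
    return {src: len(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}


def rdp_failure_sources(lines):
    """Failed RDP logons by source: RDP should be off by default on PoS hosts."""
    return Counter(
        e["src"] for e in parse(lines)
        if e["event"] == FAILED_LOGON and e["lt"] == RDP_LOGON_TYPE
    )


if __name__ == "__main__":
    print("lockout candidates:", failed_logins_per_account_host(SAMPLE_LOG))
    print("multi-host sources:", spraying_sources(SAMPLE_LOG))
    print("failed RDP by source:", rdp_failure_sources(SAMPLE_LOG))
```

The thresholds (5 failures per account and host, 3 distinct hosts per source) are illustrative and should be set from the baseline of normal failures on the monitored network; a lockout threshold set too low on shared terminals simply hands an attacker a denial-of-service lever, which is one more reason the advisory recommends eliminating shared accounts.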
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003