Progeny of the venerable Zeus banking Trojan live on. That's thanks, in part, to the source code for Zeus leaking via underground forums in 2011. Since then, enterprising developers have continued to refine the banking Trojan to help them steal online banking customers' credentials as well as to infect point-of-sale devices and harvest payment card details.
But security experts say the vast majority of today's POS-infecting banking Trojans are almost functionally identical. In that way - to echo security expert Joshua Corman discussing Anonymous - these banking Trojans' continuing success also holds a mirror to our collective cybersecurity neglect.
"Some examples of common tactics include scanning for remotely accessible administrative servers ..."
The latest example of this phenomenon arrives in the form of Floki Bot - aka flokibot - malware, which first appeared for sale on darknet forums in September 2016 for $1,000 in bitcoins, via a Brazilian actor who uses the pseudonym 'flokibot,'" Vitali Kremez, a senior analyst in cybercrime intelligence for threat intelligence firm Flashpoint, says in a Dec. 7, 2016, blog post. Flokibot appears to be acting as a "connector," meaning someone who sells their wares via different cybercrime communities, he says. In this case, flokibot is also marketing the malware to English-speaking and Russian-speaking cybercriminals.
Some security experts have reported that the flokibot malware is based on version 126.96.36.199 of the Zeus source code. "With the leaked ZeuS source code and the multiplication of tutorials and other learning materials in cybercrime communities, the time required to attain a high level of skill and sophistication has been continuously reduced," Kremez says.
As befits five-year-old source code, flokibot's creator has modified Zeus in several important ways, including adding a redesigned, stealth dropper - software that is used to install further malicious code on a compromised system - that's designed to evade anti-virus scans.
"Flokibot claims this dropper has a 70 percent execution success rate," say Flashpoint analysts Kremez and Olivia Rowley. "By contrast, flokibot asserts that ZeuS 188.8.131.52's execution rate was only 30 percent."
Inline Hooking Defense
Flokibot's dropper employs an unusual technique to prevent anti-virus software from arresting its activities by blocking API calls, which is how different software components interact. "Many programs detect malicious activity by monitoring API calls that are most often misused by malware," and will also trace how these API calls are being hooked - referring to how they're adjusting operating system functionality - according to an analysis from the independent security researcher known as Hasherezade.
Some security tools use inline hooking - intercepting API calls believed to tie to malicious activity - to block malware. As a defense against this, the flokibot malware continuously compares the DLL - dynamic link library - files that it requires "with their raw versions, read from the disk by the dropper," Hasherezade says. "If any anomaly is detected, the dropper overwrites the mapped DLL by the code copied from its raw version," thus foiling inline hooking defenses.
Flokibot also claims to have a different network protocol than Zeus to help fool deep packet inspection tools. That protocol is based on Tor, according to researchers from Cisco's Talos threat-intelligence group, who have also published related indicators of compromise. But they say that this functionality doesn't yet appear to be active.
Malware Batches Stolen Data
According to a flokibot advertisement reproduced by Flashpoint, once the malware infects a system, it stores compromised data to the local hard drive, then transfers it in batches to cut down on server traffic as well as to provide a backup in case the system gets rebooted. The malware is also designed to regularly update its configuration file and dropper software using MD5-encrypted communications with the command-and-control server.
The malware is designed to remain resident in memory on infected devices as well as to grab track 2 data from payment cards, which includes the payment card number and encrypted PIN, according to a technical teardown published by Flashpoint.
The malware includes additional, typical banking Trojan capabilities, such as a formgrabber - designed to intercept user IDs and passwords for websites - as well as webinjects, which can display real-looking but fake versions of banking websites, enabling attackers to not only intercept users' credentials, but also hide malevolent activity, such as draining bank accounts. As of October 2016, flokibot's developer said formgrabber and webinject capabilities were available for victims who used Internet Explorer and Mozilla Firefox, but not yet for Google Chrome browser users.
Finally, the malware also includes some distributed denial-of-service attack capabilities - including the ability to launch a UDP flood, TCP connection flood and HTTP GET flood - says Dennis Schwarz, a research analyst at DDoS defense provider Arbor Networks. "While other Zeus variants have included DDoS functionality- most notably Zeus Gameover - it is not a common feature" (see Lessons from Gameover Zeus Takedown).
Flokibot Targets Remote-Access Servers
Based on an analysis of recent flokibot attack campaigns that target Brazilian victims, however, attackers continue to employ well-known techniques to identify and exploit victims.
"Some examples of common tactics include scanning for remotely accessible administrative servers - such as Remote Desktop, Ammyy Admin, Team Viewer, VNC, etc. - the abuse of weak or default credentials, the delivery of malware-laden spear-phish to selected targets posing as POS or other software updates, the compromise of vendors offering remote support to POS installations in the field, and physical access to POS machines in order to install malware and perform other tactics, such as indirect lateral movement through partner organizations to reach a target," Curt Wilson, a senior threat intelligence analyst at Arbor Networks, says in a Jan. 30 blog post.
Redux: Malware-Defense Basics
Blocking these common attack vectors, as well as watching for "unusual network connections and data exfiltration" from POS systems, or any other machines or network segments that touch these systems, are essential steps, Wilson says. Any indications of data exfiltration or unusual network connections "should also be cause for alarm that triggers an immediate investigation and corresponding incident response process," he adds.
But this is long-standing advice when it comes to battling any type of breach, not just malware attacks that target payment card data. Why don't more organizations have these types of defenses in place?