Floki Bot a Zeus based banking Trojan actively spreading in the wild

December 15, 2016

The SonicWALL Threats Research team observed reports of a new variant family of Floki [GAV: Floki.A] actively spreading in the wild.

The Floki bot is a banking Trojan based on Zeus that has been sold on cybercrime underground.

This time attackers implemented new feature such as DLL Injection into Explorer.exe to avoid detection by Anti-Virus programs.

Infection Cycle:

The Malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%Application Data nyobubezral.exe

The Trojan adds the following Startup key to the Windows registry to ensure persistence upon reboot:

    • %Userprofile%Start MenuProgramsStartupubezral.lnk

Once the computer is compromised, the malware copies its own executable file to %Userprofile%Local SettingsApplication Data folder With Random name and then injects Explorer.exe to collects information from target system.

Here is an example of the Malware injection:

Command and Control (C&C) Traffic

The Malware performs C&C communication over 80 ports. The malware contains features such as memory scrapping functions like popular Point-of-Sale Trojan BlackPOS and since now it's Christmas time, the best period for cyber criminals that attempt to steal credit card data.

The malware sends your system information to its own C&C server via following format, here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Floki.A (Trojan)