In September 2016, a user identifying themselves as flokibot advertised new malware for the Windows operating system named Floki Bot. The malware is based on ZeuS 1 but has a new and improved dropper. Sold for a low price of only $1,000 USD, the malware has evolved rapidly since, incorporating new anti-detection features, and it is also expected to implement Tor connectivity soon.
In response to this threat, Visa has published a security alert for Issuers, Acquirers, Processors, and Merchants warning of the malware’s recent spread (primarily in South America) and its targeting of credit card Track 2 data (the sensitive data encoded on a credit card’s magnetic stripe). The malware has already been used to compromise and exfiltrate card data.
The initial infection vector is usually a spear-phishing attack, in which victims are enticed to enable malicious macros in Microsoft Word documents sent as email attachments.
Visa’s security alert included some advice to protect against spear phishing:
- Educate employees about avoiding phishing scams and safely opening emails with attachments.
- Maintain a patch management program and update all software and hardware firmware to the most current release, which limits the attack surface for zero-day vulnerabilities.
- Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior.
- Monitor for endpoints running TCP 9050 and monitor outbound network traffic communicating with known Tor exit node IP addresses.
- Perform file integrity monitoring and alert on changes to explorer.exe and svchost.exe processes on endpoints.
- Monitor network traffic using a proxy.
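The two monitoring items above (TCP 9050 / Tor exit-node traffic, and integrity of explorer.exe and svchost.exe) are the ones a SOC can turn directly into detection logic. The script below is an added example, not code from the Visa alert or from Online Business Systems: it parses constructed netstat-style connection lines, flags endpoints listening on TCP 9050 or talking to addresses on an exit-node list, and checks a SHA-256 baseline of monitored files. The exit-node addresses, connection lines and file names are all constructed placeholders; a real deployment would load a current Tor exit list and point the baseline at the real system binaries.

```python
"""Detection helpers for two of the Visa recommendations: TCP 9050 / Tor
exit-node contact, and a SHA-256 integrity baseline for monitored binaries.
Added example; all sample data below is constructed."""
import hashlib
import os
import tempfile

# Constructed placeholder list (documentation-range addresses, not real Tor
# exit nodes). In practice, refresh this from a current exit-node feed.
TOR_EXIT_NODES = {"203.0.113.10", "198.51.100.7"}

# Constructed netstat-style output: proto, local, remote, state, process.
SAMPLE_CONNECTIONS = """\
TCP 10.0.0.5:49712 93.184.216.34:443 ESTABLISHED chrome.exe
TCP 0.0.0.0:9050 0.0.0.0:0 LISTENING svchost.exe
TCP 10.0.0.5:49820 203.0.113.10:9001 ESTABLISHED explorer.exe
TCP 10.0.0.5:49830 10.0.0.9:445 ESTABLISHED System
UDP 0.0.0.0:53 *:* - svchost.exe
"""


def parse_connections(text):
    """Parse netstat-style lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, local, remote, state, process = parts
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport,
                     "state": state, "process": process})
    return rows


def find_network_indicators(rows, tor_exits=TOR_EXIT_NODES):
    """Return (indicator, process, detail) tuples for the two network checks."""
    findings = []
    for r in rows:
        # A local TCP 9050 socket is the default Tor SOCKS port: an endpoint
        # that should not run Tor has no business opening it.
        if r["proto"] == "TCP" and r["lport"] == "9050":
            findings.append(("tcp_9050_open", r["process"],
                             f'{r["lhost"]}:{r["lport"]} {r["state"]}'))
        # Outbound contact with a listed exit node, regardless of port.
        if r["rhost"] in tor_exits:
            findings.append(("tor_exit_contact", r["process"],
                             f'{r["rhost"]}:{r["rport"]}'))
    return findings


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the trusted hash of each monitored file."""
    return {p: sha256_file(p) for p in paths}


def check_baseline(baseline):
    """Return basenames of files whose hash differs from the baseline or are missing."""
    changed = []
    for path, expected in baseline.items():
        if not os.path.exists(path) or sha256_file(path) != expected:
            changed.append(os.path.basename(path))
    return changed


def demo_integrity_check():
    """Stand-in for monitoring explorer.exe and svchost.exe: constructed files
    in a temporary directory, one of them altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("explorer.exe", "svchost.exe")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"MZ placeholder " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        assert check_baseline(baseline) == []  # clean right after baselining
        with open(paths[0], "ab") as f:
            f.write(b"\x90" * 16)  # simulate tampering with explorer.exe
        return check_baseline(baseline)


if __name__ == "__main__":
    for finding in find_network_indicators(parse_connections(SAMPLE_CONNECTIONS)):
        print(*finding)
    print("changed:", demo_integrity_check())
```

On the sample data the network check reports svchost.exe listening on 0.0.0.0:9050 and explorer.exe connected to 203.0.113.10:9001, and the integrity check reports explorer.exe as changed. The hash baseline should be stored somewhere the endpoint cannot modify (a central FIM server or signed store), otherwise malware that injects into explorer.exe could simply re-baseline itself.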
In addition to Visa’s advice, it would be prudent to review and understand the additional controls available around the execution of Microsoft Word macros. Microsoft has some advice for Office 2016 here.
While some of this advice is focused on the Floki Bot threat, much of it is just part of what we at Online see as an effective information security program. For assistance building your defenses against Floki Bot (or the next Floki Bot-like threat!) ask us about our Gap Analysis and Compliance Roadmap review of your environment.
Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here.
For more information:
- Arbor Networks has published an observed description of the compromise.
- Arbor Networks has published a list of indicators of compromise (IOCs) for Floki Bot.
- In October 2016, Vitali Kremez of Flashpoint published a great summary of Floki Bot.