
Floki

Posted: November 17, 2016

Threat Metric

Threat Level: 9/10
Infected PCs: 30
First Seen: November 17, 2016
Last Seen: February 18, 2022
OS(es) Affected: Windows

Floki is a fork of the Keylogger Zeus project that can commit similar attacks, such as monitoring your Web-browsing behavior to collect information. Although its payload's goals are identical to its recent ancestor's, Floki includes some additional features meant to thwart AV security heuristics. Keep your anti-malware products as updated as possible to minimize the efficacy of this threat's evasive methods and remove Floki before it collects any data.

The Sneaky, Young Child of Zeus

Just as Zeus was known as a highly fecund deity, its threat-equivalent namesake, Keylogger Zeus, has a family of offspring sharing many traits with it. Floki was caught while still in the middle of its early development and lacks complete functionality or any confirmed cases of distribution to intended targets. However, victims can expect it to include attacks similar to those of Keylogger Zeus, focusing on monitoring the Web browser passively, intercepting data, and collecting such essential information as passwords and login names.

Floki, or Floki Bot, is being offered on a Bitcoin rental basis to other threat actors, who can deploy the spyware in whatever fashion they deem suitable. Its Trojan dropper, or installer, uses a system32 DLL-enumerating feature for loading the intended functions and modules, with the latter including dependencies that stop them from running as separate applications. Malware experts didn't see any complete code decryption taking place until after Floki injected itself into the Windows Explorer process.

Floki also includes other defenses not found in the vanilla versions of the Keylogger Zeus, such as an 'unhooking' function meant to block attempts at monitoring corrupted memory processes. Many of these techniques also are applied inconsistently throughout Floki's code, which means that the spyware could become even more of a challenge to detect, with extra development work from its threat actors.

Banishing the Mischief of Zeus from Your Browser

Floki is a Windows-centric threat with a theoretical capacity for collecting massive amounts of information while displaying no symptoms that would alert the victim. Since most of its updates are 'under the hood' improvements, PC owners should update their anti-malware protection rather than looking for new symptoms. Business systems also may be at more risk than previously, thanks to Floki's inclusion of a new credit card targeting function that may help the threat double as a POS Trojan.

While Floki is a work in progress, the past month has seen significant traceable activity on its Web infrastructure. People renting Floki at the cost of their Bitcoins may use unpredictable methods of introducing the spyware to new PCs. Anti-malware products with passive PC-monitoring protection may stop Floki and delete its installer without giving it an opportunity to carry off your information.

As of the past few weeks, Zeus has fallen off the headlines of many cyber security websites. The existence of Floki does indicate that PC owners may not have seen the last of this god of spyware.
