Flokibot's C&C Servers Start Working for New Data-Stealing LockPOS Malware

Posted: July 13, 2017

The Flokibot banking Trojan made its debut in October 2016, when its authors started selling it on the Dark Web for about $1,000. Security researchers got hold of a few samples and quickly realized that it was based on one of the most famous names in the financial malware industry, Zeus. A good deal of the code was identical, and Flokibot also incorporated much the same rudimentary DDoS mechanism, supposedly used to distract the banks while the crooks stole the victims' money. There were some differences, though.

The code obfuscation techniques were different, and Flokibot came with a feature Zeus never had: it could scrape the infected computer's memory for credit card data, which meant it was capable of stealing cards from Point-of-Sale (POS) machines. Sure enough, in late January 2017, Arbor Networks observed Flokibot using that feature.

The researchers suspected that at least some of the incidents they investigated weren't genuine attacks but tests run by the crooks themselves. Nevertheless, they were confident that Flokibot was indeed capable of stealing sensitive data from POS machines.

Then the malware suddenly went quiet. Distribution stopped, and some of the Command and Control (C&C) infrastructure went down. Arbor Networks nonetheless kept monitoring the activity and waited for a potential comeback. In June, one of the servers sprang back to life. It wasn't serving the Flokibot Trojan, though; it was supporting a new piece of POS malware called LockPOS.

The C&C server, as well as a few other Indicators of Compromise (IOCs), is shared between the two families, which is why the researchers are fairly confident that Flokibot and LockPOS were created by the same group of threat actors. It would appear, however, that the crooks are no longer interested in ordinary computer users and are now targeting only POS systems.

The infection chain starts with a dropper that needs to be executed manually. It extracts and runs an executable, which injects a number of components into explorer.exe. These act as the second-stage loader: they extract the LockPOS payload and inject it into the same process.

Once installation is complete, the malware sends a phone-home HTTP request to the C&C server, while a modification to the Run registry key ensures that LockPOS starts every time Windows boots. The request is notable for its "lock" User-Agent string, which could tip off administrators looking through network traffic.
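The User-Agent check described above, as an added example that is not part of the original article or of Arbor Networks' research: the log lines, addresses, timestamps and paths below are constructed for this example and are not real indicators, and the only IOC taken from the article is the bare "lock" User-Agent. The comparison is deliberately an exact (case-folded) match on the whole header rather than a substring search, because a substring search would also flag legitimate agents that merely contain the word.

```python
import re

# Constructed sample proxy log lines in Apache combined-log format. The
# addresses, timestamps and paths are made up for this example; the only
# real indicator is the bare "lock" User-Agent reported for LockPOS.
SAMPLE_LOG = """\
10.0.5.21 - - [14/Jun/2017:09:12:03 +0000] "POST / HTTP/1.1" 200 12 "-" "lock"
10.0.5.22 - - [14/Jun/2017:09:12:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/58.0"
10.0.5.23 - - [14/Jun/2017:09:12:09 +0000] "GET /update HTTP/1.1" 200 90 "-" "Blockhead/1.2"
10.0.5.21 - - [14/Jun/2017:09:12:31 +0000] "POST / HTTP/1.1" 200 12 "-" "Lock"
"""

# One combined-log record: client, identity, user, [timestamp], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SUSPICIOUS_UA = "lock"


def parse_line(line):
    """Split one combined-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_beacons(log_text, ua=SUSPICIOUS_UA):
    """Return (src, ts, method, path) for every request whose whole User-Agent
    equals `ua` (case-folded). Exact comparison: a substring match would also
    flag legitimate agents such as 'Blockhead/1.2'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].strip().lower() == ua:
            hits.append((rec["src"], rec["ts"], rec["method"], rec["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("possible LockPOS beacon:", hit)
```

Run against the constructed log this flags the two requests from 10.0.5.21 and leaves the browser and "Blockhead" entries alone; in practice the same predicate is what you would put in a proxy or IDS rule, and a hit should be followed by a look at the Run key on the source host.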

The trouble is that by the time a sysadmin figures out what's going on, it could be too late. As soon as the connection to the server is established, LockPOS starts scraping the memory of running processes for Track 2 data, the magnetic-stripe track that carries the card number (PAN), expiry date and service code, which the POS application typically holds unencrypted in memory while it processes a swipe. The stolen information is then placed in another HTTP request and sent to the C&C.
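What a Track 2 scraper actually looks for, as an added example that is not LockPOS code or Arbor Networks' analysis: the function below scans a byte buffer for strings laid out like ISO/IEC 7813 Track 2 (start sentinel, PAN, separator, YYMM expiry, service code, discretionary data, end sentinel) and keeps only those whose PAN passes the Luhn check, which is how both POS malware and defensive memory-dump triage tools tell card data from random digit runs. The buffer is a constructed stand-in for a process dump built from well-known public test card numbers; on a live host you would feed it the memory of the POS process instead.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN of 13-19 digits,
# '=' field separator, YYMM expiry, 3-digit service code, optional
# discretionary data, '?' end sentinel. Bytes pattern so it runs over raw memory.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation; filters digit runs that merely fit the layout."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as a triage report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track2(buf: bytes):
    """Return one dict per Luhn-valid Track 2 record found in buf."""
    found = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue
        found.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "exp": m.group("exp").decode(),
            "svc": m.group("svc").decode(),
        })
    return found


# Constructed stand-in for a POS process memory dump: padding, two records
# built from public test PANs (4111 1111 1111 1111 and 5555 5555 5555 4444),
# and one digit run that fits the layout but fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00" * 32 + b"receipt printer ready" + b"\x00" * 7
    + b";4111111111111111=18121011234567890?" + b"\x90" * 16
    + b";4111111111111112=1812101?" + b"\xcc" * 8          # fails Luhn
    + b";5555555555554444=20061010000000000?" + b"\x00" * 16
)


if __name__ == "__main__":
    for rec in scan_track2(SAMPLE_MEMORY):
        print(rec)
```

The same regex-plus-Luhn pass is what you would run over a dump of the payment application to measure how long cleartext track data lingers in its memory; the malware's version differs only in that it ships the matches off in an HTTP request instead of masking them.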

This is pretty much what every POS malware strain does; LockPOS' authors didn't reinvent the wheel with new and highly advanced techniques. As Arbor Networks' researchers pointed out, however, a lack of sophistication doesn't make the malware any less dangerous.
