Last week we took the 100,000-foot view of the relatively new Floki Bot. This bot, allegedly modeled after Zeus 2.0.8.9, is selling in the underground marketplaces for around $1,000. The AlphaBay ad is in Figure 1.
Figure 1 - AlphaBay Ad for Floki Bot
Our sample came in from the wild, so we can only assume that this is leaking out of the underground, and we'll watch it closely. So far we have not seen an indication of a dedicated botnet associated with this bot, but, as I said last week, it is clear that the bot writer conducted a proof of concept using an IP, probably for a command and control server. He used that to show that the bot can bypass Trusteer in a demo video online. I don't expect that IP to become the C&C for the bot going forward; that will depend upon who buys the bot. As of this writing we have identified four unique samples of the bot, each with a different hash value, so our assumption is likely correct.
This week we are taking a deep dive and answering the question we asked last week: is this new work with a Zeus heritage, or is it the work of a script kiddy repackaging Zeus into a new Zeus wannabe? For this I called on my favorite reverse engineer, Hasherezade, who took our sample, unpacked it and ran it through her ringer. Without being too much of a spoiler, I will tell you that this is no wannabe. We will need to be prepared for this one.
One of the writer's differentiators is that the packets don't look like Zeus because he uses a new protocol, and he claims that deep packet inspection won't work. I am not so sure about that, actually. When I placed the executable (detected by Windows Defender as a generic Trojan) on a test machine, Cylance detected and removed it in under 15 seconds. Within a couple of minutes Windows Defender had caught it in the Cylance quarantine and re-quarantined it. Analyzing the unpacked bot in Cuckoo, I found that it is recognized by quite a few anti-malware products, but they all see it as different malware. So, while your anti-malware product may catch this, it is not guaranteed, and you probably won't identify it exactly. At the end of this blog I'll give you some indicators that might help you. Sadly, this is too new to have a complete list.
When I detonated the executable on a sacrificial machine it went out to a number of IP addresses, some of them triggering the Avast anti-malware running on the machine. Admittedly, Avast did not quarantine or explicitly identify the Trojan, so my conclusion is that the jury is still out on the author's claim of deep packet invincibility. We might say that it is fairly undetectable by deep packet analysis, but next generation tools had no trouble with it, and it won't be long before this is routinely detectable if it starts to spread in the wild.
Last week I speculated that there may be a connection with the Loki bot due to the demo video. Analysis of the strings shows that while Loki may have inspired the actor (which I now doubt), there is no discernible connection between the two. On the topic of Zeus, though, the connection is definite. Paraphrasing Hasherezade: "the author really based this on the Zeus bot - but also he has put in a lot of his own work. It is not a work of a script-kiddy who just made some small changes in the leaked code. The guy knows his art." She goes on: "The Floki Bot has left some logs in the code and they show that the same function was being called that also exists in the Zeus code."
Now, how about some of the actor's claims? Our reversing expert responds from her tests:
- Unpacking and decryption of the payload occurs only in a zombie process (explorer.exe and svchost.exe). CONFIRMED
- After starting in the zombie process, the bot injects into all running 32-bit processes. CONFIRMED - However, Hasherezade points out that this can lead to instability and performance hits - very true....
- Successful infection ratio 70%+. UNCONFIRMED
- All reports are written to the hard disk, and then sent on a single query command from the control panel (automatically). CONFIRMED
- Grabber dumps (Track 2 grabber + keylogger for CVV). CONFIRMED
- Ring-3 Internet Rootkit Unhooker - the bot will attempt to remove all embedded hooks by reading and displaying the original file and comparing the bytes. CONFIRMED
Once installed, the bot creates a randomly named directory for itself and another for the encrypted data. They seem to be, generally, under the ProgramData directory, and we saw several different names used for the directories and for the bots/data. Examples are in Figures 2 and 3.
Figure 2 - Bot and Folder Location in Our Sample
Figure 3 - Encrypted Report and Folder Location in Our Sample
Note that these changed every time we ran our sample. We ran it multiple times in multiple environments. So the bottom line is that automating the finding of these two items is likely to be unreliable. Persistence is achieved very simply, and here is another place for you to look - manually, unfortunately, since the bot name changes. The bot is simply called from the startup file. See Figure 4.
Figure 4 - Persistence Mechanism from Our Sample
Digging just a bit deeper, we find that the mechanism for searching and infecting other processes uses a known trick of adding memory pages and changing the context of the process. It also keeps some encrypted data in the Registry.
So, your bottom line is that this is likely in the wild and will more than likely spread. Will it be the next Zeus banking Trojan? Hard to say at this point, but you should be ready for it. Here are a few simple indicators. Note, however, that there are not enough samples in the wild yet to focus reliably on such things as C&C IPs and hashes.
- On reversing, our sample showed BOT32 : 0 and BOT64 : 0 in the RCD section.
- There are subdirectories containing files with randomly generated names (both the files and the subdirectories), and they likely reside under ProgramData. That is not a slam-dunk, though, since other malware does the same thing, and by the time the bot writer reads this it will likely change.
- It will be caught by several - not all - anti-malware programs, but there is no consistency in the naming, and we did not see any product identify it as Floki Bot yet. One did identify it as ZBot, however.
- The bot - named using random characters - will show up in the startup file.
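Two of the indicators above (randomly named directories and files under ProgramData, and a randomly named entry in the Startup folder) can at least be triaged by script even though the names change per run. The following is an added example, not the post's or Hasherezade's code: a hypothetical name-randomness heuristic applied to a constructed directory listing, plus a helper that builds the same listing from a live Windows host. The allow-list, the vowel and consonant thresholds, and the sample names are all assumptions.

```python
import os
import re
from pathlib import Path

# Hypothetical allow-list of words that mark human-chosen names; extend it per environment.
KNOWN_WORDS = ("microsoft", "windows", "package", "cache", "crypto", "update",
               "install", "setup", "adobe", "google", "intel", "nvidia")
STARTUP = r"Microsoft\Windows\Start Menu\Programs\Startup"

def looks_random(name):
    """Heuristic: a stem with no known word, few or very many vowels, or a long consonant run."""
    stem = Path(name).stem.lower()
    letters = re.sub(r"[^a-z]", "", stem)
    if len(stem) < 6 or len(set(stem)) < 5 or not letters:   # too short or too repetitive
        return False
    if any(word in stem for word in KNOWN_WORDS):
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters)
    consonant_run = re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", letters)
    return vowel_ratio < 0.2 or vowel_ratio > 0.6 or consonant_run is not None

def suspicious_entries(listing):
    """listing: base directory -> relative child paths. Returns paths with a random-looking component."""
    return sorted(f"{base}\\{child}" for base, children in listing.items() for child in children
                  if any(looks_random(part) for part in re.split(r"[\\/]", child)))

def live_listing():
    """Same listing shape from a Windows host: ProgramData plus per-user and all-users Startup folders."""
    program_data = os.environ.get("ProgramData", r"C:\ProgramData")
    bases = [program_data, os.path.join(os.environ.get("APPDATA", ""), STARTUP),
             os.path.join(program_data, STARTUP)]
    listing = {}
    for base in bases:
        children = []
        for root, dirs, files in os.walk(base):          # yields nothing if base is absent
            children += [os.path.relpath(os.path.join(root, n), base) for n in dirs + files]
            if root != base:
                dirs[:] = []                              # list children and grandchildren only
        listing[base] = children
    return listing

# Constructed listing in the shape of Figures 2 and 3 (names invented here, not from the sample).
CONSTRUCTED_LISTING = {
    r"C:\ProgramData": [r"Microsoft\Crypto", "Package Cache",
                        r"jqzvkxpf\rtmwhbdq.exe", r"hxqlmvtz\bnwpsrdk.dat"],
    r"C:\Users\analyst\AppData\Roaming" + "\\" + STARTUP: ["desktop.ini", "qvtlzxbm.lnk"],
}
```

On a Windows host, suspicious_entries(live_listing()) returns the candidates to review by hand; the heuristic only narrows the list and will miss random names that happen to be pronounceable.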
So, based upon the analysis from last week and Hasherezade's fine work reversing the bot, my conclusion is that this is a Zeus variant - in the family - but it is by no means a script kiddy's work and absolutely not a Zeus wannabe. This is one we will need to watch out for.
I especially want to thank Hasherezade for her work on this analysis. She is an example of my philosophy: if you can find someone who can do something better than you can, let them do it. She fits that description perfectly. Her web site is https://hshrzd.wordpress.com/ and she can be found frequently in the blog at Malwarebytes. I hope to see her back here the next time we dissect a piece of malware.
Our tools this week were mostly the reversing tools used by Hasherezade plus:
- Niksun NetDetector
- OpenDNS Investigate
- AlienVault OTX
Figure 5 - Top Command and Control Servers Hitting Our Honeynet as Detected by Packetsled
Figure 6 - Top Attackers Hitting Our Honeynet as Detected by Packetsled
Top types of attacks against our honeynet as detected by our Niksun NetDetector: Botnet-like behavior, Non-SSL Traffic on Standard SSL Port, and Non-HTTP Traffic on Standard HTTP Port.
And here are your new malicious domains courtesy of Malware Domain List.
Figure 7 - Malicious Domains for the Week
Hasherezade reversing - screen captures are in our archives.