SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Floki Bot a Zeus based banking Trojan actively spreading in the wild (Dec 15, 2016)


The SonicWALL Threats Research team observed reports of a new variant family of Floki [GAV: Floki.A] actively spreading in the wild.

The Floki bot is a banking Trojan based on Zeus that has been sold on cybercrime underground.

This time attackers implemented new feature such as DLL Injection into Explorer.exe to avoid detection by Anti-Virus programs.

Infection Cycle:

The Malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%\Application Data\ nyob\ubezral.exe

The Trojan adds the following Startup key to the Windows registry to ensure persistence upon reboot:

    • %Userprofile%\Start Menu\Programs\Startup\ubezral.lnk

Once the computer is compromised, the malware copies its own executable file to %Userprofile%\Local Settings\Application Data\ folder With Random name and then injects Explorer.exe to collects information from target system.

Here is an example of the Malware injection:

Command and Control (C&C) Traffic

The Malware performs C&C communication over 80 ports. The malware contains features such as memory scrapping functions like popular Point-of-Sale Trojan BlackPOS and since now it's Christmas time, the best period for cyber criminals that attempt to steal credit card data.

The malware sends your system information to its own C&C server via following format, here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Floki.A (Trojan)

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2019 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 14.6 | S2MSW01