Reports are circulating about POS malware named Floki Bot, a banking Trojan based on Zeus that is evolving fast in the cybercrime underground.
According to those reports, the Floki Bot malware was developed from the Zeus source code leaked five years ago, in 2011, and has recently been offered for sale on various darknet markets. Its origins have reportedly been traced to Brazil, and it is reported to have already targeted many U.S., Canadian and Brazilian banks and insurance firms.
The Floki Bot malware is gaining popularity among cybercriminals all over the world, especially since it has some capabilities that are uncommon in typical Zeus variants. These include:
DDoS attacks – Zeus-based malware usually lacks this capability. Floki Bot, however, can use connected devices such as POS terminals to launch a DDoS attack once it has gained access to a network.
POS memory scraping – Unlike other Zeus-based malware, Floki Bot also performs POS memory scraping.
TOR configuration – Floki Bot can be configured with TOR-based command-and-control URLs (.onion sites).
How to combat the Floki Bot malware
There are some genuinely effective cyber security measures that can help organizations combat this POS malware. These include:
PCI compliance – Compliance with the PCI DSS requirements is always good from the cyber security point of view and could help a lot in combating Floki Bot.
Audit and restrict remote access connectivity – It is important to carefully audit and restrict remote access connectivity; this greatly reduces the network attack surface.
Proper vigilance – Proper vigilance is key to fighting all kinds of malware. Test anti-malware applications, then run them in an aggressive mode, on all POS machines. For Windows-based POS machines, it is always recommended to deploy EMET (Enhanced Mitigation Experience Toolkit) where possible, tuned to cover all aspects of the OS and third-party software.
Keep POS systems separate from the rest of the network – Keeping POS systems segmented from the rest of the network, with only enough inbound and outbound connectivity allowed to support core functionality, is very important. Ensure that neither POS machines nor back-end infrastructure is accessible via an unaudited wireless network.
Have dedicated machines for POS software – The machine(s) running the POS software should be dedicated to that purpose and, prior to deployment, hardened to restrict open ports. Application use should be restricted to only those applications required for POS purposes.
Proper investigation of TOR traffic – If TOR traffic is seen on the network, it should always be properly investigated, especially to detect the presence of malware.
Also recommended are basic POS cyber security measures: using a firewall; enforcing a password policy; disabling AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnecting drives when not required; turning off file sharing when not needed; turning off or removing unnecessary services; keeping software patch levels up to date; isolating compromised systems promptly; and so on.
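The segmentation and TOR-traffic advice above can be turned into a simple audit of flow logs from the isolated POS segment. The script below is an added example, not code from the original post: it assumes a hypothetical POS VLAN, a hypothetical egress allowlist, and constructed log lines, and flags any POS host that talks to a destination outside the allowlist, connects to a Tor default relay port, or looks up a .onion name.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical isolated POS segment and its egress allowlist. In practice the
# allowlist holds only the payment processor, patch server and AV update host.
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),   # hypothetical payment processor (TEST-NET-3 address)
    ("10.10.1.5", 8530),     # hypothetical WSUS/patch server
}
# Tor's default relay ports (ORPort 9001, DirPort 9030). A POS host reaching
# these is worth investigating even when the destination address is unknown.
TOR_DEFAULT_PORTS = {9001, 9030}

@dataclass
class Finding:
    src: str
    dst: str
    dport: int
    reason: str

def audit_pos_egress(lines):
    """Return one Finding per flow from the POS segment that breaks policy."""
    findings = []
    for line in lines:
        # Constructed record format: space-separated key=value pairs.
        fields = dict(part.split("=", 1) for part in line.split())
        src = fields["src"]
        if ipaddress.ip_address(src) not in POS_SEGMENT:
            continue  # only the isolated POS segment is audited here
        dst, dport = fields["dst"], int(fields["dport"])
        query = fields.get("query", "")
        if query.endswith(".onion"):
            findings.append(Finding(src, dst, dport, "DNS lookup for a .onion name"))
        elif dport in TOR_DEFAULT_PORTS:
            findings.append(Finding(src, dst, dport, "connection to a Tor default relay port"))
        elif (dst, dport) not in EGRESS_ALLOWLIST:
            findings.append(Finding(src, dst, dport, "egress outside the POS allowlist"))
    return findings

SAMPLE_FLOWS = [  # constructed log lines, not from a real incident
    "src=10.50.0.21 dst=203.0.113.10 dport=443 proto=tcp",
    "src=10.50.0.21 dst=10.10.1.5 dport=8530 proto=tcp",
    "src=10.50.0.22 dst=198.51.100.7 dport=9001 proto=tcp",
    "src=10.50.0.23 dst=10.10.1.53 dport=53 proto=udp query=example7abcdef.onion",
    "src=10.50.0.24 dst=198.51.100.9 dport=8080 proto=tcp",
    "src=10.20.0.5 dst=198.51.100.9 dport=8080 proto=tcp",  # not a POS host, ignored
]

if __name__ == "__main__":
    for f in audit_pos_egress(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Each finding is a lead for the investigation the post recommends, not proof of compromise; a legitimate new destination should be added to the allowlist once verified.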