Flokibot Banking Malware: India on AlertAfter WannaCry, Security Experts Preview Potential Threat to Finance Sector
Because India was hit hard by the WannaCry ransomware campaign, security experts are warning financial institutions to prepare for other malware attacks, including those that use Flokibot, aka Floki Bot. The Trojan virus, which targets point-of-sale devices and is available for $1,000 on underground hacker forums, has already led to payment card breaches, especially in the United States, Canada and Brazil.
Back in February, the Indian Computer Emergency Response Team, CERT-In, issued an alert about Flokibot, which is a modified version of the Zeus banking Trojan. "The malware has the capability of exfiltrating payment cards data from the memory regions of several Windows processes," CERT-In said.
Although there have been no reports of Flokibot infections in India, experts say it's highly likely that the malware is already infecting POS devices across the nation. "We may not have seen highly publicized issues of the Flokibot malware breaches, but it would be naive to pretend that they do not exist in India," says C.N. Shashidhar, founder and CEO at security advisory firm SecuriT Consultancy Services LLP.
"There is no compulsory public disclosure requirements on banking and financial institutions," he adds. "It may be widespread for all we know and is probably being 'brushed under the carpet' as are most other security incidents in India."
How Does Flokibot Work?
Flokibot, discovered in September 2016, is based on Zeus source code version 18.104.22.168, which was released in 2011.
"Unlike Zeus, Flokibot is distributed via spear-phishing emails and uses macros to attempt to evade traditional anti-virus defenses," says Sachin Raste, senior research analyst at eScan, an internet security company. "The added functionality of scraping the PoS terminals makes it more dangerous than other info-stealer Trojans."
To be successful, however, attackers would have to infect an endpoint connected to a network to which POS terminals are also connected.
Flokibot has the ability to read track 2 credit card data that includes payment card number and encrypted PIN. Once executed, it attempts to infect the Windows Program Manager, named explore.exe, Shashidhar says. If that fails, it targets svchost.exe, the Windows Service Host, which is a system process that hosts multiple services. Shashidhar says the malware is designed to obfuscate what it's doing in an attempt to confound security researchers and digital forensic investigators.
The malware "scans and exploits vulnerabilities of remote administrative applications, default credentials, etc." says Sharad N. Sadadekar, CISO and vice president at HDFC Life. "Nevertheless, cybercriminals mostly use [the] spear-phishing mechanism for Floki payload delivery."
That mechanism involves attackers sending weaponized Microsoft documents - containing macro code - to victims as email attachments, Sadadekar says. If users have Microsoft Office macros enabled - they are disabled by default, as a security measure - or if the document successfully tricks them into enabling macros, then the macro code will "phone home" and retrieve Flokibot code from the attacker's server, and execute the malware (see Hello! Can You Please Enable Macros?).
Indian Banks Vulnerable
Indian financial institutions are especially vulnerable to Flokibot and other malware because many lack basic security hygiene, including patching software and applying countermeasures to prevent breaches, some security experts say.
Banks in India have added about 11 lakh point-of-sale machines since last November as part of the effort to boost cashless transactions. But some of these machines lack sufficient security safeguards.
"While the financial institutions are taking a number of steps to safeguard their IT infrastructure, they continue to be challenged by the pace of innovation and rising sophistication of attacks," Sadadekar says. "Though traditionally phishing has been common, attackers are now launching new attacks with sophisticated strategies and Indian industry is trying hard to keep pace with it."
More financial institutions need to build cyber risk management programs so they can be more secure, vigilant, resilient and implement best practices and controls, security specialists advise.
"Attackers are nowadays updating and upgrading their knowledge about vulnerable organizations," Raste says. "Therefore, perimeter security shouldn't be limited to end-points within the banking sector, but also to third-party organizations and systems which handle or are a part of the banking sector."
Sadadekar calls on financial institutions to take a defense-in-depth approach. "This involves a number of mutually reinforcing security layers both to provide redundancy and potentially slow down the progression of attacks, if not prevent them," he says.