SecurityBrief Asia

Flokibot Point of Sale credit card theft on the rise

Thu 2 Feb 2017

Threat actors salivate at the thought of an increased volume of credit and debit card transactions flowing through endpoints they have compromised with card-stealing malware. While there are many distinct malware families that scrape unencrypted process memory to obtain card data, some of these capabilities overlap with generic information-stealing trojans such as Flokibot, which capture and exfiltrate HTTPS GET and POST data and other material from compromised machines.

Rather than focusing on the Flokibot malware itself, which has already been profiled by ASERT and others, we have profiled selected elements of three Flokibot compromises in order to provide increased awareness of risk factors and actor TTPs. The first compromise profiled is particularly interesting because it likely involves a threat actor participating in a card trafficking operation.

Targeting and Data Exfiltration

Recently, ASERT researchers observed FlokiBot activity emanating from numerous compromised Point of Sale systems and other machines of interest. The two FlokiBot campaigns observed may have focused on a narrow set of targets, judging by the small number of compromised machines making up each botnet.

In the first case, 25 compromised machines were involved and in the second, there were 43. The low number implies a more specific targeting scheme than a general-purpose malvertising or commodity exploit kit delivery mechanism. The less widespread the malware, the greater the chances for reduced detection and attention from security researchers and a potentially slower response from law enforcement and the security industry.

FlokiBot exfiltrates data to a Command & Control server, where a folder is created for each compromised machine using the uppercase machine name followed by an underscore and a sixteen character uppercase Bot ID value generated by the Core::_generateBotId function. Exfiltrated data is stored inside each folder in a file named reports.txt. This naming scheme is standard practice for the Zeus Trojan, which Flokibot is based upon.

A sanitized reports.txt entry (shown as a screenshot in the original post, not reproduced here) illustrates the data the threat actors have access to: a VISA card exfiltrated and displayed in the Track 2 field, and a process_name field giving the name of the process from which the card data was scraped.
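As an added example (not code from the original post or from ASERT), the following Python does what an analyst does with access to such a dump: it recognises the Zeus-style per-victim folder name, splits a reports.txt-style file into records, pulls Track 2 data out of the Track 2 and Keylogger fields, validates the PAN with Luhn, classifies it into the same three buckets the report uses (Visa, Mastercard, "Amex, Diners, JP"), and tallies unique cards by brand and by source process, while separating out the bot's own beacon entries. The record separator and "key: value" layout of the sample are assumed; the field names are the ones the article cites; the card numbers are public test PANs, and the language_id 1046 is the Windows LCID for Portuguese (Brazil).

```python
import re
from collections import Counter

# Per-victim folder on the C2: uppercase machine name, underscore, 16-char uppercase bot ID.
FOLDER_RE = re.compile(r"^[A-Z0-9][A-Z0-9\-]*_[A-Z0-9]{16}$")
# Track 2: optional ';' sentinel, PAN, '=', expiry YYMM, service code, discretionary data, optional '?'.
TRACK2_RE = re.compile(r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})?(?P<disc>\d*)\??")

# Constructed sample dump (assumed layout; article's field names; public test PANs).
SAMPLE_REPORT = """\
==========
bot_id: BRPOS01_0123456789ABCDEF
language_id: 1046
process_name: C:\\Windows\\explorer.exe
path_source: Visa
Track 2: 4111111111111111=2212101000000000
==========
bot_id: BRPOS01_0123456789ABCDEF
language_id: 1046
process_name: C:\\Tools\\MSR606.exe
path_source: Mastercard
Keylogger: 5555555555554444=2305201123456789
==========
bot_id: BRPOS01_0123456789ABCDEF
language_id: 1046
process_name: C:\\Windows\\explorer.exe
path_source: https://shhtunnel[.]at/class/gate.php
==========
bot_id: BRPOS01_0123456789ABCDEF
language_id: 1046
process_name: C:\\Users\\pos\\AppData\\Roaming\\Microsoft\\InternetExplorer.exe
path_source: Amex, Diners, JP
Track 2: 378282246310005=2401101000000000
"""


def is_zeus_style_folder(name: str) -> bool:
    """MACHINENAME_<16 uppercase chars>: the per-victim folder layout inherited from Zeus."""
    return FOLDER_RE.match(name) is not None


def parse_report(text: str) -> list:
    """Split a reports.txt dump into records of key/value fields."""
    records = []
    for chunk in text.split("==========\n"):
        fields = {}
        for line in chunk.splitlines():
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: rejects typos and garbage that merely looks like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Brand from leading digits, collapsed into the three buckets the report uses."""
    p2, p3, p4 = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4":
        return "Visa"
    if 51 <= p2 <= 55 or 2221 <= p4 <= 2720:
        return "Mastercard"
    if p2 in (34, 37, 36, 38) or 300 <= p3 <= 305 or 3528 <= p4 <= 3589:  # Amex, Diners, JCB
        return "Amex, Diners, JP"
    return "Unknown"


def summarize(records: list) -> dict:
    """Unique cards by brand and by source process, plus the bot's own C2 beacons."""
    pans, by_process, beacons = {}, Counter(), []
    for rec in records:
        src = rec.get("path_source", "")
        if src.lower().startswith(("http://", "https://")):
            beacons.append((rec.get("process_name", ""), src))  # bot posting to its gate
        raw = rec.get("Track 2") or rec.get("Keylogger")  # typed/pasted cards land in Keylogger
        if not raw:
            continue
        m = TRACK2_RE.search(raw)
        if not m or not luhn_ok(m["pan"]):
            continue
        pans[m["pan"]] = card_brand(m["pan"])
        by_process[rec.get("process_name", "")] += 1
    return {"unique_cards": len(pans), "by_brand": dict(Counter(pans.values())),
            "by_process": dict(by_process), "beacons": beacons}


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Counting unique PANs rather than entries matters: the same card is typically scraped from several processes (MSR606.exe via the keylogger, then explorer.exe and the FighterPOS process from memory), so raw entry counts overstate the number of cards exposed.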

Brazilian Compromise Observations

One particular FlokiBot campaign (oriented around a specific C2) tracked by ASERT focused on Brazilian targets. This included several PoS machines and other systems involved in card processing. Flokibot targeting Brazil is not new, and has been previously profiled by Flashpoint Intel who revealed that the author of the malware, an actor known as “flokibot”, is likely a Brazilian “connector” who has engaged other online crime communities in various languages.

Compromise Observation #1: Compromise of System Creating Credit Cards

The compromised system in observation #1 was a Windows 7 SP1 machine. The report gives a language_id of 1064, described as Portuguese; note that the Windows LCID for Portuguese (Brazil) is 1046 (0x0416), so the digits are likely transposed.

Based on analysis of the report file, there were 268 unique instances of track 2 data exfiltrated from the system. These included 179 instances of Mastercard, 86 instances of Visa cards, and three cards classified as “Amex, Diners, JP”. The timeline of the data exfiltration was from 9/25/2016 – 10/2/2016 for a total of eight days.

This system featured client installations of TeamViewer and Ammyy Admin, applications used for remote administration. Exposed remote administration tools, and weak or reused credentials for them, continue to be abused by threat actors targeting Point of Sale and other systems.

The flow of card data through the compromised system is easier to follow in the timeline infographic from the original post (not reproduced here), which shows the processes involved and the movement of card data between them. When reading it, remember that Flokibot injects itself into explorer.exe, which is why explorer.exe appears in the report as a source process.

In this instance, Flokibot discovered card data present inside memory regions of several Windows processes, including:

  • MSR606.exe
  • InternetExplorer.exe
  • Explorer.exe
  • DecryptTracks.exe

DecryptTracks.exe was stored in a folder named “virus novo bomba\Decrypter” and is possibly a utility to decrypt track information. Based on insight derived from carding forums, card data obtained via a PoS skimmer dump file is typically encrypted with the key known only to the seller, so this may be a utility to decrypt dumps. “Virus novo bomba” translated from Portuguese to English means “new virus bomb”.

The naming scheme for the DecryptTracks.exe binary seems suspicious for a legitimate system and, combined with further evidence presented below, suggests that the actors deploying FlokiBot may have compromised someone involved in the illicit business of making physical credit cards from encrypted track data.

Another possibility is that a threat actor compromised themselves with their own malware for testing purposes and forgot to disable the malware (an amusing possibility). Another aspect of this exfiltration that suggests the compromised system is not a legitimate PoS installation is the absence of any process associated with a Point of Sale application.

Further support for this hypothesis can be made by observing the exfiltration timeline discussed previously.

The MSR606.exe process was likely developed by a company called Postech, operating from China. The MSR606.exe application is a “MagCard Write/Read Utility Program”, written in Delphi. Underground carding forum chatter suggests the MSR-606 hardware is very popular. 

The MSR606 series is designed to read and/or write high or low coercivity magnetic cards. It can encode and verify up to 3 tracks of data simultaneously, and it communicates with a host computer or other terminal over a USB interface.

The MSR-606 hardware can be purchased easily and is readily available online. 

We observed through the exfiltrated report file that some of the card data was entered via keyboard into the MSR606.exe application, as the track 2 data in such transactions was obtained via Flokibot’s keylogger functionality and appeared in the Keylogger field inside the exfiltration report. It is possible that pasting card data into MSR606.exe resulted in that data being obtained by the keylogger.

While legitimate use of MSR606.exe is a possibility, the creation of numerous cards with different BINs via the MSR606.exe application is suspicious.

This same card data obtained via the keylogger functionality from the MSR606.exe process was also obtained in clear-text form from the process memory of explorer.exe, SGCRA.exe and InternetExplorer.exe.

The SGCRA.exe process and the InternetExplorer.exe process appear to be other malware, most likely FighterPOS. For example, the sample with MD5 hash daaa0d3511e23b265bf88e3a036e7e9a uses both filenames, InternetExplorer.exe and SGCRA.exe.

The sample in question is often detected as FighterPOS or Punkey POS, but contains strings indicating the malware may actually be known as FlokiIntruder. A quick check of the ASERT malware repository shows several different malware families using the filename InternetExplorer.exe, including NewPOSThings and FighterPOS. The filename SGCRA.exe was used six times by malware tagged as FighterPOS.

Based on the BIN numbers of the exfiltrated cards, the original post tabulates the countries most targeted; that table did not survive in this copy.

Compromise Observation #2: Windows 7 Machine

The compromised system in observation #2 was also a Windows 7 SP1 machine. The language_id is again reported as 1064 (Portuguese; the Windows LCID for Portuguese (Brazil) is 1046).

Based on analysis of the report file, there were 167 unique instances of track 2 data exfiltrated from the system at the time of analysis. These included 94 instances of Mastercard, 68 instances of Visa cards, and 5 cards classified as “Amex, Diners, JP”.

Nearly all of the card data from this machine was exfiltrated from explorer.exe, with a very small number discovered from an instance of the FighterPoS/FlokiIntruder malware running at AppData\Roaming\Microsoft\InternetExplorer.exe. No card data, or anything else, was exfiltrated via the keylogger mechanism in this case. Despite the presence of card data, there was no obvious presence of a Point of Sale application running, based on the report.

In this case the report also recorded the malware's own exfiltration traffic: when encrypted/encoded card data was POSTed to the C2, the entry showed a process_name of C:\Windows\explorer.exe and a path_source value of https://shhtunnel[.]at/class/gate.php.

In the leaked Zeus source code, the path_source variable carries either a URL accessed by a process or the type of credit card found in memory. Here, explorer.exe (injected with Flokibot) was accessing gate.php on the Flokibot C2 server; in the card entries, path_source instead contains "Visa", "Mastercard", or "Amex, Diners, JP".
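The process names and the explorer.exe-to-gate.php traffic described in observations #1 and #2 make a small hunting rule set. The following is an added example, not ASERT's or Arbor's tooling: constructed EDR-style process records and proxy records (field names assumed) are checked against heuristics drawn from this article, namely the InternetExplorer.exe and SGCRA.exe filenames, executables launched from AppData\Roaming\Microsoft, remote-administration tools, and explorer.exe POSTing to a host that is not Microsoft's. The remote-admin binary names and the Microsoft host allow-list are illustrative, and the C2 host in the sample is written defanged as in the article.

```python
# Filenames the article ties to PoS malware families (lower-cased for matching).
SUSPICIOUS_IMAGES = {
    "internetexplorer.exe": "filename used by NewPOSThings/FighterPOS/FlokiIntruder samples (real IE is iexplore.exe)",
    "sgcra.exe": "filename used by FighterPOS samples",
    "decrypttracks.exe": "track decryption utility seen next to MSR606.exe in observation #1",
}
# Illustrative remote-administration binaries (assumed names, not an exhaustive list).
REMOTE_ADMIN = {"teamviewer.exe", "aa_v3.exe", "winvnc.exe", "tvnserver.exe"}
# Hosts explorer.exe may legitimately talk to (illustrative allow-list, an assumption).
MS_HOSTS = ("microsoft.com", "windows.com", "msftconnecttest.com", "live.com")

# Constructed telemetry: "process" records from an EDR, "http" records from a proxy.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\explorer.exe"},
    {"type": "process", "image": "C:\\Users\\pos\\AppData\\Roaming\\Microsoft\\InternetExplorer.exe"},
    {"type": "process", "image": "C:\\Users\\pos\\AppData\\Roaming\\Microsoft\\updater.exe"},
    {"type": "process", "image": "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe"},
    {"type": "process", "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"type": "http", "image": "C:\\Windows\\explorer.exe", "method": "POST",
     "host": "shhtunnel[.]at", "path": "/class/gate.php"},
    {"type": "http", "image": "C:\\Windows\\explorer.exe", "method": "GET",
     "host": "www.msftconnecttest.com", "path": "/connecttest.txt"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_allowed_host(host: str, allowed=MS_HOSTS) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in allowed)


def review_events(events: list) -> list:
    """Return (severity, image, reason) findings for the heuristics above."""
    findings = []
    for ev in events:
        image = ev.get("image", "")
        name = basename(image)
        lowered = image.lower()
        if ev["type"] == "process":
            if name in SUSPICIOUS_IMAGES:
                findings.append(("high", image, SUSPICIOUS_IMAGES[name]))
            elif "\\appdata\\roaming\\microsoft\\" in lowered and lowered.endswith(".exe"):
                findings.append(("medium", image, "executable launched from AppData\\Roaming\\Microsoft"))
            elif name in REMOTE_ADMIN:
                findings.append(("info", image, "remote administration tool present: verify exposure and credentials"))
        elif ev["type"] == "http":
            host = ev.get("host", "")
            # Zeus-family bots inject into explorer.exe and POST to a gate script on the C2.
            if name == "explorer.exe" and ev.get("method") == "POST" and not is_allowed_host(host):
                findings.append(("high", image, "explorer.exe POST to %s%s" % (host, ev.get("path", ""))))
    return findings


if __name__ == "__main__":
    for severity, image, reason in review_events(SAMPLE_EVENTS):
        print(severity, image, reason)
```

The explorer.exe rule is deliberately keyed on POST rather than on the gate.php path, because the gate name is trivial for an operator to change while the injection target and the upload direction are properties of the malware family.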

Compromise Observation #3: Linx Autosystem Installation

This was also a Windows 7 x64 SP1 system using the Portuguese language. The card processing binary was c:\autosystem\paf.exe, part of an eCommerce package called Linx Autosystem made by LZT Sistemas of Brazil. The Linx website, quoted in the original post in translation from Portuguese, indicates a wide customer base.

This exfiltration report featured both keylogger and Track 2 findings. The exfiltration took place between 10/27/2016 and 11/22/2016, and during that time period, 290 credit cards were stolen. Of these, 147 were VISA cards, 123 Mastercard, and 20 were Amex, Diners, or JP.

C2 Links to Kronos, other Flokibot Campaigns

The C2 for the three observations described above was shhtunnel[.]at. The domain's IP address history is as follows (the IP addresses in this table did not survive extraction; only the resolution date ranges remain):

Resolution date ranges

  • 8/4/2016 – 8/25/2016
  • 10/11/2016 – 10/11/2016
  • 10/13/2016 – 10/30/2016
  • 10/31/2016 – present

Registration on the domain was associated with the name “Karl Marx” with an email address of sprobot[@] This email address was used to register several other domains of interest.

Domain and observed malware activity:

  • springlove[.]at: Kronos banking Trojan
  • springlovee[.]at: Flokibot version 13
  • sshtunnel[.]at: Kronos banking Trojan, also possible ransomware activity
  • treasurehunter[.]at: Flokibot v13 as of 2016-12-13 and possible RealPoS malware

The IP address 128.199.209[.]15 is associated with Digital Ocean:

  • AS: 133165
  • IP: 128.199.209[.]15
  • CC: GB
  • Name: DIGITALOCEAN-AS-AP Digital Ocean, Inc., SG

The IP address was also used by the following domains:

Domain and observed malware activity (N/A where none was observed):

  • pegadorde[.]info: FighterPoS malware
  • www.androidupdate[.]online: Android Marcher banking Trojan
  • springback[.]at: N/A
  • jembrana[.]net: N/A
  • avalanche[.]today: Malicious site [Sophos]
  • superavalanche[.]at: N/A
  • [hostname not recovered][.]in: Malicious site [BitDefender, Fortinet]
  • mobil-sicherheitsupdater[.]online: Android Marcher banking Trojan
  • springalove[.]at: Kronos banking Trojan
  • [hostname not recovered][.]id: N/A
  • ftp.jembrana[.]net: N/A
  • imap.tastydragon[.]com: N/A
  • mail.tastydragon[.]com: N/A
  • ex-ago[.]com: N/A

Presence in this domain list does not necessarily imply malice where no malware activity was observed; however, the percentage of malicious domains pointing to the same IP is notable.

It should also be noted that ASERT observed systems compromised by Flokibot that were also compromised by the Dexter Point of Sale malware. Threat actors are going after some of the same targets, so a scenario involving multiple compromises is not surprising. This scenario is yet another reason why the detection and elimination of one type of malware does not mean that the system is malware free.

The outdated concept of “cleaning” an “infection” no longer applies in most cases, especially when a higher security environment is at risk. A complete rebuild, after the completion of a proper incident response process is warranted instead.

Passive DNS Insight

Passive DNS queries on shhtunnel[.]at revealed two other domains of potential interest: sshtunnel02[.]xyz (due to the similarity of the domain name) and p0o9i8u7y9[.]xyz. This second domain was interesting because of its use of the commonly abused .xyz TLD, and because the structure of the name itself suggests it may have been generated by a Domain Generation Algorithm (DGA). The following malware activity was also observed:

  • sshtunnel02[.]xyz: Andromeda / downloader
  • p0o9i8u7y9[.]xyz: Ransomware

sshtunnel02[.]xyz resolved to 107.191.52[.]175 in early August of 2016; the name servers it used during that time were listed in the original post but did not survive extraction.

The other domain, p0o9i8u7y9[.]xyz, resolved to four IP addresses over the following date ranges (the addresses themselves did not survive extraction):

Resolution date ranges

  • 8/6/2016 – 8/31/2016
  • 9/6/2016 – 9/18/2016
  • 9/21/2016 – 9/28/2016
  • 10/5/2016 – 11/14/2016
  • 11/16/2016 – 1/4/2017

At the time of this writing, the last IP still resolved in response to the query of p0o9i8u7y9[.]xyz.

Due to the passive DNS associations presented here, network defenders are encouraged to be alert for any activity involving these domains or IP addresses especially during the resolution timeframe.
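An added example (not from the original post) of how a network defender would act on the indicators in this section and in "C2 Links to Kronos, other Flokibot Campaigns": load the domains and IPs with their resolution windows, run them over a DNS query log, report hits inside and outside the window (the article asks for heightened attention during the resolution timeframe, but an out-of-window hit is still worth a look), and also catch lookalikes of the C2 labels (shhtunnel versus sshtunnel) by edit distance. The dates are the article's, written against the domain because the IP column did not survive; the "early August 2016" window for sshtunnel02[.]xyz is approximated as the whole month (an assumption), and 128.199.209[.]15 has no window because the article gives none. The indicators are written undefanged so they match real log lines; the log itself is constructed.

```python
from datetime import date, datetime

# Indicator -> list of (first, last) resolution dates; last=None means still resolving
# at the time of writing; an empty list means no window is known, so any sighting counts.
IOCS = {
    "shhtunnel.at": [(date(2016, 8, 4), date(2016, 8, 25)), (date(2016, 10, 11), date(2016, 10, 11)),
                     (date(2016, 10, 13), date(2016, 10, 30)), (date(2016, 10, 31), None)],
    "p0o9i8u7y9.xyz": [(date(2016, 8, 6), date(2016, 8, 31)), (date(2016, 9, 6), date(2016, 9, 18)),
                       (date(2016, 9, 21), date(2016, 9, 28)), (date(2016, 10, 5), date(2016, 11, 14)),
                       (date(2016, 11, 16), date(2017, 1, 4))],
    "sshtunnel02.xyz": [(date(2016, 8, 1), date(2016, 8, 31))],   # "early August 2016", approximated
    "107.191.52.175": [(date(2016, 8, 1), date(2016, 8, 31))],    # same approximation
    "128.199.209.15": [],                                         # no window given in the article
}

# Constructed DNS query log: timestamp client rrtype qname answer.
# shhtunnell.at (double l) is an invented lookalike, not an indicator from the article.
SAMPLE_DNS_LOG = """\
2016-10-20T14:02:11Z 10.20.1.15 A shhtunnel.at 198.51.100.7
2016-09-01T09:15:40Z 10.20.1.22 A p0o9i8u7y9.xyz 198.51.100.8
2016-12-01T18:30:05Z 10.20.1.15 A shhtunnell.at 203.0.113.9
2016-11-02T08:00:00Z 10.20.1.40 A springback.at 128.199.209.15
2016-10-20T14:05:00Z 10.20.1.30 A www.microsoft.com 203.0.113.10
"""


def in_window(day: date, windows: list) -> bool:
    """True if the day falls inside any known resolution window (or none is known)."""
    if not windows:
        return True
    return any(first <= day and (last is None or day <= last) for first, last in windows)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike C2 labels such as shhtunnel/sshtunnel."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sld(name: str) -> str:
    """Second-level label of a hostname (the part the actor actually chose)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def match_dns_log(log_text: str, iocs: dict = IOCS, max_dist: int = 1) -> list:
    hits = []
    c2_labels = sorted(sld(i) for i in iocs if not i.replace(".", "").isdigit())
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _rrtype, qname, answer = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        qname = qname.lower().rstrip(".")
        for indicator, via in ((qname, "qname"), (answer, "answer")):
            if indicator in iocs:
                hits.append({"day": day, "client": client, "indicator": indicator,
                             "via": via, "in_window": in_window(day, iocs[indicator])})
                break
        else:
            near = [c for c in c2_labels if levenshtein(sld(qname), c) <= max_dist]
            if near:
                hits.append({"day": day, "client": client, "indicator": qname,
                             "via": "lookalike of " + near[0], "in_window": None})
    return hits


if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Matching on the answer as well as the query name is what turns the shared-hosting observation above into a detection: a host resolving any name to 128.199.209[.]15 is worth a look even if that name is not yet on a list.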

Flokibot C2 servers

These C2s were obtained from ASERT malware analysis. Note that they are all Flokibot C2s, not only those associated with the threat activity profiled above.

Last observed (the C2 domain names in this table did not survive extraction; only the dates remain)

  • 1/4/17
  • 12/20/16
  • 12/19/16
  • 12/19/16
  • 12/17/16
  • 12/16/16
  • 12/13/16
  • 12/1/16
  • 11/28/16
  • 11/23/16
  • 11/23/16
  • 11/22/16
  • 11/13/16
  • 11/12/16

Flokibot Sample hashes (MD5)

  • 4ada3fabb0e2cd0c90b16ec79e8147d8
  • 20816af7c443180cccc6aa962151af67
  • 23de0ef14737b0398af94d9d9ec5d5b7
  • 2510953f05dcd2c758ad29160bbc3911
  • 2bbd8aa8be75537bd60e68b124eafbff
  • 33252b2c9e054617ecb7172837ce7775
  • 37768af89b093b96ab7671456de894bc
  • 3bf85b3bf7393ec22426919d341715e7
  • 3ddf657800e60a57b884b87e1e8a987c
  • 4725f4b5eec09bdb29433cbea6e360b3
  • 52645badc17613f95a7962b07e2f063e
  • 53203a1b05c0e039d8e690bad4808b97
  • 5649e7a200df2fb85ad1fb5a723bef22
  • 5d513187fc3357bc58d49c33f1c3e9c7
  • 5d817395b4e6a828850e0010edeccc93
  • 5e5289bb2b5bb89bddbc2ec0a38a6c9b
  • 5fa30772b1f7a1f6dd33b84180f17add
  • 624f84a9d8979789c630327a6b08c7c6
  • 6255a9d71494381b8a4319fd139e9242
  • 64a23908ade4bbf2a7c4aa31be3cff24
  • 6db1f428becc2870517ae50fd892fc67
  • 6dcc9ef9258dea343e1fdb1aaa5c7e56
  • 70f6abfb433327a7b3c394246cc37ea2
  • 7b7675705908d34432e2309880f5538e
  • 7b8f8a999367f28b3ac42fc4d2b9439d
  • 7d17de98ce24a0c3e156efcc0e1ca565
  • 92316769af9e7cc204a81789c0dab9c0
  • 93c07b57a51e3eee44134caa39057e8d
  • 992e9518d69039c3ebae4191e1f8b8b6
  • 99e9f5a4563f56e61f3806be39efce62
  • a11b982bde341475e28d3a2fa96f982a
  • a1bd290317b03ade7941dedd4a4e903b
  • a50e2d3419a9de9be87eb04f52f2245f
  • a53d38e93698ccf1843f15ebbd89a380
  • c149ef34c57e6f7e970063679de01342
  • c6faf2a51122cad086370674a3c9ad1a
  • cb8d57c149330e7bd1798d62e5da5404
  • cc38fd598cbef1a3816bb64f2990e9b6
  • cdb0762becd67b893d73cda594cd1c3e
  • d4c5384da41fd391d16eff60abc21405
  • d840ecdd9c8b32af83131dab66ec0f44
  • e54d28a24c976348c438f45281d68c54
  • e83d79fb671cf2335025022bebbb0bdd
  • ebbf3f2385157240e8a45a9dd00ddaef
  • f33808ea5100648108c7d0d6a0d5eb61
  • f5f698c6c0660d14ce19fd36a4e94b9c
  • f79035227cace85f01ee4ae63ad7c511
  • fdca6464b694739178b5a46d3d9b0f5c


Threat actors have engaged, and continue to engage, in compromise campaigns against Point of Sale infrastructure in Brazil and elsewhere using the Flokibot malware family. Gaining insight into a C2 server provided ASERT with the means to describe a sample set of three compromises.

Of these, one appeared to be a threat actor involved in the creation of credit cards, and the other two compromised machines were likely Point of Sale systems or closely associated, based on analysis of their process activity and system usage patterns reported to the C2.

Individuals and businesses operating Point of Sale infrastructure must follow security best practices and should be aware of the numerous tactics threat actors use to compromise PoS machines.

Some examples of common tactics include:

  • scanning for remotely accessible administrative services (Remote Desktop, Ammyy Admin, TeamViewer, VNC and similar) and abusing weak or default credentials on them;
  • delivering malware-laden spearphish to selected targets, posing as PoS or other software updates;
  • compromising vendors that offer remote support to PoS installations in the field;
  • gaining physical access to PoS machines in order to install malware;
  • indirect lateral movement through partner organizations to reach a target.

Unusual network connections and data exfiltration from PoS machines to unexpected destinations should be a cause for alarm. Data exfiltration from machines that have network or other trusted connections to PoS infrastructure should also be cause for alarm that triggers an immediate investigation and corresponding incident response process.

Article by Curt Wilson, Arbor Networks senior threat intelligence analyst.
