Trojan-Banker.Win32.Floki

In terms of capabilities, this malware family replicates the Zeus family, upon which its source code is based. The main difference is in the method used for packaging the configuration file. While basic versions of Zeus used RC4+XOR for package encryption, followed by a configuration file in the zeus_storage format, the structure used by Floki is more complicated. The response from the server is encrypted using RC4+XOR, followed by data split into sections in a format that is unique to Floki. Combining parts from each section gives complete information. The first byte indicates the data type:
• Configuration file, if the first byte is 00
• Update, if the first byte is 01
• Command, if the first byte is 02
The configuration file is re-encrypted using RC4+XOR and, once decrypted, has the standard zeus_storage format. Updates consist of unencrypted MZ/PE files. Commands also arrive unencrypted, in the standard zeus_storage format. The decrypted configuration file and commands are compatible with the Zeus family.

Geographical distribution of attacks by the Trojan-Banker.Win32.Floki family

Geographical distribution of attacks during the period from 08 December 2015 to 08 December 2016

Countries with attacked users (% of total attacks)

* Percentage among all unique Kaspersky users worldwide attacked by this malware