VISA warned all its merchants that multiple infosec firms reported on the emerging threat of a new malware variant identified as “Flokibot.”
While Flokibot attacks have focused on the Latin America / Caribbean region to date, this malware may represent a broader threat to the payments ecosystem. Visa is publishing this alert in order to provide clients and stakeholders with technical information, including background on the malware, indicators of compromise and suggested mitigation activities to protect the payments ecosystem.
VISA's summary: "Recently, two Flokibot campaigns compromised integrated point-of-sale (PoS) devices and other systems of multiple Brazilian merchants. Although we have no confirmation of other compromises, merchants in other countries—including Australia, Paraguay, Croatia, the Dominican Republic, Argentina, and the U.S.—were also reportedly targeted.
While Flokibot attacks have focused on the LAC region to date, this malware may represent a broader threat to the payments ecosystem. Visa is publishing this alert in order to provide clients and stakeholders with technical information, including background on the malware, indicators of compromise (IOC) and suggested mitigation activities to protect the payments ecosystem." Here is VISA's full PDF with details.
“Spear Phishing” as Delivery Mechanism
Researchers found that, in the initial phase, cyber criminals use spear phishing to deliver the Floki payload. They weaponize Microsoft Word documents with malicious macro code and send them to the targeted recipients as email attachments. Once the target (victim) receives the mail and opens the attachment, and if macros are enabled on the victim's machine, the malicious payload executes and retrieves the Floki Bot malware hosted on the intruder's server.