{
	"id": "c5d3fcc5-e1ba-41cd-9297-fe6a5d3021dd",
	"created_at": "2026-04-06T01:29:13.882497Z",
	"updated_at": "2026-04-10T03:23:51.05777Z",
	"deleted_at": null,
	"sha1_hash": "ef542df1de8cf55ac1a1f7ab07ecf5d10ff23c7c",
	"title": "Bokbot: The (re)birth of a banker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 652129,
	"plain_text": "Bokbot: The (re)birth of a banker\r\nPublished August 9, 2018\r\nPublished: 2018-08-09 · Archived: 2026-04-06 00:33:11 UTC\r\nThis blogpost is a follow-up to a presentation with the same name, given at SecurityFest in Sweden by Alfred Klason.\r\nSummary\r\nBokbot (aka: IcedID) came to Fox-IT’s attention around the end of May 2017 when we identified an unknown sample in our lab that appeared to be a banker. This sample was also provided by a customer at a later stage.\r\nHaving looked into the bot and the operation, the analysis quickly revealed that it’s connected to a well-known actor group that was behind an operation publicly known as 76service and later Neverquest/Vawtrak, dating back to 2006.\r\nNeverquest operated for a number of years before an arrest led to its downfall in January 2017. Just a few months afterwards we discovered a new bot, with a completely new code base but based on ideas and strategies from the days of Neverquest. Their business ties remain intact as they still utilize services from the same groups as seen before, but they have also expanded to use new services.\r\nThis suggests that at least parts of the group behind Neverquest are still operating using Bokbot. It’s however unclear how many of the people from the core group have continued on with Bokbot.\r\nBokbot is still a relatively new bot, just recently reaching a production state where they have streamlined and tested their creation. Even though it’s a new bot, they still have strong connections within the cybercrime underworld which enable them to maintain and grow their operation, such as distributing their bot to a larger number of victims.\r\nBy looking back in history and at the people who are behind this, it is highly likely that this is a threat that is not going away anytime soon. 
Fox-IT rather expects an expansion of both the botnet size and their target list.\r\n76service and Neverquest\r\n76service was, what one could call, a big-data mining service for fraud, powered by CRM (aka: Gozi). It was able to gather huge amounts of data from its victims using, for example, formgrabbing, where authorization and log-in credentials are retrieved from forms submitted to websites by the infected victim.\r\nhttps://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/\r\nPage 1 of 11\n\n76service login page (source: krebsonsecurity.com)\r\nThe service was initially spotted in 2006 and was put into production in 2007, when the authors started to rent out access to their platform. When given access to the platform, the fraudulent customers of this service could free-text search the stolen data for credentials that provide access to online services, such as internet banking, email accounts and other online platforms.\r\n76service operated uninterrupted until November 2010, when a Ukrainian national named Nikita Kuzmin was arrested in connection with the operation. This marked the end of the 76service service.\r\nNice Catch! – The real name of Neverquest\r\nA few months before the arrest of Nikita he shared the source code of CRM within a private group of people, which would enable them to continue the development of the malware. This, over time, led to the appearance of multiple Gozi strains, but there was one which stood out more than the others, namely: Catch.\r\nCatch was the name given internally by the malware authors, but to the security community and the public it was known as Vawtrak or Neverquest.\r\nDuring this investigation into Catch it became clear that 76service and Catch shared several characteristics. They both, for example, separated their botnets into projects within the panel they used for administering their infrastructure and botnets. 
Instead of having one huge botnet, they assigned every bot build a project ID that would be used by the bot to let the Command \u0026 Control (C2) server know which specific project the bot belonged to.\r\n76service and Catch also shared the same business model, where they shifted back and forth between a private and a rented model.\r\nThe private business model meant that they made use of their own botnet for their own gain, and the rented business model meant that they rented out access to their botnet to customers. This provided them with an additional income stream, instead of only performing the fraud themselves.\r\nThe shift between business models could usually be correlated with either backend servers being seized or people with business ties to the group being arrested. These types of events might have spooked the group, as they limited their infrastructure, closing down access for customers.\r\nFor the sake of simplicity, Catch will from here on be referred to as Neverquest in this post.\r\n“Quest means business” – Affiliations\r\nIf one would identify a Neverquest infection it might not be the only malware that is lurking on the infected system. Neverquest has been known to cooperate with other crimeware groups, either to distribute additional malware or to use existing botnets to distribute Neverquest.\r\nDuring the investigation and tracking of Neverquest Fox-IT identified the following ties:\r\nCrimeware/malware group | Usage/functionality\r\nDyre | Download and execute Dyre on Neverquest infections\r\nTinyLoader \u0026 AbaddonPOS | Download and execute TinyLoader on Neverquest infections. 
TinyLoader was later seen downloading AbaddonPOS (as mentioned by Proofpoint)\r\nChanitor/Hancitor | Neverquest leverages Chanitor to infect new victims.\r\nBy leveraging these business connections, especially the connection with Dyre, Neverquest was able to maximize the monetization of the bots, since Neverquest could see if a bot was of interest to the group and, if not, it could be handed off to Dyre, which could cast a wider net, targeting for example a bigger or different geographical region and utilizing a bot in a different way.\r\nMore on these affiliations in a later section.\r\nThe never ending quest comes to an end\r\nNeverquest remained at large from around 2010, causing huge amounts of financial losses, ranging from ticket fraud to wire fraud to credit card fraud. Nevertheless, in January 2017 the quest came to an end, as an individual named Stanislav Lisov was arrested in Spain. This individual was proven to be a key player in the operation: soon after the arrest the backend servers of Neverquest went offline, never to come back online, marking the end of a 6-year-long fraud operation.\r\nA more detailed background on 76service and Neverquest can be found in a blogpost by PhishLabs.\r\nA wild Bokbot appears!\r\nEarly samples of Bokbot were identified in our lab in May 2017 and also provided to us by a customer. At this time the malware was being distributed to US infections by the Geodo (aka: Emotet) spam botnet. The name Bokbot is based on a researcher who worked on the very early versions of the malware (you know who you are 😉 ).\r\nInitial thoughts were that this was a new banking module for Geodo, as this group had not been involved in banking/fraud since May 2015. 
This scenario was quickly dismissed after having discovered evidence that linked Bokbot to Neverquest, which will be further outlined hereafter.\r\nBokbot internals\r\nFirst, let’s do some housekeeping and look into some of the technical aspects of Bokbot.\r\nCommunication\r\nAll communication between a victim and the C2 server is sent over HTTPS using POST and GET requests. The initial request sent to the C2 is a POST request containing some basic information about the machine it’s running on, as seen in the example below. Any additional requests, like requesting configs or modules, are sent using GET requests, except for the uploading of any stolen data such as files, HTML code, screenshots or credentials, which the victim submits using POST requests.\r\nEven though the above request is from a very early version (14) of the bot, the principle still applies to the current version (101), first seen 2018-07-17.\r\nURL param. | Comment\r\nb | Bot identifier, contains the information needed to identify the individual bot and where it belongs. More information on this in a later section.\r\nd | Type of uploaded information. For example screenshot, grabbed form, HTML or a file\r\ne | Bot build version\r\ni | System uptime\r\nPOST-data param. | Comment\r\nk | Computer name (Unicode, URL-encoded)\r\nl | Member of domain… (Unicode, URL-encoded)\r\nj | Bot requires signature verification for C2 domains and self-updates\r\nn | Bot running with privilege level…\r\nm | Windows build information (version, arch., build, etc.)\r\nThe parameters that are not included in the table above are used to report stolen data to the C2.\r\nThe C2 response of this particular bot version is a simple set of integers which tells the bot which command(s) should be executed. This is the only C2 response that is unencrypted; all other responses are encrypted using RC4. 
Some responses, like the configs, are also compressed using LZMAT.\r\nAfter a response is decrypted, the bot will check if the first 4 bytes equal “zeus”. If the first 4 bytes are equal to “zeus”, it will decompress the rest of the data.\r\nThe reason for choosing “zeus” as the signature remains unknown; it could be an intentional false flag, in an attempt to trick analysts into thinking that this might be a new ZeuS strain. Similar elusive techniques have been used before to trick analysts. A simpler explanation could be that the developer simply had an ironic sense of humor, and chose the first malware name that came to mind as the 4-byte signature.\r\nConfigs\r\nBokbot supports three different types of configs, which are all in a binary format rather than some structured format like XML, which is, for example, used by TheTrick.\r\nConfig | Comment\r\nBot | The latest C2 domains\r\nInjects | Contains targets which are subject to web injects and redirection attacks\r\nReporting | Contains targets related to HTML grabbing and screenshots\r\nThe first config, which includes the bot C2 domains, is signed. This is to prevent a takeover of any of the C2 domains from resulting in a sinkholing of the bots. The updates of the bot itself are also signed.\r\nThe other two configs are used to control how the bot will interact with the targeted entities, such as redirecting and modifying web traffic related to, for example, internet banking and/or email providers, for the purpose of harvesting credentials and account information.\r\nThe reporting config is used for a more generic purpose, where it’s not only used for screenshots but also for HTML grabbing, which would grab a complete HTML page if a victim browses to an “interesting” website, or if the page contains a specific keyword. 
This enables the actors to conduct some reconnaissance for future attacks, like being able to write web injects for a previously unknown target.\r\nGeographical foothold\r\nEver since its appearance Bokbot has been heavily focused on targeting financial institutions in the US, even though they’re still gathering any data that they deem interesting, such as credentials for online services.\r\nBased on Fox-IT’s observation of the malware spread and the accompanying configs we find that North America seems to be Bokbot’s primary hunting ground, while high infection counts have been seen in the following countries:\r\nUnited States\r\nCanada\r\nIndia\r\nGermany\r\nNetherlands\r\nFrance\r\nUnited Kingdom\r\nItaly\r\nJapan\r\n“I can name fingers and point names!” – Connecting the two groups\r\nThe two bots, on a binary level, do not show much similarity other than the fact that they’re both communicating over HTTPS and use RC4 in combination with LZMAT compression. 
But this wouldn’t be much of an attribution as it’s also a combination used in, for example, ZeuS Gameover, Citadel and Corebot v1.\r\nThe below table provides a short summary of the similarities between the groups.\r\nConnection | Comment\r\nBot and project ID format | The usage of projects and the bot ID generation are unique to these groups, along with the format in which this information is communicated to the C2.\r\nInject config | The injects and redirection entries are very similar and the format hasn’t been seen in any other malware family.\r\nReporting config | The targeted URLs and “interesting” keywords are almost identical between the two.\r\nAffiliations | The two groups share business affiliations with other crimeware groups.\r\nBot ID, URL pattern and project IDs\r\nWhen both Neverquest and Bokbot communicate with their C2 servers, they have to identify themselves by sending their unique bot ID along with a project ID.\r\nAn example of the string that the server uses in order to identify a specific bot from its C2 communication is shown below:\r\nThe placement of this string is of course different between the families, where Neverquest (in the latest version) placed it, encoded, in the Cookie header field. Older versions of Neverquest sent this information in the URL. Bokbot on the other hand sends it in the URL, as shown in a previous section.\r\nOne important difference is that Neverquest used a simple number for their project ID, 7 in the example above. Bokbot on the other hand is using a different, unknown format for its project ID. A theory is that this could be the CRC checksum of the project name, to prevent any leakage of the number of projects or their names, but this is pure speculation.\r\nAnother difference is that Bokbot has implemented an 8-bit checksum that is calculated using the project ID and the bot ID. 
This checksum is then validated on the server side and if it doesn’t match, no commands will be returned.\r\nTo this date there has been a total of 20 projects over 25 build versions observed, numbers that keep on growing.\r\nInject config – Dynamic redirect structure\r\nThe inject config not only contains web injects but also redirects. Bokbot supports both static redirects, which redirect a static URL, and dynamic redirects, which redirect a request based on a target matched using a regular expression.\r\nThe above example is a redirect attack from a Neverquest config. They use a regular expression to match on the requested URL. If it matches they will extract the name of the requested file along with its extension. The two strings are then used to construct a redirect URL controlled by the actors. Thereby, the $1 will be replaced with the file name and $2 will be replaced with the file extension.\r\nHow does this compare with Bokbot?\r\nNotice how the redirect URL contains $1 and $2, just as with Neverquest. This could of course be a coincidence, but it should be mentioned that this is something that has only been observed in Neverquest and Bokbot.\r\nReporting config\r\nThis config was one of the very first things that hinted at a connection between the two groups. By comparing the configs it becomes quite clear that there is a big overlap in interesting keywords and URLs:\r\nNeverquest is on the left and Bokbot on the right. Note that this is a simple string comparison between the configs, which also includes URLs that are to be excluded from reporting.\r\n“Guilt by association” – Affiliations\r\nNone of these groups are short on connections in the cybercrime underworld. It’s already been mentioned that Neverquest had ties with Dyre, a group which by itself caused substantial financial losses. 
But it’s also important to take into account that Dyre didn’t completely go away after the group got dismantled, but was rather replaced with TheTrick, which gives a further hint of a connection.\r\nNeverquest affil. | Bokbot affil. | Comment\r\nDyre | TheTrick | Neverquest downloads \u0026 executes Dyre. Bokbot downloads \u0026 executes TheTrick\r\nTinyLoader | TinyLoader | Neverquest downloads \u0026 executes TinyLoader, which downloads AbaddonPOS. Bokbot downloads \u0026 executes TinyLoader, additional payload remains unknown at this time\r\nChanitor | Chanitor | Neverquest utilizes Chanitor for distribution of Neverquest. Bokbot utilizes Chanitor for distribution of Bokbot, downloads SendSafe spam malware to older infections.\r\n(none) | Geodo | Bokbot utilizes Geodo for distributing Bokbot\r\n(none) | Gozi-ISFB | Bokbot utilizes Gozi-ISFB for distributing Bokbot\r\nThere are a few interesting observations with the above affiliations. The first is for the Chanitor affiliation. When Bokbot was being distributed by Chanitor, an existing Bokbot infection that was running an older version than the one being distributed by Chanitor would receive a download \u0026 execute command which pointed to the SendSafe spambot, used by the Chanitor group to send spam. This suggests that they may have exchanged “infections for infections”.\r\nThe Bokbot affiliation with Geodo is something that cannot be linked to Neverquest, mostly due to the fact that Geodo has not been running its spam operation long enough to overlap with Neverquest.\r\nThe below graph shows all the observed affiliations to date.\r\nEvents over time\r\nAll of the above information has been collected over time during the development and tracking of Bokbot. 
The events and observations can be seen on the below timeline.\r\nThe first occurrence of TheTrick being downloaded was in July 2017, but Bokbot has since been downloading TheTrick on different occasions.\r\nAt the end of December 2017 there was little Bokbot activity, likely due to the fact that it was the holidays. It’s not uncommon for cybercriminals to decrease their activity during the turn of the year; supposedly everyone needs holidays, even cybercriminals. They did however push an inject config to some bots which targeted *.com with the goal of injecting JavaScript to mine Monero cryptocurrency. As soon as an infected user visited a website with a .com top-level domain (TLD), the browser would start mining Monero for the Bokbot actors. This was likely an attempt to passively monetize the bots while the actors were on holiday.\r\nBokbot remains active and shows no signs of slowing down. Fox-IT will continue to monitor these actors closely.\r\nSource: https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/"
	],
	"report_names": [
		"bokbot-the-rebirth-of-a-banker"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438953,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef542df1de8cf55ac1a1f7ab07ecf5d10ff23c7c.pdf",
		"text": "https://archive.orkl.eu/ef542df1de8cf55ac1a1f7ab07ecf5d10ff23c7c.txt",
		"img": "https://archive.orkl.eu/ef542df1de8cf55ac1a1f7ab07ecf5d10ff23c7c.jpg"
	}
}