The FluBot malware has started expanding its operations. Its latest targets are the finance applications of German and Polish banks. The activity was reported a day after an Australian bank reported that it had also been targeted.
New overlays are being distributed that target the apps of several German and Polish banks.
Fake UIs impersonating the application's login form are displayed over the legitimate app when users open it. Any credentials entered into the overlay are sent to the C2 server.
Multiple Polish finance apps were targeted on 12 August. The targets included BNP Paribas GOMobile, mBank PL, IKO, Getin Mobile, plusbank24, Moje ING mobile, Bank Millennium, and Santander mobile.
Multiple German apps were targeted between 10 and 13 August. SpardaApp, Sparkasse Ihre mobile Filiale, Consorsbank, VR Banking Classic, and N26-The Mobile Bank were among the targets.
FluBot propagates through messages containing links to web pages hosted on compromised web servers. The messages impersonate parcel tracking services or voicemail notifications. In June, FluBot was detected imitating logistics and postal service apps in an attempt to lure targets.
Analysis of these sites showed that the threat actors manage the lure sites through C2 servers.
FluBot is currently very active and is targeting Europe; it may be targeting other regions as well. Smartphone users should avoid visiting lure sites linked to FluBot, and should not install applications from third-party sources or from links received in messages.
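The propagation and mitigation points above (smishing lures themed as parcel or voicemail notices, links to pages on compromised servers, and not installing apps from message links) can be turned into a simple defender-side triage rule for incoming SMS text. The Python below is an added example written for this page, not code from the report or from any vendor. The keyword lists, the trusted and known-lure domain lists, and the sample messages are all constructed for illustration; in practice the domain lists would come from threat-intelligence feeds and the organisation's own approved sender domains.

```python
"""Heuristic triage of SMS text for FluBot-style smishing lures.

Added example, not from the original report. Scores a message on three
signals the report describes: a link in the message, a parcel-tracking or
voicemail lure theme, and a link that points at an Android package.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Lure themes named in the report. Keyword lists are constructed for this
# example (English, German and Polish, matching the targeted regions).
LURE_THEMES = {
    "parcel": ("parcel", "package", "delivery", "shipment", "paket",
               "sendung", "zustellung", "przesyłka", "paczka", "dostawa"),
    "voicemail": ("voicemail", "voice message", "sprachnachricht",
                  "poczta głosowa", "wiadomość głosowa"),
}

# Constructed placeholder lists. Real values would come from a threat-intel
# feed (lure hosts) and from the organisation's approved sender domains.
KNOWN_LURE_HOSTS = {"known-lure.test"}
TRUSTED_HOSTS = {"parcel-carrier.test", "example-bank.test"}

# http(s) URLs and bare "domain.tld/path" links as they appear in SMS text.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE)


@dataclass
class Verdict:
    level: str                         # "block", "suspicious", "low", "clean"
    hosts: List[str] = field(default_factory=list)
    themes: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)


def extract_links(text: str) -> List[Tuple[str, str]]:
    """Return (host, path) pairs for every link found in the message."""
    links = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)\"'")   # drop trailing punctuation
        if "://" not in url:
            url = "http://" + url      # urlparse only fills netloc with a scheme
        parsed = urlparse(url)
        if parsed.hostname:
            links.append((parsed.hostname.lower(), parsed.path))
    return links


def match_themes(text: str) -> List[str]:
    lowered = text.lower()
    return [name for name, words in LURE_THEMES.items()
            if any(word in lowered for word in words)]


def _host_in(host: str, domains) -> bool:
    """Exact or subdomain match against a set of domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(message: str) -> Verdict:
    links = extract_links(message)
    themes = match_themes(message)
    if not links:
        return Verdict("clean", themes=themes, reasons=["no link in message"])
    hosts = [host for host, _ in links]
    if any(_host_in(h, KNOWN_LURE_HOSTS) for h in hosts):
        return Verdict("block", hosts, themes, ["link host is a known lure host"])
    untrusted = [h for h in hosts if not _host_in(h, TRUSTED_HOSTS)]
    if not untrusted:
        return Verdict("clean", hosts, themes, ["all link hosts are trusted senders"])
    reasons = ["link to untrusted host(s): " + ", ".join(untrusted)]
    if themes:
        reasons.append("lure theme(s): " + ", ".join(themes))
    if any(path.lower().endswith(".apk") for _, path in links):
        reasons.append("link points directly at an Android package (.apk)")
    # An untrusted link alone is low signal; combined with a lure theme or a
    # direct APK download it becomes suspicious.
    level = "suspicious" if len(reasons) > 1 else "low"
    return Verdict(level, hosts, themes, reasons)


# Constructed sample messages; hosts are reserved/placeholder names.
SAMPLES = {
    "parcel_apk": "Your parcel could not be delivered. Track it here: "
                  "http://track-parcel-example.top/app.apk",
    "known_lure": "Sie haben eine neue Sprachnachricht: http://known-lure.test/v/1",
    "trusted_carrier": "Your parcel is out for delivery: https://parcel-carrier.test/t/123",
    "no_link": "Are we still on for dinner tonight?",
    "bare_domain": "Nowa poczta głosowa: voice-msg-example.xyz/listen",
    "plain_link": "Invoice attached, see https://files.unrelated-example.net/doc.pdf",
}


def run_samples() -> Dict[str, str]:
    """Triage every constructed sample and return its verdict level."""
    return {name: triage(text).level for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        verdict = triage(text)
        print(f"{name:16s} {verdict.level:10s} {'; '.join(verdict.reasons)}")
```

The allowlist only recognises an organisation's own official sender domains; because FluBot's lure pages sit on compromised third-party servers, an unknown host is treated as untrusted rather than looked up for reputation, and the rule should be paired with blocking of installs from message links on managed devices rather than relied on alone.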