May 28, 2022
With New Overlay Attacks, FluBot Is On The Move Once Again

The FluBot malware has started expanding its operations. Its recent targets are the finance applications that belong to German and Polish banks. This incident was reported a day after a report was submitted by an Australian bank that was also a target.

Incident Summary

New overlays are being distributed by the campaign that has already targeted several German and Polish banks.

Fake UIs impersonate the targeted application’s login form and are displayed to users when they open the app. All credentials entered on the overlay screen are sent to the C2 server.

Multiple Polish finance apps were targeted on 12th August. The targets included BNP Paribas GOMobile, mBank PL, IKO, Getin Mobile, plusbank24, Moje ING mobile, Bank Millennium, and Santander mobile.

Multiple German apps became targets between 10th and 13th August. SpardaApp, Sparkasse Ihre mobile Filiale, Consorsbank, VR Banking Classic, and N26-The Mobile Bank were among the targets.

FluBot propagates using messages containing links to web pages. These pages are hosted on infected web servers. These messages impersonate parcel tracking services or voicemail notifications. In June, FluBot was detected imitating logistic and postal service apps in an attempt to lure the targets.

Malware Analysis

During the analysis of the lure sites, analysts discovered that the threat actors use C2 servers to manage them.

  • The website’s HTML content, along with the FluBot application as an .apk file, is served by the C2 infrastructure. The C2 can instead redirect to a legitimate site or return an empty response, which makes detection difficult.
  • After installation, FluBot prompts the user to grant accessibility-related permissions. Once granted, it uses them to take control of the device and to grant itself further permissions so that it cannot easily be removed.
  • To generate its list of C2 domains, FluBot uses a domain generation algorithm (DGA), which lets the set of active C2 domains change over time.
  • According to the findings, each C2 domain led to ten separate infected servers, further fortifying FluBot’s C2 infrastructure.
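The article states only that FluBot rotates its C2 domains through a domain generation algorithm; it does not describe that algorithm. The following is an added example, not code from the article or from the FluBot analysis, showing the generic defender-side heuristic used to triage DNS query logs for DGA-like lookups: second-level labels that are long, high in character entropy and short on vowels. The log format and every sample line are constructed for the example.

```python
"""Heuristic triage of DNS query logs for DGA-like domains.

Added example (not from the original article and not FluBot's own DGA).
Scores the second-level label of each queried domain by length, Shannon
entropy and vowel ratio, a generic heuristic for spotting algorithmically
generated C2 domains in resolver logs. Log format and sample lines are
constructed.
"""
import math
import re
from collections import Counter

# Constructed log format: "<iso-timestamp> <client-ip> <queried-domain>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample resolver log: four ordinary lookups and two that look
# machine-generated, all from one client (10.0.0.5).
SAMPLE_LOG = """\
2022-05-28T09:12:01Z 10.0.0.5 www.example.com
2022-05-28T09:12:03Z 10.0.0.5 qzxkvjrtwlpbnmdf.com
2022-05-28T09:12:05Z 10.0.0.7 mail.example.org
2022-05-28T09:12:07Z 10.0.0.5 hjsdkfhlqwpzxcvbnmtr.ru
2022-05-28T09:12:09Z 10.0.0.9 cdn.example.net
2022-05-28T09:12:11Z 10.0.0.5 accounts.example.com
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    """Return the label left of the TLD, e.g. 'example' for www.example.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain: str) -> int:
    """Count how many DGA indicators the domain's second-level label trips.

    Thresholds are illustrative assumptions for this example:
    length >= 12, entropy >= 3.5 bits/char, vowel ratio < 0.2.
    """
    label = second_level_label(domain)
    if not label:
        return 0
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    if sum(ch in VOWELS for ch in label) / len(label) < 0.2:
        score += 1
    return score


def triage(log_text: str, threshold: int = 2) -> list[tuple[str, str, int]]:
    """Parse log lines and return (client, domain, score) for suspect lookups."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, domain = m.groups()
        score = dga_score(domain)
        if score >= threshold:
            hits.append((client, domain, score))
    return hits


def suspect_clients(log_text: str) -> set[str]:
    """Clients that issued at least one DGA-like lookup; candidates for review."""
    return {client for client, _domain, _score in triage(log_text)}


if __name__ == "__main__":
    for client, domain, score in triage(SAMPLE_LOG):
        print(f"{client} -> {domain} (score {score})")
    print("clients to review:", sorted(suspect_clients(SAMPLE_LOG)))
```

Character heuristics like these catch random-looking labels but miss DGAs built from dictionary words, so in practice they are one signal to combine with others such as a burst of NXDOMAIN answers from one client or lookups for newly registered domains.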


Final Notes

FluBot is currently quite active and is targeting Europe, and it may also be targeting several other regions. To stay safe, smartphone users should avoid the lure sites linked with FluBot, and should not install applications from third-party sources or from links received in messages.
