Saturday, July 20, 2024

With New Overlay Attacks, FluBot Is On The Move Once Again

The FluBot Android malware is expanding its operations again. Its newest overlay targets are the mobile banking applications of German and Polish banks. The report came a day after an Australian bank disclosed that it had also been targeted.

Incident Summary

New overlay screens are being pushed to infected devices, targeting several German and Polish banks.

The fake UIs impersonate the targeted application's login form and are drawn over the real app when the user opens it. Any credentials entered into the overlay are sent to the command-and-control (C2) server.

On 12 August, multiple Polish banking apps were targeted, including BNP Paribas GOMobile, mBank PL, IKO, Getin Mobile, plusbank24, Moje ING mobile, Bank Millennium, and Santander mobile.

Between 10 and 13 August, multiple German apps were targeted, among them SpardaApp, Sparkasse Ihre mobile Filiale, Consorsbank, VR Banking Classic, and N26 - The Mobile Bank.

FluBot propagates through SMS messages containing links to lure pages hosted on compromised web servers. The messages impersonate parcel-tracking services or voicemail notifications. In June, FluBot was seen imitating logistics and postal-service apps to lure its targets.

Malware Analysis

Analysis of the lure sites showed that the threat actors manage them from the same C2 infrastructure that controls the bots:

  • The lure page's HTML, and the FluBot APK itself, are served by the C2 infrastructure. Depending on the request, the server can instead redirect to a legitimate site or return an empty response, which hinders analysis and detection.
  • After installation, FluBot prompts the user to grant it Accessibility Service permission. Once granted, it uses that access to take control of the device, grant itself further permissions, and prevent its own removal.
  • FluBot uses a domain generation algorithm (DGA) to compute its list of C2 domains, so the set of active C2 domains changes over time.
  • Each C2 domain was found to resolve to ten separate compromised servers, which further hardens the C2 infrastructure against takedown.
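To make the two C2 points above concrete, here is an added example (written for this page; it is not FluBot's real DGA and not code from the original analysis). It shows a toy time-seeded DGA and the defender-side check that follows from it: once the algorithm is recovered from a sample, the candidate domains for a period can be pre-computed and matched against DNS logs. The seed, the TLD pool, the 15-character label length, the 50-domains-per-month count, the function names `generate_domains` and `flag_dga_lookups`, and the sample DNS log are all assumptions made for illustration.

```python
import hashlib

# Toy time-seeded DGA, added as an illustration. It is NOT FluBot's actual
# algorithm: the seed, the TLD list, the 15-character label length and the
# 50-domains-per-month count are all assumptions made for this example.
SEED = "example-seed"          # hypothetical secret shared by bot and operator
TLDS = (".ru", ".su", ".cn")   # assumed TLD pool
LABEL_LEN = 15
DOMAINS_PER_PERIOD = 50


def generate_domains(year, month, count=DOMAINS_PER_PERIOD, seed=SEED):
    """Return the candidate C2 domains for one (year, month) period.

    Bot and operator both run this function. The operator registers a few of
    the names; the bot resolves them in order until one answers. Because the
    month is part of the hash input, next month's list is entirely different,
    which is why a static blocklist of today's C2 domains goes stale.
    """
    domains = []
    for index in range(count):
        material = f"{seed}|{year}|{month:02d}|{index}".encode()
        digest = hashlib.sha256(material).digest()
        # Map the first LABEL_LEN bytes onto a-z; byte LABEL_LEN picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        domains.append(label + tld)
    return domains


def flag_dga_lookups(dns_log, periods, count=DOMAINS_PER_PERIOD, seed=SEED):
    """Flag DNS log lines whose query name is in the DGA set for any period.

    `periods` is a list of (year, month) tuples; a defender who has recovered
    the algorithm from a sample usually watches the previous, current and
    next period so that clock skew on the bot does not cause misses.
    Each log line is assumed to end with the queried name (trailing dot ok).
    """
    watch = set()
    for year, month in periods:
        watch.update(generate_domains(year, month, count, seed))
    hits = []
    for line in dns_log:
        qname = line.split()[-1].rstrip(".").lower()
        if qname in watch:
            hits.append((line, qname))
    return hits


# Constructed sample DNS log (not real traffic): two lookups of this month's
# DGA names, one of last month's, and one benign query.
AUG_2021 = generate_domains(2021, 8)
JUL_2021 = generate_domains(2021, 7)
SAMPLE_DNS_LOG = [
    "2021-08-12T09:14:03Z 10.0.0.23 A www.example.com.",
    f"2021-08-12T09:14:05Z 10.0.0.23 A {AUG_2021[7]}.",
    f"2021-08-12T09:14:06Z 10.0.0.23 A {AUG_2021[8]}.",
    f"2021-08-12T09:15:10Z 10.0.0.23 A {JUL_2021[0]}.",
]

if __name__ == "__main__":
    for line, qname in flag_dga_lookups(SAMPLE_DNS_LOG, [(2021, 7), (2021, 8)]):
        print("DGA hit:", qname, "<-", line)
```

The practical point is the second function: a blocklist of the domains seen today covers only this period's names, while a recovered algorithm lets you generate next period's list in advance, sinkhole or pre-register it, and alert on any device that queries several of these names in quick succession (the bot walks the list until one answers, so a burst of consecutive lookups is itself a strong signal).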


Final Notes

FluBot is currently very active and is focused on Europe, though it may also be targeting other regions. Organisations should block access to the lure sites associated with FluBot, and smartphone users should not install applications from third-party sources or from links received in messages.


