Schedule a demo

FluBot Malware Threat Intel Advisory

  • 8:54 pm
  • Categories: Advisory, Malware, Security

Summary

CloudSEK threat intelligence advisory on FluBot Android malware, that impersonates mobile banking applications to draw fake webview on targeted applications.
 
Advisory
 Malware Advisory
Type
 Credential Stealer, Android Malware
Name
 FluBot malware
Affected Industries
 Banking
  A newly discovered Android malware, dubbed FluBot, impersonates Android mobile banking applications to draw fake webview on targeted applications. The malware primarily focuses on stealing credit card details or online banking credentials, apart from personal data.  

Execution

FluBot is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control center. It infects Android devices by posing as FedEx, DHL, Correos, and Chrome applications and forces the unsuspecting user to change the Accessibility settings on the device so as to maintain persistence on the device. It leverages fake login screens of prominent banks. Once the user enters their login details on these phony pages, the data is immediately sent to the malware operator’s control center. Which the malware operators easily exploit. It intercepts all banking-related OTPs by replacing the default SMS app on the targeted device. Thus, it receives access keys sent via SMS. Furthermore, it sends similar SMSes to other contacts, on the target device, to lure them into downloading the fake app. In a span of 2 months, the FluBot malware strain infected over 60,000 devices. Around 97% of its victims are located in Spain. Moreover, it has access to mobile phone numbers of around 11 million Spanish citizens.  

Impact

Business Impact
  1. Financial loss to the organization/ individual if its operations are interrupted
  2. Loss of brand reputation
  3. Compromised PII leads to social engineering attacks
Technical Impact
The malware creates a backdoor which grants access to the user’s device. This enables the attacker to perform malicious operations and even launch other malware variants.  

Indicators of Compromise

   SHA1
  1. 1dd0edc5744d63a731db8c3b42efbd09d91fed78
  2. 325f24e8f5d56db43d6914d9234c08c888cdae50
  3. 479f470e83f9a5b66363fba5547fdfcf727949da
  4. 659cbdf9288137937bb71146b6f722ffcda1c5fe
  5. 6616de799b5105ee2eb83bbe25c7f4433420dff7
  6. a4050a8171b0fa3ae9031e0f8b7272facf04a3aa
  7. affa12cc94578d63a8b178ae19f6601d5c8bb224
  8. c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba
  9. e094dd02cc954b6104791925e0d1880782b046cf
  10. fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
    SHA256
  1. 30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67
  2. 1eb54ee1328ad5563e0e85a8ecff13cd2e642f5c6fc42e0e1038aeac0ee8cf2f
  3. 2277d20669267bbe9ff8a656258af0a33563c18c45cef3624eab67cf123c29a7
  4. 3bb0dbdb9ec7822dc53af230de0bdb908a558993619ac788c90eeeb5af6a1e14
 
Active C&C server domains
  1. xjnwqdospderqtk[.]ru
  2. nfiuerwtftasnuk[.]com
 
APK distribution domains
http//2020[.]techbharat[.]org[.]in/status/  http//amirapache[.]ir/pkg/
http//anapa-dive[.]ru/pkge/ http//audioquran[.]kz/www/
http//Boutique[.]creolegarden[.]com/fedex/ http//buguilou[.]com/p/
http//canhair[.]net/parcel/ http//cloudstrading[.]com/fedex/ 
http//developer[.]team1global[.]com[.]au/pack/ http//ekremakin[.]org/pack/
http//elektroprommash[.]ru/pack/ http//freeavporn[.]com/fedex/
http//grahaksamachar[.]in/p/ http//idea-soft[.]it/p/
http//imw6[.]com/pack/  http//imwedsonpassos[.]com[.]br/parcel/
http//isabelsantos123[.]pt/p/  http//itaperunatem[.]com[.]br/pkge/
http//lamoraleja[.]com[.]co/status/  http//landing[.]kofacins[.]com/pack/
http//ln-lighting[.]com/pkg/ http//mimi-mi[.]studio/pkg/
http//muaadzawy[.]com/pkg/ http//ouyangpengcheng[.]xyz/p/
http//palinkapatika[.]com/pack/  http//pescadorsportsgroup[.]com/pkg/
http//portalcalamuchita[.]com[.]ar/pack/ http//printing-packingshow[.]ir/fedex/
http//raku-plus[.]com/pack/ http//rpgbundle[.]info/status/
http//sailorcrossfitmdp[.]com/fedex/ http//skipshopping[.]net/fedex/
http//srinterior[.]co[.]in/pkg/ http//studiobonazzi[.]eu/fedex/
http//telec[.]com[.]pk/pkg/ http//teologianaweb[.]com[.]br/pkg/
http//valks3d[.]com[.]br/fedex/ http//thejoblessemperor[.]in/pkg/
http//www[.]export-barazande[.]com/fedex/ http//www[.]internetpathshala[.]co/p/
http//www[.]larrecantofeliz[.]com[.]br/fedex/ http//www[.]old[.]danacadesign[.]com/fedex/
http//www[.]payamesavadkooh[.]ir/pack/ http//www[.]pudhuveedu[.]in/p/
http//www[.]raeloficial[.]com/pkg/ http//www[.]recycom[.]gr/pack/
http//www[.]zyzlk[.]com/p http//www[.]old[.]da/
http//www[.]zyzlk[.]com/pack/ http//wxz14[.]com/p/
http//xref[.]icu9090/pkg/ http//yangbin[.]100cuo[.]com/pack/
http//yulu1953[.]cn/fedex/ https//42sf[.]net/pack/
https//84blog[.]xyz/pkg/ https//aitao[.]site/pkg/
https//alercehistorico[.]cl/pkg/ https//amzstudy[.]com/pack/
https//apartners[.]vn/pack/ https//brighterdaysfi[.]com/fedex/
https//byalex-photography[.]co[.]uk/pack/ https//cbd-and-epilepsy[.]com/pack/
https//cbd-and-seizures[.]com/p/ https//contornosdesign[.]pt/pkg/
https//cssincronbucuresti[.]ro/pkg/ https//delhi[.]tie[.]org/p/
https//dgeneration[.]in/pack/ https//dumeiwu[.]com/p/
https//elitekidsbookzone[.]sch[.]ng/pack/ https//escuelaargentina[.]cl/p/
https//fraternitykerala[.]org/pkg/ https//garveylibertyhall[.]com/pack/
https//getblogour[.]com/fedex/ https//gladiadoresdevendas[.]com[.]br/pack/
https//hentaivillage[.]com/parcel/ https//illuminaticult[.]org/fedex/
https//imrt[.]ac[.]in/pack/ https//imrt[.]ac[.]in/pkg/
https//industrial-land[.]vn/pack/ https//jexchange[.]ga/pack/
https//kidimy[.]org/pkg/ https//lacasa-dh[.]nl/pack/
https//londonroofingpros[.]co[.]uk/fedex/ https//machupicchutraveling[.]com/pkg/
https//mucc[.]com[.]au/p/ https//mvpmsadhyapak[.]in/p/
https//nakoblog[.]info/fedex/ https//nen[.]vacad[.]net/pkg/
https//pic[.]tnell[.]com/pkg/ https//rishipes[.]co[.]nz/pack/
https//ryansa[.]com/pkg/ https//sdlformazione[.]it/p/
https//sprintintercom[.]com[.]au/fedex/ https//telugufusion[.]com/pkg/
https//tuyennvtb[.]com/p/ https//twospoonsfleet[.]co[.]uk/p/
https//visotka[.]in/pack/ https//weboyal[.]com/p/
https//www[.]admh[.]in/fedex/ https//www[.]agroescape[.]com/pkg/
https//www[.]divam[.]ir/pack/ https//www[.]nbkangxi[.]com/pack/
https//www[.]omvshop[.]com/pkge/ https//www[.]spave[.]com[.]pk/p/
https//www[.]wwworks[.]com[.]au/p/ https//www[.]ylem222[.]com/p/
https//xatziemmanouiltools[.]gr/pkg/ https//xn–thvitstore-c7a[.]com/pkg/
 

Mitigation

  1. Use updated antivirus software that detects and prevents malware infections
  2. Apply critical patches to the system and application
  3. Use strong passwords and enable 2FA over logins
  4. Check the privileges and permission allotted to the user
  5. Make it easy for users to report suspicious behavior
  6. Back-up data regularly  
  7. Open source platform recommendation to remove the malware:
https://www.xda-developers.com/psa-uninstall-flubot-sms-malware-with-malninstall/

Table of Contents

Try XVigil for free

Request an easy and customized demo for free

Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Subscribe now
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.
Discuss Now