FluBot Malware Threat Intel Advisory
Published 24 March 2021
- FluBot primarily focuses on stealing credit card details or online banking credentials, apart from personal data
- It is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMSes.
Share this Threat Intel:
Advisory |
Malware Advisory |
Type |
Credential Stealer, Android Malware |
Name |
FluBot malware |
Affected Industries |
Banking |
A newly discovered Android malware, dubbed FluBot, impersonates Android mobile banking applications to draw fake webview on targeted applications. The malware primarily focuses on stealing credit card details or online banking credentials, apart from personal data.
Execution
FluBot is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control center. It infects Android devices by posing as FedEx, DHL, Correos, and Chrome applications and forces the unsuspecting user to change the Accessibility settings on the device so as to maintain persistence on the device.
It leverages fake login screens of prominent banks. Once the user enters their login details on these phony pages, the data is immediately sent to the malware operator’s control center. Which the malware operators easily exploit. It intercepts all banking-related OTPs by replacing the default SMS app on the targeted device. Thus, it receives access keys sent via SMS. Furthermore, it sends similar SMSes to other contacts, on the target device, to lure them into downloading the fake app.
In a span of 2 months, the FluBot malware strain infected over 60,000 devices. Around 97% of its victims are located in Spain. Moreover, it has access to mobile phone numbers of around 11 million Spanish citizens.
Impact
Business Impact
- Financial loss to the organization/ individual if its operations are interrupted
- Loss of brand reputation
- Compromised PII leads to social engineering attacks
Technical Impact
The malware creates a backdoor which grants access to the user’s device. This enables the attacker to perform malicious operations and even launch other malware variants.
Indicators of Compromise
SHA1
- 1dd0edc5744d63a731db8c3b42efbd09d91fed78
- 325f24e8f5d56db43d6914d9234c08c888cdae50
- 479f470e83f9a5b66363fba5547fdfcf727949da
- 659cbdf9288137937bb71146b6f722ffcda1c5fe
- 6616de799b5105ee2eb83bbe25c7f4433420dff7
- a4050a8171b0fa3ae9031e0f8b7272facf04a3aa
- affa12cc94578d63a8b178ae19f6601d5c8bb224
- c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba
- e094dd02cc954b6104791925e0d1880782b046cf
- fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
SHA256
- 30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67
- 1eb54ee1328ad5563e0e85a8ecff13cd2e642f5c6fc42e0e1038aeac0ee8cf2f
- 2277d20669267bbe9ff8a656258af0a33563c18c45cef3624eab67cf123c29a7
- 3bb0dbdb9ec7822dc53af230de0bdb908a558993619ac788c90eeeb5af6a1e14
Active C&C server domains
- xjnwqdospderqtk[.]ru
- nfiuerwtftasnuk[.]com
APK distribution domains
| http[:]//2020[.]techbharat[.]org[.]in/status/ | http[:]//amirapache[.]ir/pkg/ |
| http[:]//anapa-dive[.]ru/pkge/ | http[:]//audioquran[.]kz/www/ |
| http[:]//Boutique[.]creolegarden[.]com/fedex/ | http[:]//buguilou[.]com/p/ |
| http[:]//canhair[.]net/parcel/ | http[:]//cloudstrading[.]com/fedex/ |
| http[:]//developer[.]team1global[.]com[.]au/pack/ | http[:]//ekremakin[.]org/pack/ |
| http[:]//elektroprommash[.]ru/pack/ | http[:]//freeavporn[.]com/fedex/ |
| http[:]//grahaksamachar[.]in/p/ | http[:]//idea-soft[.]it/p/ |
| http[:]//imw6[.]com/pack/ | http[:]//imwedsonpassos[.]com[.]br/parcel/ |
| http[:]//isabelsantos123[.]pt/p/ | http[:]//itaperunatem[.]com[.]br/pkge/ |
| http[:]//lamoraleja[.]com[.]co/status/ | http[:]//landing[.]kofacins[.]com/pack/ |
| http[:]//ln-lighting[.]com/pkg/ | http[:]//mimi-mi[.]studio/pkg/ |
| http[:]//muaadzawy[.]com/pkg/ | http[:]//ouyangpengcheng[.]xyz/p/ |
| http[:]//palinkapatika[.]com/pack/ | http[:]//pescadorsportsgroup[.]com/pkg/ |
| http[:]//portalcalamuchita[.]com[.]ar/pack/ | http[:]//printing-packingshow[.]ir/fedex/ |
| http[:]//raku-plus[.]com/pack/ | http[:]//rpgbundle[.]info/status/ |
| http[:]//sailorcrossfitmdp[.]com/fedex/ | http[:]//skipshopping[.]net/fedex/ |
| http[:]//srinterior[.]co[.]in/pkg/ | http[:]//studiobonazzi[.]eu/fedex/ |
| http[:]//telec[.]com[.]pk/pkg/ | http[:]//teologianaweb[.]com[.]br/pkg/ |
| http[:]//valks3d[.]com[.]br/fedex/ | http[:]//thejoblessemperor[.]in/pkg/ |
| http[:]//www[.]export-barazande[.]com/fedex/ | http[:]//www[.]internetpathshala[.]co/p/ |
| http[:]//www[.]larrecantofeliz[.]com[.]br/fedex/ | http[:]//www[.]old[.]danacadesign[.]com/fedex/ |
| http[:]//www[.]payamesavadkooh[.]ir/pack/ | http[:]//www[.]pudhuveedu[.]in/p/ |
| http[:]//www[.]raeloficial[.]com/pkg/ | http[:]//www[.]recycom[.]gr/pack/ |
| http[:]//www[.]zyzlk[.]com/p | http[:]//www[.]old[.]da/ |
| http[:]//www[.]zyzlk[.]com/pack/ | http[:]//wxz14[.]com/p/ |
| http[:]//xref[.]icu[:]9090/pkg/ | http[:]//yangbin[.]100cuo[.]com/pack/ |
| http[:]//yulu1953[.]cn/fedex/ | https[:]//42sf[.]net/pack/ |
| https[:]//84blog[.]xyz/pkg/ | https[:]//aitao[.]site/pkg/ |
| https[:]//alercehistorico[.]cl/pkg/ | https[:]//amzstudy[.]com/pack/ |
| https[:]//apartners[.]vn/pack/ | https[:]//brighterdaysfi[.]com/fedex/ |
| https[:]//byalex-photography[.]co[.]uk/pack/ | https[:]//cbd-and-epilepsy[.]com/pack/ |
| https[:]//cbd-and-seizures[.]com/p/ | https[:]//contornosdesign[.]pt/pkg/ |
| https[:]//cssincronbucuresti[.]ro/pkg/ | https[:]//delhi[.]tie[.]org/p/ |
| https[:]//dgeneration[.]in/pack/ | https[:]//dumeiwu[.]com/p/ |
| https[:]//elitekidsbookzone[.]sch[.]ng/pack/ | https[:]//escuelaargentina[.]cl/p/ |
| https[:]//fraternitykerala[.]org/pkg/ | https[:]//garveylibertyhall[.]com/pack/ |
| https[:]//getblogour[.]com/fedex/ | https[:]//gladiadoresdevendas[.]com[.]br/pack/ |
| https[:]//hentaivillage[.]com/parcel/ | https[:]//illuminaticult[.]org/fedex/ |
| https[:]//imrt[.]ac[.]in/pack/ | https[:]//imrt[.]ac[.]in/pkg/ |
| https[:]//industrial-land[.]vn/pack/ | https[:]//jexchange[.]ga/pack/ |
| https[:]//kidimy[.]org/pkg/ | https[:]//lacasa-dh[.]nl/pack/ |
| https[:]//londonroofingpros[.]co[.]uk/fedex/ | https[:]//machupicchutraveling[.]com/pkg/ |
| https[:]//mucc[.]com[.]au/p/ | https[:]//mvpmsadhyapak[.]in/p/ |
| https[:]//nakoblog[.]info/fedex/ | https[:]//nen[.]vacad[.]net/pkg/ |
| https[:]//pic[.]tnell[.]com/pkg/ | https[:]//rishipes[.]co[.]nz/pack/ |
| https[:]//ryansa[.]com/pkg/ | https[:]//sdlformazione[.]it/p/ |
| https[:]//sprintintercom[.]com[.]au/fedex/ | https[:]//telugufusion[.]com/pkg/ |
| https[:]//tuyennvtb[.]com/p/ | https[:]//twospoonsfleet[.]co[.]uk/p/ |
| https[:]//visotka[.]in/pack/ | https[:]//weboyal[.]com/p/ |
| https[:]//www[.]admh[.]in/fedex/ | https[:]//www[.]agroescape[.]com/pkg/ |
| https[:]//www[.]divam[.]ir/pack/ | https[:]//www[.]nbkangxi[.]com/pack/ |
| https[:]//www[.]omvshop[.]com/pkge/ | https[:]//www[.]spave[.]com[.]pk/p/ |
| https[:]//www[.]wwworks[.]com[.]au/p/ | https[:]//www[.]ylem222[.]com/p/ |
| https[:]//xatziemmanouiltools[.]gr/pkg/ | https[:]//xn–thvitstore-c7a[.]com/pkg/ |
Mitigation
- Use updated antivirus software that detects and prevents malware infections
- Apply critical patches to the system and application
- Use strong passwords and enable 2FA over logins
- Check the privileges and permission allotted to the user
- Make it easy for users to report suspicious behavior
- Back-up data regularly
- Open source platform recommendation to remove the malware:
https://www.xda-developers.com/psa-uninstall-flubot-sms-malware-with-malninstall/
Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.