🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
Advisory |
Malware Advisory |
Type |
Credential Stealer, Android Malware |
Name |
FluBot malware |
Affected Industries |
Banking |
Execution
FluBot is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control center. It infects Android devices by posing as FedEx, DHL, Correos, and Chrome applications and forces the unsuspecting user to change the Accessibility settings on the device so as to maintain persistence on the device. It leverages fake login screens of prominent banks. Once the user enters their login details on these phony pages, the data is immediately sent to the malware operator’s control center. Which the malware operators easily exploit. It intercepts all banking-related OTPs by replacing the default SMS app on the targeted device. Thus, it receives access keys sent via SMS. Furthermore, it sends similar SMSes to other contacts, on the target device, to lure them into downloading the fake app. In a span of 2 months, the FluBot malware strain infected over 60,000 devices. Around 97% of its victims are located in Spain. Moreover, it has access to mobile phone numbers of around 11 million Spanish citizens.Impact
Business Impact
- Financial loss to the organization/ individual if its operations are interrupted
- Loss of brand reputation
- Compromised PII leads to social engineering attacks
Technical Impact
The malware creates a backdoor which grants access to the user’s device. This enables the attacker to perform malicious operations and even launch other malware variants.Indicators of Compromise
SHA1
- 1dd0edc5744d63a731db8c3b42efbd09d91fed78
- 325f24e8f5d56db43d6914d9234c08c888cdae50
- 479f470e83f9a5b66363fba5547fdfcf727949da
- 659cbdf9288137937bb71146b6f722ffcda1c5fe
- 6616de799b5105ee2eb83bbe25c7f4433420dff7
- a4050a8171b0fa3ae9031e0f8b7272facf04a3aa
- affa12cc94578d63a8b178ae19f6601d5c8bb224
- c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba
- e094dd02cc954b6104791925e0d1880782b046cf
- fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
SHA256
- 30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67
- 1eb54ee1328ad5563e0e85a8ecff13cd2e642f5c6fc42e0e1038aeac0ee8cf2f
- 2277d20669267bbe9ff8a656258af0a33563c18c45cef3624eab67cf123c29a7
- 3bb0dbdb9ec7822dc53af230de0bdb908a558993619ac788c90eeeb5af6a1e14
Active C&C server domains
- xjnwqdospderqtk[.]ru
- nfiuerwtftasnuk[.]com
APK distribution domains
| http[:]//2020[.]techbharat[.]org[.]in/status/ | http[:]//amirapache[.]ir/pkg/ |
| http[:]//anapa-dive[.]ru/pkge/ | http[:]//audioquran[.]kz/www/ |
| http[:]//Boutique[.]creolegarden[.]com/fedex/ | http[:]//buguilou[.]com/p/ |
| http[:]//canhair[.]net/parcel/ | http[:]//cloudstrading[.]com/fedex/ |
| http[:]//developer[.]team1global[.]com[.]au/pack/ | http[:]//ekremakin[.]org/pack/ |
| http[:]//elektroprommash[.]ru/pack/ | http[:]//freeavporn[.]com/fedex/ |
| http[:]//grahaksamachar[.]in/p/ | http[:]//idea-soft[.]it/p/ |
| http[:]//imw6[.]com/pack/ | http[:]//imwedsonpassos[.]com[.]br/parcel/ |
| http[:]//isabelsantos123[.]pt/p/ | http[:]//itaperunatem[.]com[.]br/pkge/ |
| http[:]//lamoraleja[.]com[.]co/status/ | http[:]//landing[.]kofacins[.]com/pack/ |
| http[:]//ln-lighting[.]com/pkg/ | http[:]//mimi-mi[.]studio/pkg/ |
| http[:]//muaadzawy[.]com/pkg/ | http[:]//ouyangpengcheng[.]xyz/p/ |
| http[:]//palinkapatika[.]com/pack/ | http[:]//pescadorsportsgroup[.]com/pkg/ |
| http[:]//portalcalamuchita[.]com[.]ar/pack/ | http[:]//printing-packingshow[.]ir/fedex/ |
| http[:]//raku-plus[.]com/pack/ | http[:]//rpgbundle[.]info/status/ |
| http[:]//sailorcrossfitmdp[.]com/fedex/ | http[:]//skipshopping[.]net/fedex/ |
| http[:]//srinterior[.]co[.]in/pkg/ | http[:]//studiobonazzi[.]eu/fedex/ |
| http[:]//telec[.]com[.]pk/pkg/ | http[:]//teologianaweb[.]com[.]br/pkg/ |
| http[:]//valks3d[.]com[.]br/fedex/ | http[:]//thejoblessemperor[.]in/pkg/ |
| http[:]//www[.]export-barazande[.]com/fedex/ | http[:]//www[.]internetpathshala[.]co/p/ |
| http[:]//www[.]larrecantofeliz[.]com[.]br/fedex/ | http[:]//www[.]old[.]danacadesign[.]com/fedex/ |
| http[:]//www[.]payamesavadkooh[.]ir/pack/ | http[:]//www[.]pudhuveedu[.]in/p/ |
| http[:]//www[.]raeloficial[.]com/pkg/ | http[:]//www[.]recycom[.]gr/pack/ |
| http[:]//www[.]zyzlk[.]com/p | http[:]//www[.]old[.]da/ |
| http[:]//www[.]zyzlk[.]com/pack/ | http[:]//wxz14[.]com/p/ |
| http[:]//xref[.]icu[:]9090/pkg/ | http[:]//yangbin[.]100cuo[.]com/pack/ |
| http[:]//yulu1953[.]cn/fedex/ | https[:]//42sf[.]net/pack/ |
| https[:]//84blog[.]xyz/pkg/ | https[:]//aitao[.]site/pkg/ |
| https[:]//alercehistorico[.]cl/pkg/ | https[:]//amzstudy[.]com/pack/ |
| https[:]//apartners[.]vn/pack/ | https[:]//brighterdaysfi[.]com/fedex/ |
| https[:]//byalex-photography[.]co[.]uk/pack/ | https[:]//cbd-and-epilepsy[.]com/pack/ |
| https[:]//cbd-and-seizures[.]com/p/ | https[:]//contornosdesign[.]pt/pkg/ |
| https[:]//cssincronbucuresti[.]ro/pkg/ | https[:]//delhi[.]tie[.]org/p/ |
| https[:]//dgeneration[.]in/pack/ | https[:]//dumeiwu[.]com/p/ |
| https[:]//elitekidsbookzone[.]sch[.]ng/pack/ | https[:]//escuelaargentina[.]cl/p/ |
| https[:]//fraternitykerala[.]org/pkg/ | https[:]//garveylibertyhall[.]com/pack/ |
| https[:]//getblogour[.]com/fedex/ | https[:]//gladiadoresdevendas[.]com[.]br/pack/ |
| https[:]//hentaivillage[.]com/parcel/ | https[:]//illuminaticult[.]org/fedex/ |
| https[:]//imrt[.]ac[.]in/pack/ | https[:]//imrt[.]ac[.]in/pkg/ |
| https[:]//industrial-land[.]vn/pack/ | https[:]//jexchange[.]ga/pack/ |
| https[:]//kidimy[.]org/pkg/ | https[:]//lacasa-dh[.]nl/pack/ |
| https[:]//londonroofingpros[.]co[.]uk/fedex/ | https[:]//machupicchutraveling[.]com/pkg/ |
| https[:]//mucc[.]com[.]au/p/ | https[:]//mvpmsadhyapak[.]in/p/ |
| https[:]//nakoblog[.]info/fedex/ | https[:]//nen[.]vacad[.]net/pkg/ |
| https[:]//pic[.]tnell[.]com/pkg/ | https[:]//rishipes[.]co[.]nz/pack/ |
| https[:]//ryansa[.]com/pkg/ | https[:]//sdlformazione[.]it/p/ |
| https[:]//sprintintercom[.]com[.]au/fedex/ | https[:]//telugufusion[.]com/pkg/ |
| https[:]//tuyennvtb[.]com/p/ | https[:]//twospoonsfleet[.]co[.]uk/p/ |
| https[:]//visotka[.]in/pack/ | https[:]//weboyal[.]com/p/ |
| https[:]//www[.]admh[.]in/fedex/ | https[:]//www[.]agroescape[.]com/pkg/ |
| https[:]//www[.]divam[.]ir/pack/ | https[:]//www[.]nbkangxi[.]com/pack/ |
| https[:]//www[.]omvshop[.]com/pkge/ | https[:]//www[.]spave[.]com[.]pk/p/ |
| https[:]//www[.]wwworks[.]com[.]au/p/ | https[:]//www[.]ylem222[.]com/p/ |
| https[:]//xatziemmanouiltools[.]gr/pkg/ | https[:]//xn–thvitstore-c7a[.]com/pkg/ |
Mitigation
- Use updated antivirus software that detects and prevents malware infections
- Apply critical patches to the system and application
- Use strong passwords and enable 2FA over logins
- Check the privileges and permission allotted to the user
- Make it easy for users to report suspicious behavior
- Back-up data regularly
- Open source platform recommendation to remove the malware:
