FluBot is expanding its operations and recently, it started targeting finance applications belonging to Polish and German banks. This was observed just a day after it was found targeting Australian banks.

What happened?

Attackers are propagating new overlays that have already targeted multiple Polish and German banks. 
  • In recent attacks, fake user interfaces impersonate the app's login form and are displayed to the users when they use the app. Any entered credentials in an overlay screen are sent to a C2 server. 
  • Between 10 and 13 August, several German apps were targeted, including SpardaApp, Consorsbank, Sparkasse Ihre mobile Filiale, N26-The Mobile Bank, and VR Banking Classic. 
  • On 12 August, several Polish banking apps were targeted, including mBank PL, BNP Paribas GOMobile, Getin Mobile, IKO, Moje ING mobile, plusbank24, Santander mobile, and Bank Millennium.
  • FluBot spreads via text messages with links to lure pages that are hosted on an infected web server. These messages are impersonated as voicemail notifications or parcel tracking services. 

Earlier, in the month of June, this malware was seen imitating postal and logistic service apps to lure its victims.

Malware analysis 

During the analysis of the lure sites, researchers revealed that attackers are using C2 servers to manage them. 
  • The C2 infrastructure serves the HTML content of the lure site, as well as the FluBot application in the .apk format. It can respond with an empty response or redirect to a valid site, making detection challenging.
  • Once installed, FluBot asks a user to allow accessibility-related permissions. Once permitted, it controls the device and allows other permissions to prevent itself from being uninstalled.
  • FluBot employs the Domain Generation Algorithm algorithm to produce a list of C2 domains. It allows the active C2 domains to switch over time.
  • Each C2 domain was discovered to lead to ten different compromised servers. This tactic further protects or provides an extra level of security to FluBot’s C2 infrastructure.

Conclusion

FluBot is still active and targeting Europe, although it might have also affected other locations. For protection, smartphone users should restrict access to known FluBot lure sites. Moreover, banking users should avoid downloading apps from message links or third-party sources.

Cyware Publisher

Publisher

Cyware