
New FluBot Malware Variant Imitates Flash Player to Trick Users

A new malicious campaign has been discovered spreading an improved version of the FluBot Android malware. Since October 2021, FluBot operators have been using fake security updates to trick victims into installing the malware: the lure is a fake security warning telling the victim that a security update must be installed.

How does the campaign work? 

Experts observed a smishing campaign targeting Polish users with a message urging them to click a link to view a video. 
  • The victim receives an SMS message containing a link to a malicious URL. When the victim opens the link, they are prompted to install a fake Flash Player APK that carries FluBot.
  • Once the app is installed, FluBot reads the device's contact list and uploads it to the command-and-control (C2) server.
  • The C2 server returns a new list of targets, and FluBot sends the same smishing SMS to those contacts, which is how the campaign propagates from one infected device to the next.

About the new updates

  • FluBot version 5.2 includes several notable changes, among them a new UPDATE_ALT_SEED command that lets the operators change the domain generation algorithm (DGA) seed remotely. The malware stores the updated seed in its shared preferences under the key ‘g’.
  • Because a new seed yields a new set of C2 domains, this lets the operators sidestep DNS blocklists that would otherwise cut the bots off from the C2 infrastructure.
  • In addition, the DGA in the new version draws from 30 top-level domains instead of the three used in earlier versions, enlarging the set of candidate domains that defenders would have to block or sinkhole.
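The seed-swap mechanism described above, as an added example that is not part of the original article and is not FluBot's own code: a small Python script that pulls the ‘g’ value out of a constructed Android shared_prefs XML dump, then runs a hypothetical, deterministic DGA (a stand-in, not FluBot's real algorithm, which the article does not describe) to show why a blocklist built from a recovered seed covers all of the bot's domains until an UPDATE_ALT_SEED-style reseed drops coverage to zero, and how widening the TLD pool from 3 to 30 multiplies the candidate set tenfold. The seed values, the preference file contents and the TLD list are assumptions made for the example.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import date
from typing import List, Optional, Set

# --- Seed recovery from Android shared preferences ---------------------------
# FluBot 5.2 is reported to keep the remotely updated DGA seed in shared
# preferences under the key 'g'. This XML is a constructed sample in the usual
# Android shared_prefs layout; the other key and the seed value are made up.
SAMPLE_SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="a">0</string>
    <int name="g" value="1865" />
</map>
"""


def extract_seed(prefs_xml: str, key: str = "g") -> Optional[int]:
    """Return the integer stored under `key` in a shared_prefs dump, or None.

    Android writes ints as <int name=".." value=".."/> and strings as
    <string name="..">..</string>; a malware author could use either form,
    so both are accepted.
    """
    root = ET.fromstring(prefs_xml.encode("utf-8"))
    for node in root:
        if node.get("name") != key:
            continue
        raw = node.get("value") if node.tag == "int" else (node.text or "")
        return int(raw.strip())
    return None


# --- Hypothetical DGA (illustrative only, not FluBot's algorithm) -------------
TLDS_V4 = ["ru", "su", "cn"]  # three TLDs, standing in for the earlier versions
TLDS_V5 = [  # thirty TLDs, an arbitrary choice standing in for version 5.2
    "ru", "su", "cn", "com", "net", "org", "info", "biz", "xyz", "top",
    "site", "online", "club", "pw", "cc", "tv", "me", "io", "co", "in",
    "de", "fr", "it", "nl", "pl", "es", "ch", "at", "se", "no",
]


def hypothetical_dga(seed: int, when: date, tlds: List[str], labels: int = 5) -> List[str]:
    """Derive `labels` 15-character labels from (seed, year, month) and pair
    each one with every TLD in `tlds`. Deterministic, so a defender who knows
    the seed can precompute the same list the bot will try."""
    out = []
    for i in range(labels):
        material = f"{seed}|{when.year}|{when.month}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:15])
        out.extend(f"{label}.{tld}" for tld in tlds)
    return out


def coverage(blocklist: Set[str], live_domains: List[str]) -> float:
    """Fraction of the domains the bot will actually try that the blocklist catches."""
    return sum(d in blocklist for d in live_domains) / len(live_domains)


def demo() -> dict:
    when = date(2021, 11, 1)
    old_seed = extract_seed(SAMPLE_SHARED_PREFS)  # 1865 in the constructed sample
    # Defender builds a blocklist from the seed recovered from an analysed sample.
    blocklist = set(hypothetical_dga(old_seed, when, TLDS_V5))
    # Operators push an UPDATE_ALT_SEED-style command; the bot now uses a new seed.
    new_seed = 7721  # assumed value
    return {
        "candidates_3_tlds": len(hypothetical_dga(old_seed, when, TLDS_V4)),
        "candidates_30_tlds": len(blocklist),
        "coverage_before_reseed": coverage(blocklist, hypothetical_dga(old_seed, when, TLDS_V5)),
        "coverage_after_reseed": coverage(blocklist, hypothetical_dga(new_seed, when, TLDS_V5)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for detection engineering is that a static domain blocklist derived from one sample's seed is only as durable as the seed; a reseed command invalidates it without any change to the malware binary, so monitoring should also key on the DGA's structure (label length and character set, burst of NXDOMAIN responses across many TLDs) rather than on specific domains, and the seed value in the app's shared preferences is worth extracting during forensic triage of an infected device.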

Conclusion

The newer version of FluBot is quite sophisticated, indicating that its operators have invested considerable effort in it. To stay protected from such threats, organizations should deploy anti-malware solutions, network firewalls, and behavior-based detection, and should use Indicators of Compromise (IoCs) to improve detection.

Cyware Publisher
