Resurgence in FluBot Malware Attacks

What is FluBot now up to?

• Recent studies on the FluBot banking malware confirmed that there has been a spike in the number of malicious distribution pages affecting a number of Australian, Polish, and German banks.
• The maligned web pages were distributed via text messages impersonating parcel tracking services or voicemail notifications.
• The interesting aspect of these campaigns involved the manner in which FluBot used the overlay of multiple popular banking apps to steal user credentials.
• Moreover, researchers discovered that the malware used a Domain Generation Algorithm (DGA) to stay under the radar during the infection process.

The interesting aspect of overlaying the apps

• The malicious pages that pretend to be fake voicemail notifications or parcel delivery services are actually controlled by C2 servers handled by attackers.
• The users are asked to download a FluBot APK on the pretext of tracking their package or to listen to the voicemail.
• Once installed, the infected devices contact a C2 server by executing the DGA, and download overlays for banking applications installed on victims’ devices.
• This technique enabled the attackers to take over apps related to Consorsbank, N26, Sparda, VR Banking Classic that have more than 20 million downloads. Among the other affected banks are Bank Millenium, BNP Paribas, Getin Bank, and Plusbank24.

Countermeasures