FluBot Malware Threat Intel Advisory

###### Advisory: Malware Advisory
###### Type: Credential Stealer, Android Malware
###### Name: FluBot malware
###### Affected Industries: Banking

A newly discovered Android malware, dubbed FluBot, impersonates Android mobile banking applications by drawing fake webview overlays on top of the targeted applications. The malware primarily focuses on stealing credit card details and online banking credentials, as well as personal data.

Execution

FluBot is distributed via SMS and can eavesdrop on incoming notifications, initiate calls, read or write SMSes, and transmit the victim’s contact list to its control center. It infects Android devices by posing as FedEx, DHL, Correos, and Chrome applications and pressures the unsuspecting user into granting it Accessibility permissions, which it abuses to maintain persistence on the device.

It leverages fake login screens of prominent banks. Once the user enters their login details on these phony pages, the data is immediately sent to the malware operator’s control center, where the operators can readily exploit it. It intercepts all banking-related OTPs by replacing the default SMS app on the targeted device, and thus receives the access keys sent via SMS. Furthermore, it sends similar SMSes to the contacts stored on the target device to lure them into downloading the fake app.

In a span of 2 months, the FluBot malware strain infected over 60,000 devices. Around 97% of its victims are located in Spain. Moreover, it has access to mobile phone numbers of around 11 million Spanish citizens.

Impact

Business Impact
  1. Financial loss to the organization/individual if its operations are interrupted
  2. Loss of brand reputation
  3. Compromised PII leads to social engineering attacks

Technical Impact

The malware creates a backdoor which grants access to the user’s device. This enables the attacker to perform malicious operations and even launch other malware variants.

Indicators of Compromise

SHA1
  1. 1dd0edc5744d63a731db8c3b42efbd09d91fed78
  2. 325f24e8f5d56db43d6914d9234c08c888cdae50
  3. 479f470e83f9a5b66363fba5547fdfcf727949da
  4. 659cbdf9288137937bb71146b6f722ffcda1c5fe
  5. 6616de799b5105ee2eb83bbe25c7f4433420dff7
  6. a4050a8171b0fa3ae9031e0f8b7272facf04a3aa
  7. affa12cc94578d63a8b178ae19f6601d5c8bb224
  8. c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba
  9. e094dd02cc954b6104791925e0d1880782b046cf
  10. fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
SHA256
  1. 30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67
  2. 1eb54ee1328ad5563e0e85a8ecff13cd2e642f5c6fc42e0e1038aeac0ee8cf2f
  3. 2277d20669267bbe9ff8a656258af0a33563c18c45cef3624eab67cf123c29a7
  4. 3bb0dbdb9ec7822dc53af230de0bdb908a558993619ac788c90eeeb5af6a1e14
Active C&C server domains
  1. xjnwqdospderqtk[.]ru
  2. nfiuerwtftasnuk[.]com
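The indicators above are only useful once they are matched against telemetry. The following script is an added example written for this advisory, not code from the advisory's authors: it loads the SHA1/SHA256 hashes and the defanged C&C domains listed above, re-fangs the domains, and scans two constructed inputs (a DNS query log and a file-hash inventory) for hits. The log formats, file paths and the non-malicious hashes are constructed for illustration, and matching subdomains of a listed C&C domain is an assumption of this example, not something the advisory states.

```python
import re

# Indicators copied from the advisory's IoC section.
SHA1_IOCS = {
    "1dd0edc5744d63a731db8c3b42efbd09d91fed78",
    "325f24e8f5d56db43d6914d9234c08c888cdae50",
    "479f470e83f9a5b66363fba5547fdfcf727949da",
    "659cbdf9288137937bb71146b6f722ffcda1c5fe",
    "6616de799b5105ee2eb83bbe25c7f4433420dff7",
    "a4050a8171b0fa3ae9031e0f8b7272facf04a3aa",
    "affa12cc94578d63a8b178ae19f6601d5c8bb224",
    "c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba",
    "e094dd02cc954b6104791925e0d1880782b046cf",
    "fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe",
}
SHA256_IOCS = {
    "30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67",
    "1eb54ee1328ad5563e0e85a8ecff13cd2e642f5c6fc42e0e1038aeac0ee8cf2f",
    "2277d20669267bbe9ff8a656258af0a33563c18c45cef3624eab67cf123c29a7",
    "3bb0dbdb9ec7822dc53af230de0bdb908a558993619ac788c90eeeb5af6a1e14",
}
DEFANGED_C2_DOMAINS = ["xjnwqdospderqtk[.]ru", "nfiuerwtftasnuk[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}

# Match a 64-hex (SHA256) or 40-hex (SHA1) token; longer alternative first.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b")


def classify_hash(value: str):
    """Return 'sha1' / 'sha256' if the hash is a listed IoC, else None."""
    h = value.lower()
    if h in SHA1_IOCS:
        return "sha1"
    if h in SHA256_IOCS:
        return "sha256"
    return None


def scan_dns_log(lines):
    """Return (line_no, domain) for queries to a listed C&C domain.
    Subdomain matching (e.g. api.<c2>) is an assumption of this example."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            name = token.rstrip(".").lower()
            for c2 in C2_DOMAINS:
                if name == c2 or name.endswith("." + c2):
                    hits.append((n, name))
    return hits


def scan_hash_inventory(lines):
    """Return (line_no, kind, hash) for every listed SHA1/SHA256 found in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for candidate in HEX_RE.findall(line):
            kind = classify_hash(candidate)
            if kind:
                hits.append((n, kind, candidate.lower()))
    return hits


# Constructed sample inputs (not real telemetry); only the IoC values are from the advisory.
SAMPLE_DNS_LOG = [
    "2021-03-03T10:15:01Z 10.0.0.12 query A www.example.com",
    "2021-03-03T10:15:07Z 10.0.0.12 query A xjnwqdospderqtk.ru",
    "2021-03-03T10:16:40Z 10.0.0.23 query A api.nfiuerwtftasnuk.com",
    "2021-03-03T10:17:02Z 10.0.0.23 query A updates.example.org",
]
SAMPLE_FILE_INVENTORY = [
    "/sdcard/Download/DHL.apk sha256=30937927e8891f8c0fd2c7b6be5fbc5a05011c34a7375e91aad384b82b9e6a67",
    "/sdcard/DCIM/photo.jpg sha256=" + "deadbeef" * 8,
    "/data/app/chrome.apk sha1=1dd0edc5744d63a731db8c3b42efbd09d91fed78",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("C&C DNS query:", hit)
    for hit in scan_hash_inventory(SAMPLE_FILE_INVENTORY):
        print("Known FluBot sample:", hit)
```

The hash matcher is case-insensitive and tolerant of surrounding text, so the same function can be run over EDR exports or sideloaded-APK inventories; the DNS matcher deliberately strips trailing dots so fully qualified names from resolver logs still match.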

Mitigation

  1. Use updated antivirus software that detects and prevents malware infections
  2. Apply critical patches to the system and applications
  3. Use strong passwords and enable 2FA over logins
  4. Check the privileges and permissions allotted to the user
  5. Make it easy for users to report suspicious behavior
  6. Back-up data regularly
  7. Open source platform recommendation to remove the malware: