Flubot Smishes Polish !

Researchers are warning of a new enhanced version of the FluBot Android malware that that spread posed as Flash Player. A recent SMISHING campaign spotted targeting Polish users with a messaging asking them if to click on a link to view a video. Upon clicking on the link, recipients are redirected to a page offering a fake Flash Player APK that delivers the FluBot malware on the Android device.

Flubot has been active since late 2020, it was first observed targeting Spanish users. Since March 2021, the malicious code was also employed in attacks aimed at several European countries as well as Japan.

Advertisements

Threat actors leveraging fake security updates to trick victims into installing the malicious code. The attackers use fake security warnings of Flubot infections and urge them to install the security updates.

The following chart shows the FluBot infection chain, the malicious code start spreading using the initial victim’s contact list.

The victim received an SMS message that includes a link to a malicious URL.
The victim clicks the link and is prompted to install an app.
The victim downloads and opens the malicious app that installs FluBot.
FluBot accesses the victim’s contact list and uploads it to the C2 server.
FluBot downloads a list of new contacts to target.
FluBot sends SMS messages to the new list of target contacts, thus propagating FluBot.

Flubot version 5.2 has important improvements, such us the implementation of a new command, UPDATE_ALT_SEED, to allow operators to change the domain generation algorithms seed remotely.

“In version 5.2 a new command, UPDATE_ALT_SEED, is introduced. It enables the attackers to change the DGA (domain generation algorithms) seed remotely. Once such a command is dispatched, FluBot stores the updated seed inside the shared preferences under “g” key.”
Researchers statement

The feature allows operators to elude DNS blocklists in an attempt to isolate the C2 infrastructure. Experts also noticed that the new version the DGA mechanism uses 30 top-level domains instead of just three used in previous versions.

In version 4.9, FluBot communicated directly with the server using HTTPS port 443. In FluBot version 5.0, the malware communicates with the C2 server through DNS Tunneling over HTTPS.

The new version supports a long list of commands including:

UPDATE_DNS_SERVERS: New in Version 5.0 –
UPDATE_ALT_SEED
NOTIF_INT_TOGGLE – Notification Interception
GET_SMS: Propagation Through SMS
GET_SMS: Propagation Through SMS, Version 5.2
RELOAD_INJECTS: Injections and Overlays
UPLOAD_SMS: SMS Logging
SMS_INT_TOGGLE: SMS Interception
GET_CONTACTS: Contact List Logging
DISABLE_PLAY_PROTECT
Run USSD: Recharge Using Phone Call
Disable Battery Optimization
Keylogger/Screen Grabber
UNINSTALL_APP
OPEN_URL: Opens a URL on the Device
SEND_SMS: Sends SMS Messages on Demand

Indicators of Compromise

Version 4.9 – Malware APK e93a4e8bec4e2bf47157e55be150c8fb62c38cd4ca180b473f53259fa44cdd48(
Version 5 – Malware APK 4bf1e7a6e5febfb345b13a596b954e50c59d9506046592d39d4a6e9f01dfea53
Version 5.1 – Malware APK
1dc84f5f1ee6daf33f5da0d0d82f252c64274a771c6214170eae441d18447fea
Version 5.2 – Malware APK
4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c