FluBot is expanding and has recently begun to target the banking applications of German and Polish banks. This was observed only one day after Australian banks were found to be targeted.
What Transpired?
Attackers are distributing new overlays with which several Polish and German banks have already been targeted.
- In recent attacks, fake interfaces that spoof the application's login form are displayed to users while they use the application. Any credentials entered into an overlay are forwarded to a C2 server.
- A number of German apps were targeted between 10 and 13 August, including SpardaApp, Consorsbank, Sparkasse, its mobile subsidiary, N26-The Mobile Bank, and VR Banking Classic.
- Several Polish banking apps, such as mBank PL, BNP Paribas Gomobile, Getin Mobile, IKO, Moje ING Mobile, plusbank24, Santander mobile, and Bank Millennium, were targeted on 12 August.
- FluBot spreads via text messages containing links to pages hosted on compromised web servers. These messages are disguised as voicemail notifications or parcel-tracking updates.
Earlier, in June, the malware imitated postal and logistics service apps in an attempt to lure its victims.
The Analysis
When analyzing the sites on which the lures are hosted, researchers found that attackers use C2 servers to serve them.
- The C2 infrastructure provides both the HTML content of the lure website and the FluBot application as an .apk file. It can answer with an empty reply or redirect to a legitimate site, making identification difficult.
- Once installed, FluBot asks the user to grant it accessibility permissions. Once granted, it uses them to control the device and to grant itself further rights that prevent uninstallation.
- FluBot uses a Domain Generation Algorithm to build its list of C2 domains, so the set of active C2 domains can change over time.
- Each C2 domain was found to resolve to ten separate servers. This gives FluBot's C2 infrastructure an added layer of resilience.
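The two C2 traits described above (random-looking generated domains and each domain fanning out to many servers) can be turned into a simple detection sweep over resolver logs. The following is an added illustration, not code from the page or from eScan: the log format, the threshold values and every domain and IP in it are constructed, and because the page does not describe FluBot's actual DGA, a character-entropy score is used as a generic stand-in for "looks machine-generated".

```python
import math
from collections import Counter, defaultdict

# Constructed DNS resolver log (hypothetical format): "<time> <client> <domain> <answer-ip>".
# The 16-letter domain with ten distinct answers mimics the two traits described
# above; it is a made-up value, not a real FluBot indicator.
SAMPLE_DNS_LOG = "\n".join(
    ["2021-08-12T10:00:00Z 10.0.0.5 sparkasse.de 203.0.113.10",
     "2021-08-12T10:00:01Z 10.0.0.5 cdn.example.org 203.0.113.20",
     "2021-08-12T10:00:02Z 10.0.0.9 cdn.example.org 203.0.113.21",
     # random-looking but single-homed: high entropy alone must not flag it
     "2021-08-12T10:00:03Z 10.0.0.9 x9kq2w7hzpb4.net 203.0.113.30"]
    + [f"2021-08-12T10:01:{i:02d}Z 10.0.0.5 qzkdwpxlvmtbhnsy.com 198.51.100.{i + 1}"
       for i in range(10)]
)


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str) -> dict:
    """Map each queried domain to the set of distinct answer IPs seen for it."""
    answers = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the sweep
        _time, _client, domain, ip = parts
        answers[domain.lower().rstrip(".")].add(ip)
    return answers


def flag_suspicious(text: str, entropy_min: float = 3.5, min_ips: int = 5) -> list:
    """Return (domain, entropy, ip_count) for domains that look generated AND
    fan out to many servers; both conditions are required (thresholds are assumed)."""
    hits = []
    for domain, ips in parse_dns_log(text).items():
        # registrable label, simplified: no public-suffix list handling
        label = domain.split(".")[-2] if "." in domain else domain
        ent = shannon_entropy(label)
        if ent >= entropy_min and len(ips) >= min_ips:
            hits.append((domain, round(ent, 2), len(ips)))
    return sorted(hits, key=lambda h: (-h[2], -h[1]))


if __name__ == "__main__":
    for domain, ent, n in flag_suspicious(SAMPLE_DNS_LOG):
        print(f"suspect C2 candidate: {domain} entropy={ent} distinct_ips={n}")
```

Requiring both conditions keeps legitimately hashed CDN hostnames (high entropy, one address) and large legitimate services (many addresses, dictionary-word names) out of the hit list.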
FluBot remains active and aims at Europe; however, it is suspected that other regions may have been affected as well. To safeguard smartphone users, our internal experts suggest that access to the known FluBot lure sites be restricted. In addition, banking customers should avoid downloading apps from links in messages or from third-party sources.
To read more, please check eScan Blog