Last Updated on 08/01/2022 by Nidhi Khandelwal
FluBot is a banking malware for Android that steals passwords by presenting overlay login forms against a variety of banks throughout the world.
Fake security upgrades, fake Adobe Flash Players, voicemail messages, and imitating parcel delivery alerts are among the smishing (SMS phishing) lures used to spread it.
FluBot can steal online banking credentials, send or intercept SMS messages (including one-time passwords), and grab screenshots after it has gained access to the device.
The malware spreads quickly because it utilizes the victim’s device to send new smishing messages to all of their contacts.
New FluBot campaigns are transmitted using SMS texts asking the receiver if they meant to submit a video from their device, according to MalwareHunterTeam, which contacted BleepingComputer.
CSIRT KNF shared an example of this campaign’s SMS text for Polish receivers, which may be seen below.
Version 5.0, which was released in early December 2021, is the most recent major release, whereas version 5.2 was just released a few days ago.
The malware developers paid close attention to the DGA (domain generation algorithm) system with this release, as it is critical in allowing the actors to operate freely.
On the communication side, the new FluBot now connects to the C2 through DNS tunneling over HTTPS, rather than straight HTTPS port 443, as it did previously
DNS resolvers should be updated. Remotely update the DGA seed use multi-part division features to send lengthier SMS messages.
