The FluBot it’s an Android malware that targets Android devices and spreads into victims via phishing SMS messages that contains the malicious link to download the FluBot app. Victims click on this link and then download a file with an .apk extension. Right after the installation process completed, the FluBot malware communicates with the command control (C2) server and runs arbitrary codes into Android device remotely.

As a result of the analyzes performed, it was determined that the FluBot malware was able to send SMS, read incoming text messages, kill background applications, and access the phone contact lists on the victim device remotely.

After the installation of FluBot, the malware itself (fake DHL application that’s contain malware) requests some special permissions from victim device. If victim gives these permissions and rights, the malware executes Phishing form in order to collect Banking Information from victim, these data contains (Name-Surname, CVV, Card Number , etc.). If the victim is tricked by attackers and enter these data, it will be uploaded in an unencrypted way into attackers Command And Control server.

 

 Fake DHL SMS notification message (Phishing)

flubot

 

 

In another example, FluBot malware was installed via Phishing SMS message that is contains malicious link. Victim opens this link and gets tricked by attackers to download fake FedEx app (The screenshot of the phishing sample page is as follows.)

fedex

 

Spreading Frequency & Victim Countries

FluBot malware attacks are mostly spread in European Countries. After the COVID pandemic, attackers has abused package delivery services as a phishing tool, so FluBot has a very rapid spreading in such a short time.

malware analysis

 

FluBot Technical Analysis

After the FluBot malware is downloaded, it asks for user approval to give “full access” authorization in the device for FluBot. Malware continues to run in the background even if the target user closes the application after the approval is given by the target user.

technical analysis fedex apk

 

The permission list of the “com.eg.android.AlipayGphone” (FluBot) malware running in the background is as follows:

  • android.permission.INTERNET
  • android.permission.READ_CONTACTS 
  • android.permission.WRITE_SMS 
  • android.permission.READ_SMS 
  • android.permission.SEND_SMS
  • android.permission.RECEIVE_SMS
  • android.permission.READ_PHONE_STATE
  • android.permission.QUERY_ALL_PACKAGES 
  • android.permission.WAKE_LOCK 
  • android.permission.FOREGROUND_SERVICE 
  • android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  • android.permission.CALL_PHONE
  • android.permission.REQUEST_DELETE_PACKAGES     
  • android.permission.KILL_BACKGROUND_PROCESSES
  • android.permission.ACCESS_NETWORK_STATE

 

The malware that accesses it with the above permissions becomes able to perform the following actions:

  • Internet access.
  • SMS Reading / Sending.
  • Reading the phone book.
  • Making a Call.
  • Deleting apps from within the device.
  • Ability to use the accessibility service.
  • Reading device notifications.

 

The target user’s Android device is now in constant communication with the attacker’s command control server. As a result of our analysis, it has been determined that this communication could be continue over the SOCKS Proxy according to the attacker’s request.

malware

 

String Obfuscation

The FluBot malware uses the open-source String obfuscator software called Paranoid to make it difficult to examine and easier to bypass anti-virus software, so the malware is given the ability to hide the string data during it’s working phase.

Obfuscated String data:

  • BotId
  • BrowserActivity
  • CardActivity
  • ComposeSmsActivity
  • ContactItem
  • DGA
  • ForegroundService
  • HttpCom
  • IntentStarter
  • LangTxt
  • MainActivity
  • MyAccessibilityService
  • MyNotificationListener
  • PanelReq
  • SmsReceiver
  • Spammer
  • Utils
  • SocksClient
  • PanelReq

 

 flubot andorid

 

String De-obfuscate

String data of the FluBot malware are hidden by the attackers, Obfuscated String data must be De-obfuscated for the correct analysis results. An open source Java software was used for this process.

malware

When the Java software was run in order to crack the data, the data in the chunks37 array is understood with a mathematical function and is converted into normal string data. As can be seen on the right, there are String data used in the phishing phase of different languages in the output data. (Card Number, CVV, Owner, Year etc.)

malware analysis

 

Command And Control (C2 Server)

The newest version of the FluBot malware has emerged as 4.0. After FluBot infects the target Android device, it creates a domain consisting of random numbers and letters with the help of an algorithm called Domain Generation Algorithm (DGA) to connect with the attacker, and thus the command control servers of the attackers can be hidden from bot softwares. The connection is done in the form of DNS or DNS over HTTPS, especially in the 4.0 version. Thus, when the malware sends connection request packets to the target device, it avoids the firewall, EDR or Anti-Virus systems.

The rise that started on 2021-01-22 was realized with the 4.0 version.

malware

The Google DNS feature has been abused by the attackers, so Google DNS is used as a tunnel and connection requests are made to the attacker’s Command and Control servers via DNS. The screenshot of HTTP requests is below.

requests

Command And Control servers created with DGA:

dns

 

The function that performs the connection request made via “poll.php” belonging to FluBot 4.0 version, can remotely run commands (PING, LOG, SMS_RATE, GET_SMS etc.) over the attacker C2 server.

andorid

As a result of our analysis, the decompiled function tasked with providing the DNS over HTTPS connection for the FluBot malware to access the target device remotely is given in the picture  below.

This method of attack has been chosen especially for targets in Britain and United States. The most important difference is that in a different example of the FluBot 4.0 malware, the attackers can have chosen Cloudflare DNS instead of Google DNS to get connections.

malware

 

Another feature of the FluBot Malware is being able to perform country-specific attacks using country-based codes found on mobile phone numbers. During the phishing attack, the cargo services and the language spoken in that country are taken into consideration by the attackers and an appropriate interface is chosen that way.

hacking

 

It steals information such as credit card number, CVV, device information from the target user.

malware

After the target user deceive (with the phishing method) enters this information into the form interface in the FluBot malware, String data is transmitted to the attackers with the help of “GetCredential_A05” function.

flubot analysis

The form (Phishing form) for the data requested by the FluBot malware from the target user is in the image below.

play verification

FluBot 3.7 Version of HTTP Traffic Analysis

To capture the HTTP connection with Burp Suite Proxy, JavaScript code is injected into the malicious software by using Frida, thus the connection can be captured, and Android SSL Pinning is bypassed. When the connection wass examined, it is observed that connection requests is sent from the target device with string data encoded with base64 over poll.php. Attackers can communicate with the victim device instantly with POST and GET requests.

http connections

IOC Data

FluBot v3.7

Phishing Correos Hash Data
446833e3f8b04d4c3c2d2288e456328266524e396adbfeba3769d00727481e80
bb85cd885fad625bcd2899577582bad17e0d1f010f687fc09cdeb8fe9cc6d3e1
8c14d5bc5175c42c8dd65601b4964953f8179cfe5e627e5c952b6afd5ce7d39d
Phishing Fedex Hash Data
a601164199bbf14c5adf4d6a6d6c6de20f2ab35ec7301588bceb4ee7bb7d1fdc
f0fa95c3b022fb4fee1c2328ffbc2a9567269e5826b221d813349ebf980b34da
07ba6893c4ffc95638d4d1152f7c5b03aca4970474a95bf50942c619aa4382ae
ca5ba6098a2a5b49c82b7351920966009a99444da4d6f6e5a6649e5e2aeb3ff8
8be8576c742f31d690d449ab317b8fb562d03bc7c9dc33fa5abf09099b32d7a0
Phishing DHL Hash Data
54ecabbff30b05a6a97531f7dec837891ce49ae89878eaf38714c1874f5f1d15
c3838f9544e613917068f1b2e22ab647fd5a60701e1045b713767a92cf79f983
ab29813b1da1da48b4452c849eedc35b6c52044946d39392530573c540916f74

 

FluBot v4.0

Phishing DHL Hash Data
3a4bdcb1071e8c29c62778101b7ae8746f3ee57cb1588e84d7ee1991964703e6
22025590bbb4d3a30658fea45a936b6a346479c83d1c35f85521a1ac564342a0
774acbfbedd2a37e636f6251af84a7abb2e64c2db9d6de5ce0fec4121064ea49
3bf82acb8d511bfef3e083b73136824aab3612b516f150d916fe351b7e5bc9d3
9b9b67a2b9ec5a15044430a9f5d9ce6a7f524e1feed186a96309256df686cfdd
8bb8b1a1dc1487db610700f6b59ea4ab44ddc2f52e0eca06f8d1da663b312b58