The FluBot it’s an Android malware that targets Android devices and spreads into victims via phishing SMS messages that contains the malicious link to download the FluBot app. Victims click on this link and then download a file with an .apk extension. Right after the installation process completed, the FluBot malware communicates with the command control (C2) server and runs arbitrary codes into Android device remotely.
As a result of the analyzes performed, it was determined that the FluBot malware was able to send SMS, read incoming text messages, kill background applications, and access the phone contact lists on the victim device remotely.
After the installation of FluBot, the malware itself (fake DHL application that’s contain malware) requests some special permissions from victim device. If victim gives these permissions and rights, the malware executes Phishing form in order to collect Banking Information from victim, these data contains (Name-Surname, CVV, Card Number , etc.). If the victim is tricked by attackers and enter these data, it will be uploaded in an unencrypted way into attackers Command And Control server.
Fake DHL SMS notification message (Phishing)
In another example, FluBot malware was installed via Phishing SMS message that is contains malicious link. Victim opens this link and gets tricked by attackers to download fake FedEx app (The screenshot of the phishing sample page is as follows.)
Spreading Frequency & Victim Countries
FluBot malware attacks are mostly spread in European Countries. After the COVID pandemic, attackers has abused package delivery services as a phishing tool, so FluBot has a very rapid spreading in such a short time.
FluBot Technical Analysis
After the FluBot malware is downloaded, it asks for user approval to give “full access” authorization in the device for FluBot. Malware continues to run in the background even if the target user closes the application after the approval is given by the target user.
The permission list of the “com.eg.android.AlipayGphone” (FluBot) malware running in the background is as follows:
The malware that accesses it with the above permissions becomes able to perform the following actions:
- Internet access.
- SMS Reading / Sending.
- Reading the phone book.
- Making a Call.
- Deleting apps from within the device.
- Ability to use the accessibility service.
- Reading device notifications.
The target user’s Android device is now in constant communication with the attacker’s command control server. As a result of our analysis, it has been determined that this communication could be continue over the SOCKS Proxy according to the attacker’s request.
The FluBot malware uses the open-source String obfuscator software called Paranoid to make it difficult to examine and easier to bypass anti-virus software, so the malware is given the ability to hide the string data during it’s working phase.
Obfuscated String data:
String data of the FluBot malware are hidden by the attackers, Obfuscated String data must be De-obfuscated for the correct analysis results. An open source Java software was used for this process.
When the Java software was run in order to crack the data, the data in the chunks37 array is understood with a mathematical function and is converted into normal string data. As can be seen on the right, there are String data used in the phishing phase of different languages in the output data. (Card Number, CVV, Owner, Year etc.)
Command And Control (C2 Server)
The newest version of the FluBot malware has emerged as 4.0. After FluBot infects the target Android device, it creates a domain consisting of random numbers and letters with the help of an algorithm called Domain Generation Algorithm (DGA) to connect with the attacker, and thus the command control servers of the attackers can be hidden from bot softwares. The connection is done in the form of DNS or DNS over HTTPS, especially in the 4.0 version. Thus, when the malware sends connection request packets to the target device, it avoids the firewall, EDR or Anti-Virus systems.
The rise that started on 2021-01-22 was realized with the 4.0 version.
The Google DNS feature has been abused by the attackers, so Google DNS is used as a tunnel and connection requests are made to the attacker’s Command and Control servers via DNS. The screenshot of HTTP requests is below.
Command And Control servers created with DGA:
The function that performs the connection request made via “poll.php” belonging to FluBot 4.0 version, can remotely run commands (PING, LOG, SMS_RATE, GET_SMS etc.) over the attacker C2 server.
As a result of our analysis, the decompiled function tasked with providing the DNS over HTTPS connection for the FluBot malware to access the target device remotely is given in the picture below.
This method of attack has been chosen especially for targets in Britain and United States. The most important difference is that in a different example of the FluBot 4.0 malware, the attackers can have chosen Cloudflare DNS instead of Google DNS to get connections.
Another feature of the FluBot Malware is being able to perform country-specific attacks using country-based codes found on mobile phone numbers. During the phishing attack, the cargo services and the language spoken in that country are taken into consideration by the attackers and an appropriate interface is chosen that way.
It steals information such as credit card number, CVV, device information from the target user.
After the target user deceive (with the phishing method) enters this information into the form interface in the FluBot malware, String data is transmitted to the attackers with the help of “GetCredential_A05” function.
The form (Phishing form) for the data requested by the FluBot malware from the target user is in the image below.
FluBot 3.7 Version of HTTP Traffic Analysis
|Phishing Correos Hash Data|
|Phishing Fedex Hash Data|
|Phishing DHL Hash Data|
|Phishing DHL Hash Data|