FluBot malware targets Europe by disguising itself as a Flash Player app

February 4, 2022

The widely used FluBot malware continues to upgrade itself, and this time researchers have seen it targeting users in Europe by posing as a Flash Player app, with new features added.

The FluBot operators bait their victims by distributing fake Adobe Flash Player apps, along with lures posing as parcel delivery notices, voicemail memos, and phoney security updates. Once on the device, FluBot can send or intercept SMS messages, record the screen, capture screenshots, and gather online banking information.

Researchers also noted that the malware uses the infected device to send new smishing messages to all of the victim’s contacts, which is why it spreads so quickly.


The new FluBot variant is spread by threat actors using SMS texts that ask the recipient whether they want to upload a video online from their device.


When a recipient taps the link in the SMS, they are redirected to a page offering a fake Flash Player APK that installs FluBot on the Android device instead of a legitimate media player app.

The latest release of this fake Flash Player is version 5.0, with version 5.2 already in development by the FluBot operators.

The domain generation algorithm (DGA) received particular attention from the malware developers, as it is crucial to keeping the operation running smoothly. The DGA produces new C2 domains on the fly, rendering static DNS blocklists ineffective.

In its latest version, FluBot’s DGA uses 30 top-level domains instead of the three used previously. It also includes a command that lets the threat actors change the DGA seed remotely.
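As an added illustration of why a DGA spread across many TLDs outruns static blocklists, the detection logic below (example code, not from the article or from FluBot itself) scans constructed resolver log entries for clients whose random-looking lookups span many TLDs and mostly return NXDOMAIN; the log format, domain names and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log entries as (client_ip, queried_name, rcode).
# The names are made up for this example and are not real FluBot indicators.
SAMPLE_LOG = [
    ("10.0.0.5", "kxqzwvplyt.com", "NXDOMAIN"),
    ("10.0.0.5", "mrptdwqhsa.net", "NXDOMAIN"),
    ("10.0.0.5", "bgvcnjluoe.org", "NXDOMAIN"),
    ("10.0.0.5", "fzkdyhsqrw.info", "NOERROR"),
    ("10.0.0.5", "tpxmvaoiln.biz", "NXDOMAIN"),
    ("10.0.0.5", "qwhgzcbdje.ru", "NXDOMAIN"),
    ("10.0.0.5", "lnkysrtmpu.top", "NOERROR"),
    ("10.0.0.5", "vdcxoahqiw.xyz", "NXDOMAIN"),
    ("10.0.0.7", "www.example.com", "NOERROR"),
    ("10.0.0.7", "mail.example.org", "NOERROR"),
    ("10.0.0.7", "cdn.example.net", "NOERROR"),
]

def shannon_entropy(label):
    """Bits per character; random DGA labels score near log2(len(label))."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_domain(name):
    """Return (registrable label, TLD); multi-part suffixes such as co.uk are not handled."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]

def find_dga_clients(log, min_labels=5, min_tlds=5, min_entropy=3.0, min_nx_ratio=0.5):
    """Flag clients whose high-entropy lookups span many TLDs and mostly fail to resolve."""
    per_client = defaultdict(lambda: {"labels": set(), "tlds": set(), "nx": 0, "total": 0})
    for client, name, rcode in log:
        label, tld = split_domain(name)
        if shannon_entropy(label) < min_entropy:
            continue  # ordinary words rarely reach 3 bits per character
        stats = per_client[client]
        stats["labels"].add(label)
        stats["tlds"].add(tld)
        stats["total"] += 1
        stats["nx"] += int(rcode == "NXDOMAIN")
    flagged = {}
    for client, s in per_client.items():
        ratio = s["nx"] / s["total"]
        if len(s["labels"]) >= min_labels and len(s["tlds"]) >= min_tlds and ratio >= min_nx_ratio:
            flagged[client] = {"labels": len(s["labels"]), "tlds": len(s["tlds"]), "nxdomain_ratio": ratio}
    return flagged
```

Because the variant also tunnels DNS over HTTPS, as the next paragraph notes, those lookups never reach the resolver log this reads, so the same check needs endpoint or proxy visibility to cover that channel.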

On the communication side, the latest version of FluBot now reaches its C2 via DNS tunnelling over HTTPS.

The commands added in the latest FluBot are particularly dangerous, since most of them compromise the device user’s privacy: placing calls on demand, disabling Google Play Protect, intercepting messages, sending SMS, collecting the entire contact list, and more.

FluBot has not removed any commands from its previous version; instead it has added numerous new features to make its attacks more effective. The malware is steadily growing as its operators constantly upgrade its arsenal, making it a serious threat.
