FluBot Spyware Spreads Across EuropeProofpoint: Malware's Operators Rebound After Arrests
FluBot Android spyware is once again spreading throughout Europe following a temporary dip in activity in March after police arrested four suspects allegedly involved in the campaign, according to researchers at Proofpoint.
The malware's operators are working methodically, striking one country after another using thousands of devices under their control to send malicious phishing SMS messages, the security firm reports.
Proofpoint is uncertain why the attackers, whose identity is not known, chose text messages rather than emails for their distribution methodology.
"Reasons could include threat actor capacity and capability limitations," says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. "Matching language, geography and appropriate social engineering improves the threat actor’s chances of getting their target to take the action they want – in this case, clicking on the link and installing the FluBot malware.”
The spyware was first spotted in November 2020. In the last month, Proofpoint has tracked FluBot campaigns in the U.K., Germany, Hungary, Italy, Poland and Spain.
"We still do not see campaigns of FluBot in the U.S. We are watching closely to see if this threat comes to North America in broad campaigns," DeGrippo says.
The malware gang started sending text messages from Germany, written in German, to U.K. residents. Now, the attackers are using 700 domains for an English-language campaign targeting the U.K.
"The German-language messages were turned off once the U.K. messages were established, indicating a conscious effort to spread FluBot from country to country," Proofpoint says.
So far, the campaign has infected about 7,000 British devices, and the gang has sent tens of thousands of malicious texts per hour, the researchers say. Some individuals are receiving several FluBot-infected messages at a time.
FluBot's Attack Chain
Proofpoint says the gang behind FluBot has updated the malware several times. But all the campaigns follow the same pattern.
The target receives an SMS text message portrayed as being from FedEx, DHL or another delivery firm stating that a package awaits them and they should click on a link to find out the package's arrival time. Once the link is clicked, the malware download process begins.
In addition to displaying delivery services' logos, the malware also contains legitimate-looking Android Packaging, or APK, files with FluBot encrypted and embedded inside to help bypass security.
"FluBot v3.7 uses package names of com.tencent.mobileqq and com.tencent.mm with FedEx, DHL, and Correos lures while v4.0 uses a package name of com.eg.android.AlipayGphone with DHL lures," Proofpoint says.
After the malicious APK is installed, FluBot still does not have full access to the device. So the attackers trick the victim into providing additional permissions to obtain information about their delivery through a series of pop-up notices that appear on the phone asking for permission to observe the victim's actions on the device, retrieve window content and turn on notification access.
Once the victim grants the permissions, FluBot is installed. It acts as spyware, an SMS spammer and a credit card and banking credential stealer, Proofpoint says. When reaching out to the attackers' command-and-control server, the malware sends the victim's contact list and retrieves an SMS phishing message and number to continue its spread using the victim's device.
In the most recent version of FluBot, operators have improved its ability to communicate with the command-and-control servers, Proofpoint says.
The attackers use a domain-generation algorithm to generate a list of domains to try until the malware finds one it can reach. Using this method, the attackers can quickly switch the domains they are using for command and control as they become blocked or taken down, the report says.