Cybercrime , Fraud Management & Cybercrime , Social Engineering

FluBot Spyware Spreads Across Europe

Proofpoint: Malware's Operators Rebound After Arrests
FluBot Spyware Spreads Across Europe
A sample of the text message lures used by FluBot in different countries (Source: Proofpoint)

FluBot Android spyware is once again spreading throughout Europe following a temporary dip in activity in March after police arrested four suspects allegedly involved in the campaign, according to researchers at Proofpoint.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The malware's operators are working methodically, striking one country after another using thousands of devices under their control to send malicious phishing SMS messages, the security firm reports.

Proofpoint is uncertain why the attackers, whose identity is not known, chose text messages rather than emails for their distribution methodology.

"Reasons could include threat actor capacity and capability limitations," says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. "Matching language, geography and appropriate social engineering improves the threat actor’s chances of getting their target to take the action they want – in this case, clicking on the link and installing the FluBot malware.”

The spyware was first spotted in November 2020. In the last month, Proofpoint has tracked FluBot campaigns in the U.K., Germany, Hungary, Italy, Poland and Spain.

"We still do not see campaigns of FluBot in the U.S. We are watching closely to see if this threat comes to North America in broad campaigns," DeGrippo says.

The malware gang started sending text messages from Germany, written in German, to U.K. residents. Now, the attackers are using 700 domains for an English-language campaign targeting the U.K.

"The German-language messages were turned off once the U.K. messages were established, indicating a conscious effort to spread FluBot from country to country," Proofpoint says.

So far, the campaign has infected about 7,000 British devices, and the gang has sent tens of thousands of malicious texts per hour, the researchers say. Some individuals are receiving several FluBot-infected messages at a time.

FluBot's Attack Chain

Proofpoint says the gang behind FluBot has updated the malware several times. But all the campaigns follow the same pattern.

The target receives an SMS text message portrayed as being from FedEx, DHL or another delivery firm stating that a package awaits them and they should click on a link to find out the package's arrival time. Once the link is clicked, the malware download process begins.

In addition to displaying delivery services' logos, the malware also contains legitimate-looking Android Packaging, or APK, files with FluBot encrypted and embedded inside to help bypass security.

"FluBot v3.7 uses package names of com.tencent.mobileqq and with FedEx, DHL, and Correos lures while v4.0 uses a package name of with DHL lures," Proofpoint says.

The pop-up notices that attempt to gain more permissions for the malware (Source: Proofpoint)

After the malicious APK is installed, FluBot still does not have full access to the device. So the attackers trick the victim into providing additional permissions to obtain information about their delivery through a series of pop-up notices that appear on the phone asking for permission to observe the victim's actions on the device, retrieve window content and turn on notification access.

Once the victim grants the permissions, FluBot is installed. It acts as spyware, an SMS spammer and a credit card and banking credential stealer, Proofpoint says. When reaching out to the attackers' command-and-control server, the malware sends the victim's contact list and retrieves an SMS phishing message and number to continue its spread using the victim's device.

FluBot Update

In the most recent version of FluBot, operators have improved its ability to communicate with the command-and-control servers, Proofpoint says.

The attackers use a domain-generation algorithm to generate a list of domains to try until the malware finds one it can reach. Using this method, the attackers can quickly switch the domains they are using for command and control as they become blocked or taken down, the report says.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.