Cyble-FluBot-Malware-Spreading-Across-New-Zealand

FluBot V4.9 Spreading across New Zealand

Cyble Research Labs discovered a sample of a FluBot malware variant during a routine threat-hunting exercise. The variant names itself “Android Security Update“, to deceive users into thinking that the malware is genuine. FluBot is a variant of malware that takes control of devices, collects sensitive information, and even sends messages to the victims’ contacts.

To distribute the malware, the software leverages a technique called Smishing (a hybrid of SMS and Phishing) attacks. In the case of phishing, attackers send phony emails that mislead recipients into opening malware-laden attachments or clicking on harmful links. In Smishing, emails are substituted by text messages.

The renowned Flubot Android banking Trojan adopts a wicked trick up its sleeve to target New Zealand (NZ) users. It deceives NZ users into downloading a false “ Android Security Update” app by warning them about… FluBot itself.

The link directs the user to a page that either instructs them to download a package tracking app or informs them that their phones have been infected with FluBot and that they should download anti-FluBot software.

If users follow the link in the text message, they are presented with a bright red screen that states, “Your device is infected with the FluBot malware.” “Android has identified an infection on your smartphone.

The notification by itself doesn’t infect the user’s device, but if users follow the directions in the message, the malicious program then redirects users to a download page that tricks them into installing it on their device, which later compromises the device.

Figure 1 Installation page for FluBot
(Source: cert.govt.nz)

The malware sample was downloaded and thoroughly examined by Cyble Research Labs. We discovered that the FluBot variant spreading through this campaign is version “V4.9,” which has code functionalities identical to “V4.8” and performs suspicious activities like accessing Contact data, SMS data, and device alerts.

Figure 2 FluBot Version

Technical Analysis

APK Metadata Information:

The metadata information of the downloaded and analyzed sample is shown in Figure 3.

Figure 3 Metadata Information of the APK file

Manifest Data:

The malware requests multiple dangerous permissions such as SEND_SMS, READ_PHONE_STATE, CALL_PHONE, RECEIVE_SMS, READ_CONTACTS, and READ_SMS. Upon granting these permissions, the malicious app can perform the below activities:

  • The application asks the users to turn on the Accessibility service.
  • The application asks for complete control of the device.
  • The application asks the users to allow access to notifications.
  • The application asks the users to allow it to replace the default SMS app – Once it gets this permission, the application can handle SMS data.
  • The applications can read contacts from the compromised device and uploads them to its server.
  • The application can access incoming and stored messages from the victim’s device. Additionally, it can also send and delete SMS data.
  • The application can kill the background process of other apps.
Figure 4 Flow Representation of Application Functionalities

Upon reviewing the application’s code, the application has multiple entry points declared in the manifest file. “com.miniclip.carrom.g” is the application subclass and main entry point of the malicious app, which initially loads upon launching the app.

Figure 5 Manifest Information of the APK file

Upon further inspection, we noticed that MainActivity, MainReceiver, and other classes from the manifest file are missing from the APK file. The malware uses a custom packer to evade signature-based detection.

With the help of this custom packer, the fake app hides these classes inside a DEX file. The DEX file is encrypted and saved in the assets section of the APK.

During the execution phase, the malicious app unpacks and loads the classes from the DEX file. We were able to decrypt the DEX file through reverse engineering. This code is depicted in the diagram below.

Figure 6 Decryption Code Used for Embedded Dex File

Common Functionalities of the FluBot App:

Compared to the earlier versions of FluBot, we observed some of the data collected by the malware app after compromising the victim’s device analysis is as below:

  • Code snippet of the app that can read and collect contact data is shown in the below figure.
Figure 7 Reads and Collects Contact Data

  • The malware can also send text messages as shown below.
Figure 8 Sending Text Messages

  • Upon enabling notification access by the user, the malware reads/steals the incoming notifications and cancels them without user interaction or knowledge.
Figure 9 Steals and Cancels Notifications on Enabling Notification Access

Commands Used by FluBot App:

Generally, FluBot malware performs malicious activities by receiving commands from Command-and-Control servers (C&C). The commands in the sample analyzed by Cyble Research labs are encrypted via custom implementation of XOR and are listed below:

CommandsDescription
UNINSTALL_APPRemoves the application by referring to package
SMS_INT_TOGGLEIntercepts SMS
SOCKS**Configures Socks Proxy for redirection
BLOCKBlocks Notification
UPLOAD_SMSUploads the collected SMS data
OPEN_URLTo the Load the WebView page
NOTIF_INT_TOGGLEIntercepts Notification
RUN_USSDTo access and perform call-related functions
DISABLE_PLAY_PROTECT**Deactivating Play Protect security for Device
RELOAD_INJECTSTo update new overlays in the malware
SEND_SMSText Messages Sent
GET_CONTACTSReads and Collects the Contact data
RETRY_INJECTClear flag value saved in shared preferences
INTERCEPTING_NOTIFIntercepting the incoming notifications

Table 1 Commands Identified in the Malware sample

DGA Module:

Some of the common features that are highlighted in Table 1(**), are replicated in recently discovered banking trojans.

FluBot is also well known for its Domain Generation Algorithm (DGA), a unique feature not observed in most Banking Trojan malware families.

The address of the C&C server is obtained by FluBot using a Domain Generation Algorithm (DGA).

According to the current year and month, the DGA creates over 2000 domains. With “su,” “ru,” and “cn” Top-Level Domains (TLDs), domains are 15 characters long. The below figure shows the subset of the URLs generated using the DGA.

Figure 10 DGA Domains

Through this URL generated by the DGA, the data collected by the malware is exfiltrated through the C&C server. Attackers use the DGA functionality to change the domains being used for malware attacks swiftly.

DGA is implemented here because security software and providers move swiftly to prohibit and takedown malicious domains used by malware.

The malware encrypts the part of the request it sends to the server with the public RSA key, as shown in Figure 11.

Figure 11 RSA Encryption Technique Used for C2 Communication

Conclusion:

We’ve observed numerous forms of banking malware that perform various operations on victims’ mobile bank accounts over time. This FluBot malware version exploits the user’s device and takes control of the entire device. This enables it to steal passwords, bank details, and other sensitive information from infected devices by abusing the Accessibility Service on an unsuspecting victim’s phone.

Furthermore, the distribution technique for FluBot malware via a Smishing campaign frequently changes its theme. Examples include impersonating a well-known courier firm, a voicemail lure, and, as outlined in the above analysis, impersonating a security program.

Threat Actors continually adapt their approaches to avoid detection and find new ways to target users using sophisticated methods. Malicious software is frequently disguised as legitimate software to trick users into installing it.

Users should be wary of activating the required permissions even in apps distributed through well-known app portals like Google Play Store – since we have observed banking malware increasingly exploiting the Accessibility Service on Android devices.

Our Recommendations:

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

  • Download and install software only from official app portals such as Google Play Store.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Users should be careful while enabling any permissions on their devices.
  • If you find any suspicious applications on your device, uninstall, or delete them immediately. 
  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Use strong passwords and enable two-factor authentication. 

Additionally, if New Zealand users come across these fraudulent text messages that are in loops, Cert.govt.nz has offered some tips on its official website. We have also asked users to follow their suggestions and report incidents to the officials via the shared phone number listed on their blog website.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Defense EvasionT1418 Application Discovery
Defense EvasionT1406Obfuscated Files or Information
Credential Access/CollectionT1409Access Stored Application Data
DiscoveryT1421System Network Connections Discovery
DiscoveryT1422System Network Configuration Discovery
Discovery/CollectionT1430Location Tracking
DiscoveryT1426System Information Discovery
DiscoveryT1424Process Discovery
CollectionT1432Access Contact List
CollectionT1507Network Information Discovery
Network EffectsT1449Exploit SS7 to Redirect Phone Calls/SMS
ImpactT1447Delete Device Data
ImpactT1448Carrier Billing Fraud

Indicators Of Compromise (IOCs) 

IndicatorsIndicator typeDescription
6e3499a5e63209b34ccc787a7ea57953ff5436b51ca4325ea0da4a958f44ea7bSHA256Malicious APK
c8c0c074c1b5f9a1c0a383b90609cb8c0a0734a5a543af88fafd2b735d54c663SHA256Malicious APK
hxxp://yoquqwxxjttsmuh[.]ru/p.phpURLCommunicating URL
hxxp://gsvjcagswqsaosn[.]ru/p.phpURLCommunicating URL
hxxp://kkwpifwkkxilltk[.]ru/p.phpURLCommunicating URL
hxxp://revgmkegctflpes[.]ru/p.phpURLCommunicating URL
hxxp://diekqueqmlpmofa[.]cn/p.phpURLCommunicating URL
hxxp://asfnfpfibhtrafy[.]ru/p.phpURLCommunicating URL

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.

%d bloggers like this: