FluBot 4.0 UK

This is a quick post on a malware strain recently identified being delivered to the UK public. I will update this post as and when more information becomes available.

On the 21st of April, I was made aware of suspicious SMS messages being delivered to members of the public in the UK. The message was supposedly from DHL regarding a package delivery, with a tracking link. I initially suspected this was another of the common smishing campaigns currently targeting other courier brands such as Royal Mail and Hermes, and decided to investigate.

Looking into this a bit further, though, it was clear the URLs being reported didn't match what we commonly see. These appeared to be a mixture of compromised sites and randomly generated domain names, each with what appeared to be a random subdirectory in the URL.

Messages also appeared to come from numbers originating on Germany's O2 network:

DHL: Your parcel is arriving, track here: (multiple domains)
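The three traits described above (courier lure text, a tracking link on a domain that is not the courier's own, with a short random path segment, and a German sending number) can be turned into a simple triage rule. The following is an added example, not code from the original post: the sample messages are constructed, the courier allowlist is an assumption for illustration, and the sender check only uses the +49 country code rather than any specific O2 number ranges.

```python
"""Triage rule for the smishing pattern described in the post (added example).

Assumptions (not from the post): the courier allowlist below, the 'random
path' heuristic (a single alphanumeric segment of 5+ characters), and the
constructed SAMPLES. Sender checks use only the +49 country code.
"""
import re
from urllib.parse import urlparse

# Hostnames a genuine DHL / Royal Mail / Hermes tracking link would use.
# Assumed allowlist for the example; extend for a real deployment.
COURIER_ALLOWLIST = {"dhl.com", "dhl.co.uk", "royalmail.com", "myhermes.co.uk"}

LURE_RE = re.compile(r"\b(parcel|package|delivery)\b.*\b(track|arriving)\b", re.I)
URL_RE = re.compile(r"https?://[^\s]+", re.I)
# One short alphanumeric segment and nothing else, e.g. /k3fj9q
RANDOM_PATH_RE = re.compile(r"^/[A-Za-z0-9]{5,}/?$")


def is_allowlisted(host: str) -> bool:
    """True if host is an allowlisted courier domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in COURIER_ALLOWLIST)


def triage(sender: str, body: str) -> list[str]:
    """Return the list of indicator names matched by one SMS."""
    reasons = []
    if sender.startswith("+49"):
        reasons.append("sender_german_number")
    if LURE_RE.search(body):
        reasons.append("courier_lure_text")
    for url in URL_RE.findall(body):
        parsed = urlparse(url.rstrip(".,)"))
        host = parsed.hostname or ""
        if not is_allowlisted(host):
            reasons.append(f"non_courier_domain:{host}")
        if RANDOM_PATH_RE.match(parsed.path or ""):
            reasons.append("random_path_segment")
    return reasons


def is_suspicious(sender: str, body: str) -> bool:
    """Flag a message that carries courier lure text plus a non-courier link.

    The sender and random-path indicators are kept as supporting context
    rather than required, since the campaign mixed compromised sites and
    DGA domains and senders can change.
    """
    reasons = triage(sender, body)
    return "courier_lure_text" in reasons and any(
        r.startswith("non_courier_domain") for r in reasons
    )


# Constructed samples: a lure on a reserved .example TLD with a random path,
# and a benign message pointing at the genuine DHL tracking site.
SAMPLES = [
    ("+491761234567",
     "DHL: Your parcel is arriving, track here: http://qzxwvtrkl.example/k3fj9q"),
    ("+447700900123",
     "DHL: Your parcel is arriving, track here: https://www.dhl.com/gb-en/home/tracking.html"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(is_suspicious(sender, body), triage(sender, body))
```

The lure text alone is not enough to flag a message, since genuine DHL notifications use similar wording; the rule only fires when the link goes somewhere other than an allowlisted courier domain.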

Standing up a VM, I then proceeded to visit some of the links but was met with a redirect to glbtraffic[.]com advertising a VPN service. This didn't seem right, but after a little work together with another researcher, JCyberSec_, we quickly realised the intended landing page was set up to accept requests only from Android user agents.

Once I made a quick change to an Android UA, I was presented with the below webpage.

The "download application" button links to htechcodes[.]com followed by a random string, which downloads the main payload, dhl.apk.

Before installing the app on a test device I ran the APK through VirusTotal; the full report can be found here.

At this point, it was clear what was being delivered was FluBot. FluBot is a rogue application (Android banking malware) targeting Android phones. Criminals distribute it through SMS messages, primarily targeting German-, Polish- and Hungarian-speaking countries from the end of 2020 until now.

Admittedly I'm not exactly proficient in APK analysis, so I decided to do a bit more research. In doing so I came across a really detailed post by Twitter user s_metanka that can be found here.

From this I found that the application has a range of capabilities to take over and interact with infected devices. Chiefly, it generates overlays for common banking apps: when the victim opens their banking app, the malware draws a spoofed login page over the genuine one, and the credentials the victim types in are sent to the attackers' command and control server. The malware can also read and write SMS, so when the victim receives a one-time password for their banking account, that too is forwarded to the attackers.

It doesn't stop there, I'm afraid: it then takes a copy of the victim's contact list, forwards it to the command and control servers, and attaches the victim's handset to the botnet, to be used to spam out further messages.

What can be done?

Some degree of prevention can be implemented by ISPs because of the way the creators of this malware implemented the DGA (domain generation algorithm). As mentioned in the blog post I referred to earlier:

“Usually a malware with a DGA module will begin its domain generation from a given seed value, like a short string. This value can be frequently updated by the criminals in order to prevent the investigators from being able to predict their future domains and blocking them all before they are ever used. However, the authors of Cabassous took a different approach: the seed of their algorithm is the combined string of the digits of the current year and month. They have also not added any mechanism to update the seed, or the malware itself. Basically, this means that anyone can run their malware on an analysis device with a system date set to the next month and predict all of the future generated domains. They can then block all of these domains on the DNS level within their organization.”

As of version 4.0, the UK variant uses a seed value for its DGA, so the simple date-based prediction described above no longer applies.
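To make the quoted point concrete, here is an added, hypothetical date-seeded DGA (not FluBot's real algorithm, whose character set, domain count and TLDs are not given in this post). It shows why a seed made only of the current year and month lets a resolver operator precompute next month's domains for DNS blocking, and how an operator-chosen salt of the kind the 4.0 UK variant reportedly added breaks that prediction. The alphabet, TLD list and domain counts are assumptions for illustration.

```python
"""Illustrative date-seeded DGA and the blocklist precomputation it allows.

HYPOTHETICAL generator written for this post; it is not FluBot's actual
algorithm. It reproduces only the design property the quoted analysis
describes: the seed is derived entirely from the current year and month,
so setting the clock forward yields next month's domains.
"""
import hashlib
from datetime import date

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # assumed
TLDS = ("com", "net", "ru")                # assumed, not the real TLD list


def dga(year: int, month: int, count: int = 10, salt: str = "") -> list[str]:
    """Return `count` domains for the given year/month.

    The seed is the digits of the year and month, optionally prefixed by an
    operator-chosen salt. With salt == "" this mirrors the predictable
    design in the quote; a non-empty salt models the 'seed value' that
    the 4.0 UK variant is said to have introduced.
    """
    seed = f"{salt}{year:04d}{month:02d}".encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def next_month(today: date) -> tuple[int, int]:
    """(year, month) of the month following `today`."""
    return (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)


def precompute_blocklist(today: date, count: int = 10) -> list[str]:
    """What a resolver operator can do against the unsalted design: generate
    this month's and next month's domains ahead of time for DNS blocking."""
    y, m = next_month(today)
    return sorted(set(dga(today.year, today.month, count) + dga(y, m, count)))


def prediction_works(today: date, salt: str = "") -> bool:
    """True if a defender who does not know the salt still derives exactly
    the set of domains the malware will use next month."""
    y, m = next_month(today)
    defender = set(dga(y, m, salt=""))
    malware = set(dga(y, m, salt=salt))
    return defender == malware


if __name__ == "__main__":
    today = date(2021, 4, 21)
    print("\n".join(precompute_blocklist(today)))
    print("unsalted predictable:", prediction_works(today))
    print("salted predictable:  ", prediction_works(today, salt="k7"))
```

The salt only has to be unknown to the defender, not cryptographically strong: once the seed contains anything the defender cannot derive from the calendar, the clock-forward trick stops working and domains have to be recovered from samples or traffic instead.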

If you do find yourself infected by this, there are posts online on how to remove the malware. Personally, though, I would recommend backing up your important data from the device, resetting it to factory settings, changing all your passwords and contacting your bank.

List of Capabilities

Intercept SMS messages
Send SMS messages and automated contact list spam
Display overlays/injects for banking and cryptocurrency apps, as well as a generic credit card phishing screen
Steal contacts
Open URLs
Disable PlayProtect
Run USSD commands
Uninstall App
SOCKS proxy

Current IOCs

File: dhl.apk
IP: 104.236.222[.]78 (DigitalOcean)
Domain: htechcodes[.]com
MD5: 20e51a131a1813d3bad165a8ed26b0b8
SHA-1: 8749b208587c65d0c8eaef32d34f1629dd303385
SHA-256: beda324f7ea10d60cf197a190cf36d30998ebe474c51370475c1e8ad2ab126d1
Vhash: b0c9172825df0f630ae38eb2af9f301f
SSDEEP: 98304:4Ki5SCCYvdjZRFJfAC79E7KAhsfQI7mf1pdRz:OSCTj7FJpS7lhCkzz
TLSH: T148F52326979FF42ED123F337E16837B3591D009C4A14FE512A2EE59C4EEBD809A61B4C
File size: 3.36 MB (3520471 bytes)

Summary

This is a sophisticated attack not seen in the UK until now. Although I imagine the success rate would be low, since a victim has to be expecting something from DHL, find the random domain in the SMS convincing, and then go as far as following the instructions to install an unofficial application, with the number of SMS being sent out even a 0.1% success rate could be very profitable. FluBot isn't a one-time thing; now that it's in the UK, it's going to be here to stay for some time.
