S1067 FluBot
FluBot is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.[1][2]
Item | Value |
---|---|
ID | S1067 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 28 February 2023 |
Last Modified | 31 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1517 | Access Notifications | FluBot can access app notifications.[1] |
mobile | T1437 | Application Layer Protocol | - |
mobile | T1437.001 | Web Protocols | FluBot can use HTTP POST requests on port 80 for communicating with its C2 server.[1] |
mobile | T1637 | Dynamic Resolution | - |
mobile | T1637.001 | Domain Generation Algorithms | FluBot can use Domain Generation Algorithms to connect to the C2 server.[1] |
mobile | T1521 | Encrypted Channel | - |
mobile | T1521.002 | Asymmetric Cryptography | FluBot has encrypted C2 message bodies with RSA and encoded them in base64.[1] |
mobile | T1646 | Exfiltration Over C2 Channel | FluBot can send contact lists to its C2 server.[1] |
mobile | T1628 | Hide Artifacts | - |
mobile | T1628.002 | User Evasion | FluBot can use locale.getLanguage() to choose the language for notifications and avoid user detection.[1] |
mobile | T1629 | Impair Defenses | - |
mobile | T1629.001 | Prevent Application Removal | FluBot can use Accessibility Services to make removal of the malicious app difficult.[2] |
mobile | T1629.003 | Disable or Modify Tools | FluBot can disable Google Play Protect to prevent detection.[1] |
mobile | T1417 | Input Capture | - |
mobile | T1417.002 | GUI Input Capture | FluBot can add display overlays onto banking apps to capture credit card information.[1] |
mobile | T1406 | Obfuscated Files or Information | FluBot can obfuscate class, string, and method names in newer malware versions.[1] |
mobile | T1636 | Protected User Data | - |
mobile | T1636.003 | Contact List | FluBot can retrieve the contacts list from an infected device.[1] |
mobile | T1636.004 | SMS Messages | FluBot can intercept SMS messages and USSD messages from telecom operators.[1] |
mobile | T1604 | Proxy Through Victim | FluBot can use a SOCKS proxy to evade C2 IP detection.[1] |
mobile | T1582 | SMS Control | FluBot can send SMS phishing messages to other contacts on an infected device.[1][2] |
References
1. Crista Giering, F. Naves, Andrew Conway, Adam McNeil. (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.
2. Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. Retrieved February 28, 2023.