fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

FluBot Malware Now Targets Europe Posing as Flash Player App

FluBot Malware Now Targets Europe Posing as Flash Player App

The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features.

FluBot is an Android banking trojan that steals credentials by displaying overlay login forms against many banks worldwide.

The smishing (SMS phishing) lures for its distribution include fake security updatesfake Adobe Flash Playersvoicemail memos, and impersonating parcel delivery notices.

Once in the device, FluBot can steal online banking credentials, send or intercept SMS messages (and one-time passwords), and capture screenshots.

Because the malware uses the victim’s device to send new smishing messages to all their contacts, it usually spreads like wildfire.

Also Read: 8 Simple Ways To Improve Your Website Protection

FluBot spread process diagram
FluBot spread process diagram
Source: F5 Labs

Impersonating Flash Player

MalwareHunterTeam told BleepingComputer that new FluBot campaigns are distributed using SMS texts asking the recipient if they intended to upload a video from their device.

An example of this campaign’s SMS text targeting Polish recipients was shared by CSIRT KNF, as seen below.

FluBot SMS text asking if the user uploaded a video
FluBot SMS text asking if the user uploaded a video
Source: CSIRT KNF

When recipients click on the included link, they are brought to a page offering a fake Flash Player APK [VirusTotal] that installs the FluBot malware on the Android device.

Also Read: 6 Simple Guides On PDPA Clause For Agreements Of Personal Data

FluBot fake Flash Player attack chain
FluBot fake Flash Player attack chain
Source: CSIRT KNF

Android users should always avoid installing apps from APKs hosted at remote sites to protect themselves from malware. This practice is especially true for well-known brands, like Adobe, whose apps should only be installed from trusted locations.

New features in recent FluBot versions

The most recent major release is version 5.0, which came out in early December 2021, while version 5.2 saw the light only a few days ago.

With this release, the DGA (domain generation algorithm) system received much attention from the malware authors, as it’s vital in enabling the actors to operate unobstructed.

DGA generates many new C2 domains on the fly, making mitigation measures such as DNS blocklists ineffective.

In its newest version, FluBot’s DGA uses 30 top-level domains instead of just three used previously and also features a command that enables attackers to change the seed remotely.

Function responsible for domain generation
Function responsible for domain generation
Source: F5 Labs

On the communication side, the new FluBot now connects to the C2 through DNS tunneling over HTTPS, whereas previously, it used direct HTTPS port 443.

The commands added on the malware in versions 5.0, 5.1, and 5.2, are the following:

  • Update DNS resolvers
  • Update the DGA seed remotely
  • Send longer SMS messages using multi-part division functions

Along with the above, the latest version of FluBot retains the capability to:

  • Open URLs on demand
  • Get the victim’s contact list
  • Uninstall existing apps
  • Disable Android Battery Optimization
  • Abuse Android Accessibility Service for screen grabbing and keylogging
  • Perform calls on demand
  • Disable Play Protect
  • Intercept and hide new SMS messages for stealing OTPs
  • Upload SMS with victim information to C2
  • Get list of apps to load the corresponding overlay injects

In summary, FluBot hasn’t deprecated any commands used in previous versions and only enriched its capabilities with new ones.

For more technical details on how exactly the latest version of FluBot works, check out the F5 Labs report.

How to stay safe from FluBot

Note that in many cases, a link to download FluBot will arrive on your device via one of your contacts, maybe even a friend or family.

As such, if you receive an unusual SMS that contains a URL and urges you to click it, it’s likely a message generated by FluBot.

Finally, avoid installing APK files from unusual sources, regularly check that Google Play Protect is enabled on your Android device, and use a mobile security solution from a reputable vendor.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us