apk.flubot

FluBot

aka: Cabassous, FakeChat

PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.

References
2023-04-12 | Spamhaus | Spamhaus Malware Labs | Spamhaus Botnet Threat Update Q1 2023
@techreport{labs:20230412:spamhaus:aa309d1, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q1 2023}}, date = {2023-04-12}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2023-04-18} }
Families: FluBot, Amadey, AsyncRAT, Aurora, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Emotet, IcedID, ISFB, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Rhadamanthys, Sliver, Tofsee, Vidar

2022-10-13 | Spamhaus | Spamhaus Malware Labs | Spamhaus Botnet Threat Update Q3 2022
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} }
Families: FluBot, Arkei Stealer, AsyncRAT, Ave Maria, BumbleBee, Cobalt Strike, DCRat, Dridex, Emotet, Loki Password Stealer (PWS), Nanocore RAT, NetWire RC, NjRAT, QakBot, RecordBreaker, RedLine Stealer, Remcos, Socelars, Tofsee, Vjw0rm

2022-08-16 | Infinitum IT | infinitum IT | FluBot Android Malware Analysis
@online{it:20220816:flubot:b7f7d24, author = {infinitum IT}, title = {{FluBot Android Malware Analysis}}, date = {2022-08-16}, organization = {Infinitum IT}, url = {https://www.infinitumit.com.tr/flubot-zararlisi/}, language = {Turkish}, urldate = {2022-08-17} }
Families: FluBot

2022-06-29 | Fox-IT | Alberto Segura, Rolf Govers | Flubot: the evolution of a notorious Android Banking Malware
@online{segura:20220629:flubot:274bd51, author = {Alberto Segura and Rolf Govers}, title = {{Flubot: the evolution of a notorious Android Banking Malware}}, date = {2022-06-29}, organization = {Fox-IT}, url = {https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/}, language = {English}, urldate = {2022-07-05} }
Families: FluBot

2022-06-01 | Europol | Europol | Takedown of SMS-based FluBot spyware infecting Android phones
@online{europol:20220601:takedown:237ca0d, author = {Europol}, title = {{Takedown of SMS-based FluBot spyware infecting Android phones}}, date = {2022-06-01}, organization = {Europol}, url = {https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones}, language = {English}, urldate = {2022-06-02} }
Families: FluBot

2022-04-12 | Check Point | Check Point Research | March 2022's Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
@online{research:20220412:march:2c56dc6, author = {Check Point Research}, title = {{March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance}}, date = {2022-04-12}, organization = {Check Point}, url = {https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/}, language = {English}, urldate = {2022-04-20} }
Families: Alien, FluBot, Agent Tesla, Emotet

2022-03-29 | NCSC Switzerland | NCSC Switzerland | Woche 12: Schadsoftware «FluBot» in der Schweiz wieder aktiv und Web-Administratoren erhalten Drohmails von angeblich ukrainischen Hackern
@online{switzerland:20220329:woche:0ea4127, author = {NCSC Switzerland}, title = {{Woche 12: Schadsoftware «FluBot» in der Schweiz wieder aktiv und Web-Administratoren erhalten Drohmails von angeblich ukrainischen Hackern}}, date = {2022-03-29}, organization = {NCSC Switzerland}, url = {https://www.ncsc.admin.ch/22w12-de}, language = {German}, urldate = {2022-03-30} }
Families: FluBot

2022-02-07 | ThreatFabric | ThreatFabric | Medusa: a marriage partner as gunslinger
@online{threatfabric:20220207:medusa:285634c, author = {ThreatFabric}, title = {{Medusa: a marriage partner as gunslinger}}, date = {2022-02-07}, organization = {ThreatFabric}, url = {https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html}, language = {English}, urldate = {2022-02-09} }
Families: FluBot, Medusa

2022-02-04 | BitSight | André Tavares | FluBot Malware Persists: Most Prevalent In Germany and Spain
@online{tavares:20220204:flubot:532b2fc, author = {André Tavares}, title = {{FluBot Malware Persists: Most Prevalent In Germany and Spain}}, date = {2022-02-04}, organization = {BitSight}, url = {https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain}, language = {English}, urldate = {2022-02-09} }
Families: FluBot

2022-01-27 | The Hacker News | Ravie Lakshmanan | Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices
@online{lakshmanan:20220127:widespread:9d2fe29, author = {Ravie Lakshmanan}, title = {{Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices}}, date = {2022-01-27}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html}, language = {English}, urldate = {2022-01-31} }
Families: Anatsa, FluBot

2022-01-26 | Bitdefender | Bitdefender | New FluBot and TeaBot Global Malware Campaigns Discovered
@online{bitdefender:20220126:new:587f615, author = {Bitdefender}, title = {{New FluBot and TeaBot Global Malware Campaigns Discovered}}, date = {2022-01-26}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered}, language = {English}, urldate = {2022-02-01} }
Families: Anatsa, FluBot

2022-01-13 | F5 | Dor Nizar, Roy Moshailov | FluBot's Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond
@online{nizar:20220113:flubots:3141376, author = {Dor Nizar and Roy Moshailov}, title = {{FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond}}, date = {2022-01-13}, organization = {F5}, url = {https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond}, language = {English}, urldate = {2022-01-25} }
Families: FluBot

2021-10-01 | CERT NZ | CERT NZ | Text message scam infecting Android phones with FluBot
@online{nz:20211001:text:7c16350, author = {CERT NZ}, title = {{Text message scam infecting Android phones with FluBot}}, date = {2021-10-01}, organization = {CERT NZ}, url = {https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/}, language = {English}, urldate = {2021-10-20} }
Families: FluBot

2021-09-14 | Telekom | Thomas Barabosch | Flubot's Smishing Campaigns under the Microscope
@online{barabosch:20210914:flubots:a0b25c3, author = {Thomas Barabosch}, title = {{Flubot’s Smishing Campaigns under the Microscope}}, date = {2021-09-14}, organization = {Telekom}, url = {https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368}, language = {English}, urldate = {2021-09-22} }
Families: Anatsa, FluBot

2021-09-09 | cyble | Cyble | FluBot Variant Masquerading As The Default Android Voicemail App
@online{cyble:20210909:flubot:02a6d7c, author = {Cyble}, title = {{FluBot Variant Masquerading As The Default Android Voicemail App}}, date = {2021-09-09}, organization = {cyble}, url = {https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/}, language = {English}, urldate = {2021-09-19} }
Families: FluBot

2021-08-17 | Netcraft | Sean Gebbett | Resurgent FluBot malware targets German and Polish banks
@online{gebbett:20210817:resurgent:177637f, author = {Sean Gebbett}, title = {{Resurgent FluBot malware targets German and Polish banks}}, date = {2021-08-17}, organization = {Netcraft}, url = {https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html}, language = {English}, urldate = {2021-08-20} }
Families: FluBot

2021-08-04 | Netcraft | Graham Edgecombe | FluBot malware spreads to Australia
@online{edgecombe:20210804:flubot:fdd81a2, author = {Graham Edgecombe}, title = {{FluBot malware spreads to Australia}}, date = {2021-08-04}, organization = {Netcraft}, url = {https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html}, language = {English}, urldate = {2021-08-20} }
Families: FluBot

2021-06-19 | SWITCH Security Blog | Daniel Stirnimann | Android FluBot enters Switzerland
@online{stirnimann:20210619:android:ecea911, author = {Daniel Stirnimann}, title = {{Android FluBot enters Switzerland}}, date = {2021-06-19}, organization = {SWITCH Security Blog}, url = {https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/}, language = {English}, urldate = {2021-06-22} }
Families: FluBot

2021-06-13 | Twitter (@alberto__segura) | Alberto Segura | Tweet on Flubot version 4.6
@online{segura:20210613:flubot:f2d4a14, author = {Alberto Segura}, title = {{Tweet on Flubot version 4.6}}, date = {2021-06-13}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1404098461440659459}, language = {English}, urldate = {2021-06-21} }
Families: FluBot

2021-06-09 | Twitter (@alberto__segura) | Alberto Segura | Tweet on Flubt version 4.5
@online{segura:20210609:flubt:d365192, author = {Alberto Segura}, title = {{Tweet on Flubt version 4.5}}, date = {2021-06-09}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1402615237296148483}, language = {English}, urldate = {2021-06-21} }
Families: FluBot

2021-06-03 | Twitter (@alberto__segura) | Alberto Segura | Tweet on decrypting FluBot strings
@online{segura:20210603:decrypting:10a9e23, author = {Alberto Segura}, title = {{Tweet on decrypting FluBot strings}}, date = {2021-06-03}, organization = {Twitter (@alberto__segura)}, url = {https://mobile.twitter.com/alberto__segura/status/1400396365759500289}, language = {English}, urldate = {2021-06-29} }
Families: FluBot

2021-06-01 | Bitdefender | Alin Mihai Barbatei, Oana Asoltanei, Silviu Stahie | Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android
@online{barbatei:20210601:threat:83b0dfc, author = {Alin Mihai Barbatei and Oana Asoltanei and Silviu Stahie}, title = {{Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android}}, date = {2021-06-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/}, language = {English}, urldate = {2021-06-09} }
Families: Anatsa, FluBot

2021-05-31 | Twitter (@alberto__segura) | Alberto Segura | Tweet on Flubot version 4.4
@online{segura:20210531:flubot:8657f6d, author = {Alberto Segura}, title = {{Tweet on Flubot version 4.4}}, date = {2021-05-31}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1399249798063087621?s=20}, language = {English}, urldate = {2021-06-09} }
Families: FluBot

2021-05-21 | Twitter (@alberto__segura) | Alberto Segura | Tweet on Flubt version 4.2 (p.php variant) with new AES strings encryption
@online{segura:20210521:flubt:4fd3961, author = {Alberto Segura}, title = {{Tweet on Flubt version 4.2 (p.php variant) with new AES strings encryption}}, date = {2021-05-21}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1395675479194095618}, language = {English}, urldate = {2021-06-21} }
Families: FluBot

2021-05-14 | NortonLifeLock | Armin Buescher, Gokulakrishnan S | How Flubot targets Android phone users and their money
@online{buescher:20210514:how:23df023, author = {Armin Buescher and Gokulakrishnan S}, title = {{How Flubot targets Android phone users and their money}}, date = {2021-05-14}, organization = {NortonLifeLock}, url = {https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users}, language = {English}, urldate = {2021-05-19} }
Families: FluBot

2021-05-05 | zimperium | Jon Paterson | Flubot vs. Zimperium
@online{paterson:20210505:flubot:c917ba6, author = {Jon Paterson}, title = {{Flubot vs. Zimperium}}, date = {2021-05-05}, organization = {zimperium}, url = {https://blog.zimperium.com/flubot-vs-zimperium/}, language = {English}, urldate = {2021-05-08} }
Families: FluBot

2021-04-29 | IBM | Ben Wagner | The Story of FakeChat
@online{wagner:20210429:story:79bd16a, author = {Ben Wagner}, title = {{The Story of FakeChat}}, date = {2021-04-29}, organization = {IBM}, url = {https://securityintelligence.com/posts/story-of-fakechat-malware/}, language = {English}, urldate = {2021-05-03} }
Families: FluBot

2021-04-27 | Proofpoint | Crista Giering, fnaves, Andrew Conway, Adam McNeil | FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon
@online{giering:20210427:flubot:3b61899, author = {Crista Giering and fnaves and Andrew Conway and Adam McNeil}, title = {{FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon}}, date = {2021-04-27}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon}, language = {English}, urldate = {2021-05-04} }
Families: FluBot

2021-04-26 | The Record | Catalin Cimpanu | Despite arrests in Spain, FluBot operations explode across Europe and Japan
@online{cimpanu:20210426:despite:4069a05, author = {Catalin Cimpanu}, title = {{Despite arrests in Spain, FluBot operations explode across Europe and Japan}}, date = {2021-04-26}, organization = {The Record}, url = {https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/}, language = {English}, urldate = {2021-06-29} }
Families: FluBot

2021-04-21 | Twitter (@alberto__segura) | Alberto Segura | Tweet on FluBot Version 4.0
@online{segura:20210421:flubot:2b590e4, author = {Alberto Segura}, title = {{Tweet on FluBot Version 4.0}}, date = {2021-04-21}, organization = {Twitter (@alberto__segura)}, url = {https://twitter.com/alberto__segura/status/1384840011892285440}, language = {English}, urldate = {2021-04-28} }
Families: FluBot

2021-04-19 | nviso | Jeroen Beckers | How to analyze mobile malware: a Cabassous/FluBot Case study
@online{beckers:20210419:how:60ec572, author = {Jeroen Beckers}, title = {{How to analyze mobile malware: a Cabassous/FluBot Case study}}, date = {2021-04-19}, organization = {nviso}, url = {https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/}, language = {English}, urldate = {2021-04-28} }
Families: FluBot

2021-03-29 | Medium (Cryptax) | Axelle Apvrille | Android/Flubot: preparing for a new campaign?
@online{apvrille:20210329:androidflubot:01484cd, author = {Axelle Apvrille}, title = {{Android/Flubot: preparing for a new campaign?}}, date = {2021-03-29}, organization = {Medium (Cryptax)}, url = {https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06}, language = {English}, urldate = {2021-03-31} }
Families: FluBot

2021-03-16 | Medium CSIS Techblog | Aleksejs Kuprins | The Brief Glory of Cabassous/FluBot: a private Android banking botnet
@online{kuprins:20210316:brief:895027b, author = {Aleksejs Kuprins}, title = {{The Brief Glory of Cabassous/FluBot — a private Android banking botnet}}, date = {2021-03-16}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027}, language = {English}, urldate = {2021-03-24} }
Families: FluBot

2021-03-08 | The Record | Catalin Cimpanu | FluBot Malware Gang Arrested in Barcelona
@online{cimpanu:20210308:flubot:306fd8b, author = {Catalin Cimpanu}, title = {{FluBot Malware Gang Arrested in Barcelona}}, date = {2021-03-08}, organization = {The Record}, url = {https://therecord.media/flubot-malware-gang-arrested-in-barcelona/}, language = {English}, urldate = {2021-06-29} }
Families: FluBot

2021-03-08 | PRODAFT Threat Intelligence | PRODAFT | FluBot - Malware Analysis Report
@techreport{prodaft:20210308:flubot:c691c53, author = {PRODAFT}, title = {{FluBot - Malware Analysis Report}}, date = {2021-03-08}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/FluBot_4.pdf}, language = {English}, urldate = {2022-03-23} }
Families: FluBot

2021-03-05 | Medium walmartglobaltech | Jason Reaves | A look at an Android bot from unpacking to DGA
@online{reaves:20210305:look:71fca27, author = {Jason Reaves}, title = {{A look at an Android bot from unpacking to DGA}}, date = {2021-03-05}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9}, language = {English}, urldate = {2021-03-11} }
Families: FluBot

2021-03-02 | Hispasec | Hispasec Sistemas | Campaña Fedex Banker
@techreport{sistemas:20210302:campaa:7faa602, author = {Hispasec Sistemas}, title = {{Campaña Fedex Banker}}, date = {2021-03-02}, institution = {Hispasec}, url = {https://hispasec.com/resources/FedexBanker.pdf}, language = {Spanish}, urldate = {2021-06-29} }
Families: FluBot

2021-02-11 | Twitter (@malwrhunterteam) | MalwareHunterTeam | Tweet on one of the first Fedex-themed lures for FluBot
@online{malwarehunterteam:20210211:one:7cecd47, author = {MalwareHunterTeam}, title = {{Tweet on one of the first Fedex-themed lures for FluBot}}, date = {2021-02-11}, organization = {Twitter (@malwrhunterteam)}, url = {https://twitter.com/malwrhunterteam/status/1359939300238983172}, language = {English}, urldate = {2021-06-29} }
Families: FluBot
Yara Rules
[TLP:WHITE] apk_flubot_w0 (20210914 | matches on dumped, decrypted V/DEX files of Flubot version > 4.2)
rule apk_flubot_w0 {
    meta:
        author = "Thomas Barabosch, Telekom Security"
        version = "20210720"
        description = "matches on dumped, decrypted V/DEX files of Flubot version > 4.2"
        sample = "37be18494cd03ea70a1fdd6270cef6e3"
        source = "https://github.com/telekom-security/malware_analysis/tree/main/flubot"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot"
        malpedia_version = "20210914"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $dex = "dex"
        $vdex = "vdex"
        $s1 = "LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE"
        $s2 = "java/net/HttpURLConnection;"
        $s3 = "java/security/spec/X509EncodedKeySpec;"
        $s4 = "MANUFACTURER"

    condition:
        ($dex at 0 or $vdex at 0)
        and 3 of ($s*)
}