apk.flubot

FluBot

aka: Cabassous, FakeChat

PRODAFT describes FluBot as a banking malware that originally targeted Spain. Since the first quarter of 2021 it has also been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite the arrest of multiple people suspected of involvement with this malware in March 2021, the campaign has only intensified since.

References
2021-09-14, Thomas Barabosch (Telekom): https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368 (English, accessed 2021-09-14). Families: Anatsa, FluBot
2021-09-09, Cyble (cyble): "FluBot Variant Masquerading As The Default Android Voicemail App". https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/ (English, accessed 2021-09-19). Families: FluBot
2021-08-17, Sean Gebbett (Netcraft): "Resurgent FluBot malware targets German and Polish banks". https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html (English, accessed 2021-08-20). Families: FluBot
2021-08-04, Graham Edgecombe (Netcraft): "FluBot malware spreads to Australia". https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html (English, accessed 2021-08-20). Families: FluBot
2021-06-19, Daniel Stirnimann (SWITCH Security Blog): "Android FluBot enters Switzerland". https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/ (English, accessed 2021-06-22). Families: FluBot
2021-06-13, Alberto Segura (Twitter, @alberto__segura): "Tweet on Flubot version 4.6". https://twitter.com/alberto__segura/status/1404098461440659459 (English, accessed 2021-06-21). Families: FluBot
2021-06-09, Alberto Segura (Twitter, @alberto__segura): "Tweet on Flubot version 4.5". https://twitter.com/alberto__segura/status/1402615237296148483 (English, accessed 2021-06-21). Families: FluBot
2021-06-03, Alberto Segura (Twitter, @alberto__segura): "Tweet on decrypting FluBot strings". https://mobile.twitter.com/alberto__segura/status/1400396365759500289 (English, accessed 2021-06-29). Families: FluBot
2021-06-01, Alin Mihai Barbatei, Oana Asoltanei, Silviu Stahie (Bitdefender): "Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android". https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/ (English, accessed 2021-06-09). Families: Anatsa, FluBot
2021-05-31, Alberto Segura (Twitter, @alberto__segura): "Tweet on Flubot version 4.4". https://twitter.com/alberto__segura/status/1399249798063087621?s=20 (English, accessed 2021-06-09). Families: FluBot
2021-05-21, Alberto Segura (Twitter, @alberto__segura): "Tweet on Flubot version 4.2 (p.php variant) with new AES strings encryption". https://twitter.com/alberto__segura/status/1395675479194095618 (English, accessed 2021-06-21). Families: FluBot
2021-05-14, Armin Buescher, Gokulakrishnan S (NortonLifeLock): "How Flubot targets Android phone users and their money". https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users (English, accessed 2021-05-19). Families: FluBot
2021-05-05, Jon Paterson (zimperium): "Flubot vs. Zimperium". https://blog.zimperium.com/flubot-vs-zimperium/ (English, accessed 2021-05-08). Families: FluBot
2021-04-29, Ben Wagner (IBM): "The Story of FakeChat". https://securityintelligence.com/posts/story-of-fakechat-malware/ (English, accessed 2021-05-03). Families: FluBot
2021-04-27, Crista Giering, fnaves, Andrew Conway, Adam McNeil (Proofpoint): "FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon". https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon (English, accessed 2021-05-04). Families: FluBot
2021-04-26, Catalin Cimpanu (The Record): "Despite arrests in Spain, FluBot operations explode across Europe and Japan". https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/ (English, accessed 2021-06-29). Families: FluBot
2021-04-21, Alberto Segura (Twitter, @alberto__segura): "Tweet on FluBot Version 4.0". https://twitter.com/alberto__segura/status/1384840011892285440 (English, accessed 2021-04-28). Families: FluBot
2021-04-19, Jeroen Beckers (nviso): "How to analyze mobile malware: a Cabassous/FluBot Case study". https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/ (English, accessed 2021-04-28). Families: FluBot
2021-03-29, Axelle Apvrille (Medium (Cryptax)): "Android/Flubot: preparing for a new campaign?". https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06 (English, accessed 2021-03-31). Families: FluBot
2021-03-16, Aleksejs Kuprins (Medium CSIS Techblog): "The Brief Glory of Cabassous/FluBot — a private Android banking botnet". https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027 (English, accessed 2021-03-24). Families: FluBot
2021-03-08, Catalin Cimpanu (The Record): "FluBot Malware Gang Arrested in Barcelona". https://therecord.media/flubot-malware-gang-arrested-in-barcelona/ (English, accessed 2021-06-29). Families: FluBot
2021-03-08, Ahmet Bilal Can (PRODAFT Threat Intelligence), technical report: "FluBot - Malware Analysis Report". https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf (English, accessed 2021-03-22). Families: FluBot
2021-03-05, Jason Reaves (Medium walmartglobaltech): "A look at an Android bot from unpacking to DGA". https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9 (English, accessed 2021-03-11). Families: FluBot
2021-03-02, Hispasec Sistemas (Hispasec), technical report: "Campaña Fedex Banker" [Fedex Banker campaign]. https://hispasec.com/resources/FedexBanker.pdf (Spanish, accessed 2021-06-29). Families: FluBot
2021-02-11, MalwareHunterTeam (Twitter, @malwrhunterteam): "Tweet on one of the first Fedex-themed lures for FluBot". https://twitter.com/malwrhunterteam/status/1359939300238983172 (English, accessed 2021-06-29). Families: FluBot
Yara Rules
[TLP:WHITE] apk_flubot_w0 (20210914 | matches on dumped, decrypted V/DEX files of Flubot version > 4.2)
rule apk_flubot_w0 {
    meta:
        author = "Thomas Barabosch, Telekom Security"
        version = "20210720"
        description = "matches on dumped, decrypted V/DEX files of Flubot version > 4.2"
        sample = "37be18494cd03ea70a1fdd6270cef6e3"
        source = "https://github.com/telekom-security/malware_analysis/tree/main/flubot"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot"
        malpedia_version = "20210914"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $dex = "dex"
        $vdex = "vdex"
        $s1 = "LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE"
        $s2 = "java/net/HttpURLConnection;"
        $s3 = "java/security/spec/X509EncodedKeySpec;"
        $s4 = "MANUFACTURER"

    condition:
        ($dex at 0 or $vdex at 0)
        and 3 of ($s*)
}
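To make explicit what the rule's condition actually requires, the following is an added example (not code from Malpedia or from Telekom Security): a plain-Python re-evaluation of the apk_flubot_w0 logic run against constructed buffers. The string atoms and the condition (magic at offset 0, at least three of the four $s* strings) are copied from the rule above; the three buffers are constructed stand-ins, not real samples, and the function and constant names are this example's own.

```python
"""Plain-Python re-evaluation of the apk_flubot_w0 YARA rule (added example).

Constants mirror the rule's strings; the buffers at the bottom are constructed
inputs, not real FluBot artifacts.
"""
from __future__ import annotations

# Magic atoms from the rule: `$dex = "dex"`, `$vdex = "vdex"`, both required "at 0".
MAGIC = (b"dex", b"vdex")

# The four $s* strings from the rule; YARA's plain text strings are
# case-sensitive ASCII, which `bytes in bytes` reproduces exactly.
STRINGS = {
    "s1": b"LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE",
    "s2": b"java/net/HttpURLConnection;",
    "s3": b"java/security/spec/X509EncodedKeySpec;",
    "s4": b"MANUFACTURER",
}


def has_dex_magic(data: bytes) -> bool:
    """Equivalent of `($dex at 0 or $vdex at 0)`: the magic must sit at offset 0,
    not merely occur somewhere in the buffer."""
    return any(data.startswith(m) for m in MAGIC)


def matched_strings(data: bytes) -> set[str]:
    """Names of the $s* strings present anywhere in the buffer."""
    return {name for name, needle in STRINGS.items() if needle in data}


def apk_flubot_w0(data: bytes) -> bool:
    """Full rule condition: magic at offset 0 AND `3 of ($s*)`."""
    return has_dex_magic(data) and len(matched_strings(data)) >= 3


def scan(samples: dict[str, bytes]) -> dict[str, bool]:
    """Evaluate the rule over a name -> buffer mapping."""
    return {name: apk_flubot_w0(buf) for name, buf in samples.items()}


# --- constructed inputs (not real samples) ---------------------------------
# 1) Stand-in for a dumped, decrypted DEX: real DEX files begin with "dex\n035\0"
#    and the class/method names the rule looks for appear in the string table.
DECRYPTED_DEX = (
    b"dex\n035\x00" + b"\x00" * 32
    + b"Ljava/net/HttpURLConnection;\x00"
    + b"Ljava/security/spec/X509EncodedKeySpec;\x00"
    + b"MANUFACTURER\x00"
    + b"LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE\x00"
)
# 2) Stand-in for the packed APK on disk: a zip container whose payload is still
#    encrypted, so none of the plaintext strings are present -> no match.
PACKED_APK = b"PK\x03\x04" + bytes(range(256)) * 2
# 3) A dump that still carries a 16-byte leading header: all four strings are
#    there, but the magic is not at offset 0 -> no match.
OFFSET_DUMP = b"\x00" * 16 + DECRYPTED_DEX

SAMPLES = {
    "decrypted_dex": DECRYPTED_DEX,
    "packed_apk": PACKED_APK,
    "offset_dump": OFFSET_DUMP,
}

if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:14s} matched={hit} strings={sorted(matched_strings(SAMPLES[name]))}")
```

The third buffer is the case worth remembering when using this rule: a memory dump that is not trimmed to the DEX/VDEX header carries every string the rule wants but still fails the `at 0` check, which is why the rule is scoped to dumped, decrypted V/DEX files rather than raw process memory or the packed APK.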