FluBot (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

apk.flubot (Back to overview)

FluBot

aka: Cabassous, FakeChat

PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it's C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.

References

2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update July to December 2024
Coper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot DCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc

2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2024
Coper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT QakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver

2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver

2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar

2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar

2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm

2022-08-16 ⋅ ⋅ Infinitum IT ⋅ infinitum IT
FluBot Android Malware Analysis
FluBot

2022-06-29 ⋅ Fox-IT ⋅ Alberto Segura, Rolf Govers
Flubot: the evolution of a notorious Android Banking Malware
FluBot

2022-06-01 ⋅ Europol ⋅ Europol
Takedown of SMS-based FluBot spyware infecting Android phones
FluBot

2022-04-12 ⋅ Check Point ⋅ Check Point Research
March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
Alien FluBot Agent Tesla Emotet

2022-03-29 ⋅ ⋅ NCSC Switzerland ⋅ NCSC Switzerland
Woche 12: Schadsoftware «FluBot» in der Schweiz wieder aktiv und Web-Administratoren erhalten Drohmails von angeblich ukrainischen Hackern
FluBot

2022-02-07 ⋅ ThreatFabric ⋅ ThreatFabric
Medusa: a marriage partner as gunslinger
FluBot Medusa

2022-02-04 ⋅ BitSight ⋅ André Tavares
FluBot Malware Persists: Most Prevalent In Germany and Spain
FluBot

2022-01-27 ⋅ The Hacker News ⋅ Ravie Lakshmanan
Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices
Anatsa FluBot

2022-01-26 ⋅ Bitdefender ⋅ Bitdefender
New FluBot and TeaBot Global Malware Campaigns Discovered
Anatsa FluBot

2022-01-13 ⋅ F5 ⋅ Dor Nizar, Roy Moshailov
FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond
FluBot

2021-10-01 ⋅ CERT NZ ⋅ CERT NZ
Text message scam infecting Android phones with FluBot
FluBot

2021-09-14 ⋅ Telekom ⋅ Thomas Barabosch
Flubot’s Smishing Campaigns under the Microscope
Anatsa FluBot

2021-09-09 ⋅ cyble ⋅ Cyble
FluBot Variant Masquerading As The Default Android Voicemail App
FluBot

2021-08-17 ⋅ Netcraft ⋅ Sean Gebbett
Resurgent FluBot malware targets German and Polish banks
FluBot

2021-08-04 ⋅ Netcraft ⋅ Graham Edgecombe
FluBot malware spreads to Australia
FluBot

2021-06-19 ⋅ SWITCH Security Blog ⋅ Daniel Stirnimann
Android FluBot enters Switzerland
FluBot

2021-06-13 ⋅ Twitter (@alberto__segura) ⋅ Alberto Segura
Tweet on Flubot version 4.6
FluBot

2021-06-09 ⋅ Twitter (@alberto__segura) ⋅ Alberto Segura
Tweet on Flubt version 4.5
FluBot

2021-06-03 ⋅ Twitter (@alberto__segura) ⋅ Alberto Segura
Tweet on decrypting FluBot strings
FluBot

2021-06-01 ⋅ Bitdefender ⋅ Alin Mihai Barbatei, Oana Asoltanei, Silviu Stahie
Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android
Anatsa FluBot

2021-05-31 ⋅ Twitter (@alberto__segura) ⋅ Alberto Segura
Tweet on Flubot version 4.4
FluBot

2021-05-21 ⋅ Twitter (@alberto__segura) ⋅ Alberto Segura
Tweet on Flubot version 4.2 (p.php variant) with new AES strings encryption
FluBot

2021-05-14 ⋅ NortonLifeLock ⋅ Armin Buescher, Gokulakrishnan S
How Flubot targets Android phone users and their money
FluBot

2021-05-05 ⋅ zimperium ⋅ Jon Paterson
Flubot vs. Zimperium
FluBot

2021-04-29 ⋅ IBM ⋅ Ben Wagner
The Story of FakeChat
FluBot

2021-04-27 ⋅ Proofpoint ⋅ Adam McNeil, Andrew Conway, Crista Giering, fnaves
FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon
FluBot

2021-04-26 ⋅ The Record ⋅ Catalin Cimpanu
Despite arrests in Spain, FluBot operations explode across Europe and Japan
FluBot

2021-04-21 ⋅ Twitter (@alberto__segura) ⋅ Alberto Segura
Tweet on FluBot Version 4.0
FluBot

2021-04-19 ⋅ nviso ⋅ Jeroen Beckers
How to analyze mobile malware: a Cabassous/FluBot Case study
FluBot

2021-03-29 ⋅ Medium (Cryptax) ⋅ Axelle Apvrille
Android/Flubot: preparing for a new campaign?
FluBot

2021-03-16 ⋅ Medium CSIS Techblog ⋅ Aleksejs Kuprins
The Brief Glory of Cabassous/FluBot — a private Android banking botnet
FluBot

2021-03-08 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
FluBot - Malware Analysis Report
FluBot

2021-03-08 ⋅ The Record ⋅ Catalin Cimpanu
FluBot Malware Gang Arrested in Barcelona
FluBot

2021-03-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves
A look at an Android bot from unpacking to DGA
FluBot

2021-03-02 ⋅ ⋅ Hispasec ⋅ Hispasec Sistemas
Campaña Fedex Banker
FluBot

2021-02-11 ⋅ Twitter (@malwrhunterteam) ⋅ MalwareHunterTeam
Tweet on one of the first Fedex-themed lures for FluBot
FluBot

Yara Rules

[TLP:WHITE] apk_flubot_w0 (20210914 | matches on dumped, decrypted V/DEX files of Flubot version > 4.2)

rule apk_flubot_w0 {
    meta:
        author = "Thomas Barabosch, Telekom Security"
        version = "20210720"
        description = "matches on dumped, decrypted V/DEX files of Flubot version > 4.2"
        sample = "37be18494cd03ea70a1fdd6270cef6e3"
        source = "https://github.com/telekom-security/malware_analysis/tree/main/flubot"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot"
        malpedia_version = "20210914"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $dex = "dex"
        $vdex = "vdex"
        $s1 = "LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE"
        $s2 = "java/net/HttpURLConnection;"
        $s3 = "java/security/spec/X509EncodedKeySpec;"
        $s4 = "MANUFACTURER"

    condition:
        ($dex at 0 or $vdex at 0)
        and 3 of ($s*)
}

Download all Yara Rules

FluBot Propose Change

References

Yara Rules

FluBot