SYMBOLCOMMON_NAMEaka. SYNONYMS
apk.flubot (Back to overview)

FluBot

aka: Cabassous, FakeChat

PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it's C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.

References
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-08-16Infinitum ITinfinitum IT
FluBot Android Malware Analysis
FluBot
2022-06-29Fox-ITAlberto Segura, Rolf Govers
Flubot: the evolution of a notorious Android Banking Malware
FluBot
2022-06-01EuropolEuropol
Takedown of SMS-based FluBot spyware infecting Android phones
FluBot
2022-04-12Check PointCheck Point Research
March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
Alien FluBot Agent Tesla Emotet
2022-03-29NCSC SwitzerlandNCSC Switzerland
Woche 12: Schadsoftware «FluBot» in der Schweiz wieder aktiv und Web-Administratoren erhalten Drohmails von angeblich ukrainischen Hackern
FluBot
2022-02-07ThreatFabricThreatFabric
Medusa: a marriage partner as gunslinger
FluBot Medusa
2022-02-04BitSightAndré Tavares
FluBot Malware Persists: Most Prevalent In Germany and Spain
FluBot
2022-01-27The Hacker NewsRavie Lakshmanan
Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices
Anatsa FluBot
2022-01-26BitdefenderBitdefender
New FluBot and TeaBot Global Malware Campaigns Discovered
Anatsa FluBot
2022-01-13F5Dor Nizar, Roy Moshailov
FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond
FluBot
2021-10-01CERT NZCERT NZ
Text message scam infecting Android phones with FluBot
FluBot
2021-09-14TelekomThomas Barabosch
Flubot’s Smishing Campaigns under the Microscope
Anatsa FluBot
2021-09-09cybleCyble
FluBot Variant Masquerading As The Default Android Voicemail App
FluBot
2021-08-17NetcraftSean Gebbett
Resurgent FluBot malware targets German and Polish banks
FluBot
2021-08-04NetcraftGraham Edgecombe
FluBot malware spreads to Australia
FluBot
2021-06-19SWITCH Security BlogDaniel Stirnimann
Android FluBot enters Switzerland
FluBot
2021-06-13Twitter (@alberto__segura)Alberto Segura
Tweet on Flubot version 4.6
FluBot
2021-06-09Twitter (@alberto__segura)Alberto Segura
Tweet on Flubt version 4.5
FluBot
2021-06-03Twitter (@alberto__segura)Alberto Segura
Tweet on decrypting FluBot strings
FluBot
2021-06-01BitdefenderAlin Mihai Barbatei, Oana Asoltanei, Silviu Stahie
Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android
Anatsa FluBot
2021-05-31Twitter (@alberto__segura)Alberto Segura
Tweet on Flubot version 4.4
FluBot
2021-05-21Twitter (@alberto__segura)Alberto Segura
Tweet on Flubt version 4.2 (p.php variant) with new AES strings encryption
FluBot
2021-05-14NortonLifeLockArmin Buescher, Gokulakrishnan S
How Flubot targets Android phone users and their money
FluBot
2021-05-05zimperiumJon Paterson
Flubot vs. Zimperium
FluBot
2021-04-29IBMBen Wagner
The Story of FakeChat
FluBot
2021-04-27ProofpointAdam McNeil, Andrew Conway, Crista Giering, fnaves
FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon
FluBot
2021-04-26The RecordCatalin Cimpanu
Despite arrests in Spain, FluBot operations explode across Europe and Japan
FluBot
2021-04-21Twitter (@alberto__segura)Alberto Segura
Tweet on FluBot Version 4.0
FluBot
2021-04-19nvisoJeroen Beckers
How to analyze mobile malware: a Cabassous/FluBot Case study
FluBot
2021-03-29Medium (Cryptax)Axelle Apvrille
Android/Flubot: preparing for a new campaign?
FluBot
2021-03-16Medium CSIS TechblogAleksejs Kuprins
The Brief Glory of Cabassous/FluBot — a private Android banking botnet
FluBot
2021-03-08PRODAFT Threat IntelligencePRODAFT
FluBot - Malware Analysis Report
FluBot
2021-03-08The RecordCatalin Cimpanu
FluBot Malware Gang Arrested in Barcelona
FluBot
2021-03-05Medium walmartglobaltechJason Reaves
A look at an Android bot from unpacking to DGA
FluBot
2021-03-02HispasecHispasec Sistemas
Campaña Fedex Banker
FluBot
2021-02-11Twitter (@malwrhunterteam)MalwareHunterTeam
Tweet on one of the first Fedex-themed lures for FluBot
FluBot
Yara Rules
[TLP:WHITE] apk_flubot_w0 (20210914 | matches on dumped, decrypted V/DEX files of Flubot version > 4.2)
rule apk_flubot_w0 {
    meta:
        author = "Thomas Barabosch, Telekom Security"
        version = "20210720"
        description = "matches on dumped, decrypted V/DEX files of Flubot version > 4.2"
        sample = "37be18494cd03ea70a1fdd6270cef6e3"
        source = "https://github.com/telekom-security/malware_analysis/tree/main/flubot"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot"
        malpedia_version = "20210914"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $dex = "dex"
        $vdex = "vdex"
        $s1 = "LAYOUT_MANAGER_CONSTRUCTOR_SIGNATURE"
        $s2 = "java/net/HttpURLConnection;"
        $s3 = "java/security/spec/X509EncodedKeySpec;"
        $s4 = "MANUFACTURER"

    condition:
        ($dex at 0 or $vdex at 0)
        and 3 of ($s*)
}
Download all Yara Rules