The new FluBot variant is aimed at our smartphones

Anyone who wants to sell malware to a victim also needs a subject line that arouses curiosity, and the cyber criminals behind FluBot take this to heart. The banking Trojan lures its potential victims with various false promises of content. In December, the campaign was also very active in Germany.

Bitdefender Labs experts have been monitoring new variants of the FluBot and TeaBot banking Trojans since December 2021. Bitdefender telemetry alone registered over 100,000 malicious SMS messages during this period. Germany was a major focus of the attacks in December 2021, accounting for 32.23%; only Australia was hit harder. The criminal actors have since adapted their campaigns and are luring people with supposedly new content. At the same time, they are shifting the focus of distribution between different countries and time zones. The recent attacks mainly target European countries.

Proven functionalities

Banking Trojans such as FluBot and TeaBot, and the fraudulent SMS with the enticing subject “Is that you in the video?”, are examples of long-running phishing campaigns that the criminal operators periodically replay. The goal is always the same: to read online banking information, SMS messages, contacts or other private data from infected devices.

The malware families offer an arsenal of commands for this purpose. With them, the attackers can easily have a command-and-control server send various types of content as SMS. The dropper’s host domains remain the same. This allows cyber criminals to attack customers of different banks one after the other and to adapt content and functionality.

Various FluBot decoys

Most of the malicious SMS that the authors spread with the FluBot malware pose as messages from parcel services (51.85%), followed by messages with the subject “Is that you on the video?” (25.03%) (see Image 1). This well-known phishing lure, previously carried out via Facebook Messenger, has now become part of a FluBot phishing campaign. The victims first receive an SMS with this subject. To view the video, they are prompted to install a supposed Flash or operating system update and then receive the banking Trojan.

Fake browser updates, voice messages, and operating system updates are less common. Fake apps (even fake antivirus apps) and adult content are less likely to serve as a hook for FluBot. Notably, coronavirus-related content currently plays no role, at only 0.09%.

Image 1: Various supposed SMS subjects at FluBot. (Source: Bitdefender)

Changing distribution areas

The FluBot operators change their target areas very quickly, often after just a few days. In December, in addition to Australia, the campaign was also active in Germany (second place with 32.23%), Spain, Italy and other European countries (see Figure 2).

Figure 2: Distribution of FluBot in December 2021. (Source: Bitdefender)

Since January, the focus has increasingly shifted to Poland, the Netherlands and Romania. Overall, despite the decline, Germany has remained in second place among the distribution areas over the past two months, with a share of 17.91% (see Figure 3).

Figure 3: Geographical distribution of FluBot since December 2021. (Source: Bitdefender)

TeaBot continues to spread fake apps and fake QR codes, including via Google Ads

Using its telemetry data, Bitdefender Labs observed how a new malicious “QR Code Reader scanner app” was downloaded over 100,000 times in one month, in 17 different variants, via Google Play. This is most likely a highly encrypted TeaBot dropper. The TeaBot attack is characterized by offering supposedly useful apps in the Google Play Store. Alternatively, it disguises itself as a fake version of a popular app. In both cases the downloaded app acts as a dropper and installs the malware. The QR scanner app is spreading mostly in the UK, including via Google Ads.

Further information:

The entire Bitdefender report can be found here.
