- Joined
- May 15, 2016
- Messages
- 14,121
- Likes
- 2,643
- Points
- 1,730
Arrests were made in Barcelona in connection with the distribution of the banking Trojan FluBot, which hit at least 60,000 Android devices, mainly in Spain. According to reports, botsmen not only emptied accounts with malware, but also laundered stolen money by buying goods for resale with them.
During the police raids, four young men aged 19 to 27 were detained. Two of them, the alleged leaders of the criminal group, were detained, the rest were released, obliged to appear in court every two weeks. During the searches, documents, laptops, cash and mobile phones in unopened packaging were seized - apparently bought with the money of the victims of the infection.
One arrested person, according to investigators, wrote the FluBot code (PDF) and created fake registration pages in online banking systems. Attackers have been spreading the Trojan since the end of last year through links in SMS messages that mimic email notifications or Google Chrome.
When installed, the overlay malware FluBot, aka Fedex Banker (PDF) and Cabassous, asks for permission to access Android's Accessibility Services so that its phishing pages are displayed over the windows of banking applications. The data collected with their help is sent by the bot to its server; he also knows how to intercept one-time codes sent to bank clients to confirm the rights to conduct transactions, and steal contacts from the address book of victims to further spread the infection.
So far, Spanish cybercops have detected 71,000 malicious SMS messages sent out as part of the FluBot campaign. Researchers from the Swiss information security company PRODAFT managed to gain access to the botnet's C2 server. It found data on 60 thousand infections and the phone numbers of 11 million users - 97% of them live in Spain (this is almost a quarter of the country's population).
The analysis showed that to find the C&C server, FluBot launches a DGA generator capable of generating 5,000 domain names per month. To protect C2 communications, the malware uses encryption, with Diffie-Hellman key exchange and the creation of an RSA signature to authenticate the secret key.
As of early January, FluBot's target list consisted of a number of banks doing business in Spain, but variables in Polish and German were found in its code. Currently, the botnet is still active, and the army of sites that download malicious APKs to users' smartphones continues to grow.
__________________