
I'm going to tell you a little about this project I have been following. It's FluBot, an Android banking trojan, and I will tell you a little about how the threat actor is acting, what they are doing and what the capabilities of the malware are. First of all, you saw that fancy Accenture slide, but, you know, they paid me to be here, so I work for them, but my opinions might not be in line with my current employer or any previous employer, so all my comments and thinking are my own and not impacted by the employer. My name is Eugene, I'm from Finland. I work as a lead investigator at Accenture, doing mainly digital forensics and incident response, and some malware analysis as well. Before this I was working for the Finnish government, and that's where my journey with FluBot started. I have been tracking the malware since last summer.

What is FluBot in general? It's an Android banking trojan. It's distributed through SMS, so usually the SMS tries to lure the victim to go to a drop site, download the APK and install it on their phone. The distribution is done through compromised WordPress sites, so they have plenty of WordPress sites that they can use for this, and they have burned thousands or tens of thousands of sites just to deliver these APKs to victims' phones. It's continuously developed, so we are seeing a lot of new versions coming up, almost once a month. I will talk later a little about the versions and what has changed and when. They are also reacting to the mitigation activities that, for example, telecom operators are doing, so if the operators change the way they block, for example, the SMS messages, the actors are going to implement a new feature which will likely bypass the mitigation the operators have done.

Here's a screenshot from the drop site and also an SMS we saw in Finland, and as you can see, they usually have a lot of typos and so on, so we thought that no one will click this. Well, we were wrong, because when the situation was at its worst there were millions of SMS messages going around Finland per day. If you think that Finland has about five and a half million people living there and millions of SMS messages were delivered in a day, everyone was getting those, and those were headlines in the news: did you get this kind of SMS, don't click the message and download the APK. That was the background. Okay, they stopped working, nice. So that's the background of FluBot.

As I told you, it's delivered through SMS spraying, so an infected phone sends a message to a victim, and if the victim clicks the link they will go to the drop site. The drop site actually knows from the given URI who is clicking the message, so in some cases we have seen the drop site showing the phone number where the SMS was actually sent. So they have a database in their back end where they are matching all the links with the target victims. A lot of features that are not that common for this kind of bulk malware. Then if the victim downloads the APK, sideloads it and installs it on their device, they get infected, and the first thing FluBot does is check the public IP address of the device. It uses these four services that reveal your public IP address, and it stores the information in the shared preferences so that it can use it later on, and of course update it if the victim's IP gets a new lease and so on. Then it starts to communicate with the C2. Since, I think, version 4.9 of FluBot it has used DNS over HTTPS, so all the communication goes through these cloud DNS providers like Google, Cloudflare and also Alibaba. They actually used NextDNS as well, but it was the only provider who started blocking FluBot C2, so they dropped the support for NextDNS pretty fast and moved to use these three. In Finland, in my previous job, I have been in contact with all of them, and they are not interested in touching their DNS over HTTPS because it's this whole thing, you know, privacy and stuff. So we are not blocking even FluBot requests, or any other malware there either. If any one of you is working for those companies, please do something.

Then it starts to spread the SMS messages if the campaign is active in the current country where the phone is. It will check, and I will talk later about how it checks the device info, but if the campaign is not active in the country where the infected phone is, it will not start sending those messages. It will just stay hidden on the phone and wait for them to activate the campaign in that specific country again.

I had actually already made this presentation, and then, I think on Wednesday evening, I saw a tweet from this user, jake j cybersec, that he was able to dump the source code of the drop site, so I had to take a look at it. I actually flew here yesterday morning, so I analyzed the PHP on the airplane and saw that it reveals one address from the back end. I will get back later to this domain shown there, this murfetta dot russia, and I will discuss a little about the infra and where it's hosted. If you are interested in the index.php which was dumped by this Twitter user, it's a pretty good Twitter thread about what is included in the code and what it does, so go and take a look as well. You can find the sample on VirusTotal.

A little bit about the time frame. As I told you, last summer I got involved with this case in Finland. It was version 4.5 which started spreading in Finland, and that version was actually still using the legacy connection, so it connected directly to the C2 instead of using DNS over HTTPS. It was kind of easy to block: we just generated lists of these domains, it's using a DGA, a domain generation algorithm, so we generated the list and all the telecom operators in Finland blocked these addresses, so they couldn't do anything, and we were like, yes, we won. Then a few months went by and we saw new samples using DNS over HTTPS, and we didn't do anything. Since then they have released a lot of new versions, so they are going from a static structure to more things that they can update on the fly, for example the DGA seeds, so they can generate different lists of those C2 domains. It also makes us researchers' lives a little bit harder, because the C2s are not hardcoded in the malware and they need to be downloaded from the C2, so a little bit more work for people who are analyzing the malware. Last month, I think it was the end of February, the newest version, 5.5, was released. Well, I found it using some retrohunts on VirusTotal and checked that that's the newest version.

Analyzing APKs is kind of easy, because you can just decompile the package and read the Java, but of course mobile malware uses packing as well, like regular Windows and Linux malware does. FluBot used to use APK Protector, which is a known tool for APK packing, but they changed to this kind of customized encryption; I think it was version 4.9 where they introduced it. First they have multiple layers of obfuscation and encryption. The first layer is simple string obfuscation, then there's an archive hidden in the resources, and when you decompress it, it's actually an encrypted payload, and if you decrypt the payload it becomes an archive, and the archive has the real classes.dex inside it. If you decompress that one and look at the source code, it's still obfuscated. So there are a lot of places where they are trying to hide the real truth of the source code, but I think this kind of stuff is fun, and I hope they implement new features so it will get a little bit harder to decrypt. As I told you, they changed the way of packing between June and November last year, and I think this year they will bring more features to that as well, so we will see and wait.

If we take a closer look at how the packing is done: first of all, the Android manifest is a good place to start to see what the application is doing. It's basically a list of what services and listeners and so on are started when the application is installed and started. The first thing we can see is that there is this main function inside the mobileqq-named package, but you cannot find the source code there, so it's packing, and if you go one line above you can see that there is this "crazy games" package, which probably includes the code for the packing. The next slide is a little bit busy, but it's the function where the file I mentioned, the archive, is stored, and how it loads it from there and then decompresses it. The path for this specific sample is shown there, so there is assets and then so on, and that is the actual file containing the source code for the malware. Then we can see that there is actually a decryption function which uses a static password from the sample. Of course it's a little bit obfuscated as well, it's these Chinese characters, and if you de-obfuscate that one it becomes a clear text string, and that actually means something. I think they are funny as well, because they're using something that means something in Chinese, and also, I think it was the first sample I saw, it was like "evil evil evil evil evil evil", the Chinese text in English. So I think these are like Easter eggs they're hiding there, and I kind of like it. Then if you look at the actual decryption function, you can see that most of it is rubbish and there are only a few parts which are used for the actual decryption of the classes.dex. When I put it on this slide it looks easy, but it actually took some time to figure out how to unpack the package, and when I had done it I wrote a little Python spaghetti code, ran it and got the actual DEX file, so now we can actually start analyzing the malware. Last year it took about one week of workdays to figure out how it's done.

When the user installs the malware, it actually requires a lot of permissions from the user, so it prompts the user whether it can use the overlays in Android, which means that basically the malware can show anything, intercept anything, do anything with the phone. It's a super dangerous thing to give any app this kind of access. And of course it's giving instructions on how the user can disable the limitations which Android nowadays ships with, so they are helping the victims make their phone more insecure. During the installation, after the user gives the rights, it checks the public IP address and a lot of other stuff which is going to be stored in the shared preferences of the application. This is because it wants to store this kind of configuration for a longer time, and many of the FluBot functions are using the same values, so it uses shared preferences for that. One of the things is a bot ID, so this is the way the attacker can specify which device is calling back to the C2, and this is unique per phone. A lot of interesting information. For example, as I said, they have been implementing these new features so that they can dynamically update those DoH servers and C2 servers and so on. There is one shared preference for new DNS over HTTPS servers, so as I told you they are using Google, Alibaba and Cloudflare, and they can basically update it to whatever they like, and also if someone, for example, starts blocking them they can add a new server there and ensure that they can continue operating. Also the custom seed which is used for the DGA: when they create a list of C2 domains they are using a hardcoded seed, which has been 1945 in many of the samples, but of course they have this feature so that they can update it dynamically.

FluBot has a lot of hardcoded commands which are used for C2 traffic. Before starting the C2 communication it uses this PREPING command, where it basically tries to connect to over two thousand C2s and checks which one of them is alive, because the DGA generates over 2000 domains, and because of this they are really agile in moving from one location to another. This is why, when tracking FluBot, for example, the C2 infra might change every day. I will have a few photos of the current infra from yesterday, and probably it's different already today, so old info. It also has the PING command, which is a keep-alive, so that's the basic home-calling command, and the PING command also has the version number, so it will tell the attackers which FluBot version is in use. That is the place where you can actually track which version of FluBot is the current one, and they are updating the minor versions kind of often. It also has the possibility to send SMS content, so it's intercepting SMS messages and delivering all of the contents to the attacker, so basically bypassing SMS-based MFA is really easy if your phone is infected with FluBot. Also, it will not show the contents to the victim, so if someone is trying, for example, to send them a message that your phone is infected, it will not reach the victim but will go to the actual attacker. One of the Finnish telecom operators used SMS to send messages to their customers if they were infected with FluBot, and they were wondering why nothing happens, and this was the reason. They were surprised that they actually needed to send letters, because they couldn't call them either, the calls were blocked as well.

Then there's this DGA. There is a hardcoded list of TLDs which FluBot is using. I think this is just a lure, because previously they were using three TLDs, the list had only three of them: Russia, Soviet Union and China. Yes, the Soviet Union has its own TLD, I'm not sure why, but you know. Now they are using a big list of different TLDs, but the active C2s are usually in .ru, the Russian country domain. It will generate 3500 domains and try to contact them afterwards, so it creates 25 threads that test those generated domains, so the amount of traffic going out of the phone when FluBot is installed is enormous. Basically, in my home setup I have Burp proxying all of the requests coming out from the test phone, and when I do that, something like 10,000 requests pop up in Burp, so it's very noisy. For the actual seed which is used for the Random in Java, it uses the hardcoded seed, 1945, and it also uses the current month and current year in the generation algorithm, so basically every month you have to regenerate the list of FluBot DGA C2s if you are willing to track those, and as you can guess, I am actually tracking those. This is an example of which kind of domains the algorithm generates. Here is the list of February domains and also March domains, and in a few weeks I have to generate the April domains as well.

If we look at the current C2 infra and where it's hosted: basically, as it's using DNS over HTTPS, the requests are not going to the actual domain but to the name server of that domain. In this slide you can see the C2 domain, the name server it's using, then the IP address of that name server and also the AS number of the hosting company. This is actually from a few days ago, so we can see that there were not that many active domains at the moment, and most of them were sinkholes. But, you know, if they are using a DGA, I'm not sure if sinkholing does anything. Of course you can track the amount of infected devices using that, but sinkholing is not a solution to tackle the FluBot problem. This one is actually the real deal, this is the active C2, or was the active C2 a few days ago, and if we look at the AS number, I don't recall which country it was, but some African country which gives routing services for everyone, and it's called Elite, like Lead Team Elite, and they have this funny thing in their WHOIS information. For example, okay, seems good, but they have this nice information about Netcraft, which is a service provider that offers services where they take down... what's going on, all right, how it works, yep. They offer services where they take down, for example, C2s or phishing sites and so on, so they send a lot of takedown requests, and these guys are claiming that the Netcraft guys are spammers, so they are not answering their requests. This already tells something about the AS and what's hosted there, so that's a red flag of cyber security, you know: if anything goes to that AS, it's probably bad. As I said, they're updating it constantly, so this is from yesterday, and as you can see there are not that many domains anymore, but we can see two active domains. They are here, these two, and they are hosted in different areas. This is a Russian AS and it's called Horizon, and we have seen many different malware families using the same AS, so probably that's the real AS they are using for the C2 infra. If you go to these C2 domains with a browser, it's nothing, but you can see that their IP addresses are in the same AS as well. I'm not going to touch the table anymore. They are hosted in Russia as well. Before they moved to DNS over HTTPS they were using these legacy connections, direct sockets to these addresses, and then their site had this kind of propaganda there. I'm not going to try to say that, but it was something like "fed's off" and hope you can have a good spirit, something like that. And this is the old president of Russia, Medvedev, how do you say it, I'm not sure, but you know, the guy before Putin. If you remember this one, can you guess the AS? Yes, it's the same one, it's Horizon from Russia. I know that there have been a lot of takedown requests to these domains, but the response hasn't been that good, so we are still working on it, and if you are working for that AS, please tell your company to stop.

So how does this C2 tunneling work? As I said, all the C2 traffic goes through DNS over HTTPS. I'm not going to read out those slides, but it basically makes a blob of data, and then it's encrypted and then encoded with base32. The actual command and response is encrypted with RC4, and the key for that is actually generated when FluBot is installed on the... no, sorry, it's generated for each and every command, so it changes on every command. So if you figure out one of the RC4 keys, you can only decrypt that session. In the first ping the client will deliver the RC4 key to the C2 server; first it encrypts it with RSA, and it has a hardcoded RSA public key in the sample, which has been the same the whole time, and then the C2 will answer if it can decrypt the payload. I have, for example, been creating this kind of emulator so I do not always have to run the sample; I can just use my Python to interact with the C2. I had a lot of problems at first with the data formatting with the C2, so it didn't answer me anything, and now it's working partly. The actual request looks like this: there is the DNS over HTTPS host, then there is the session ID, then which number the request is, so it's a sequence number, and then whether it's sending data or receiving next, so the last request has a one here and the others are sent with zero, and then there is the blob, and then of course the C2 host, and the request type is always TXT, so it's always requesting the same type of data from the C2.

So what does the C2 answer to the client? The client has multiple different capabilities, and I will mention a few of them. I think the worst one is the SOCKS, so the attacker can actually have a direct connection to the phone and do whatever they like there, so it's basically a backdoor. I haven't seen that being used and I don't know if it has been used, but there's a feature for that. Then of course the upload function, so it steals a lot of data from the phone, all contacts, SMS messages and so on, so it's a nightmare for the victim that they will lose all of the information they are storing on the phone. Then it has these overlays, or they call them injects, so basically overlays that can be used for phishing and showing any content they want to the victim, for example to collect bank details or any other credentials. They actually targeted Gmail as well, so they had an overlay for Gmail. This actually works in a way that the client sends a list of all installed packages to the C2, and the C2 answers which packages it wants to monitor for credentials. So to get the list of what they are targeting, you have to generate a list of all applications available in the Google store and send it to the C2, and then the C2 will tell you which ones they are targeting.

Then there's this interesting thing as well. As I said, they are hosting the infra in Russia, but they are also avoiding Russian and other countries' victims, so they have whitelisted a lot of system languages. The installation checks which language the phone is using, and then the installation will not continue if one of the mentioned languages is used on the phone. If we put these countries on a map it looks like this, and by the way, I'm not attributing anything, I'm just saying that they are not targeting these countries, well, the countries where these languages are spoken. So which countries are they targeting? Well, a lot of Western countries. I also know that there have been campaigns in Australia and New Zealand and also in Ireland, but I haven't seen samples myself that use, for example, the country codes of those countries. So basically these are the countries they are focusing on right now, and I think this is a plan, that these countries are the targets. That information is hardcoded in the code and hasn't changed that much, so probably we will see new FluBot campaigns in these countries in the future as well. Their goal is still finance, or at least it looks like it's financial, so they are creating these phishing overlays, and at the moment, well, in Finland they target Coinbase and Binance cryptocurrency wallets and also Gmail, and I think in the UK, for example, they were targeting bank applications. So it looks like it's a financially motivated group. They are actually delivering those phishing overlays as HTML, so I downloaded the injects they are giving, and by looking at the code I saw some Russian comments. I used Google Translate to check what those comments were, and in the CSS file there was, like, "background" and then a comment that this is background, in Russian, so it makes me feel that these persons, at least the ones who were doing the overlays, are not that good in English.

So what's my conclusion? Threat actor: this is not attribution, but they are hosting their C2 in Russia, they inject HTML code which is commented in Russian, their old infrastructure had Russian propaganda, they do not inject systems that use the Cyrillic alphabet, and their motivation is probably financial. But my question is why they are using so much R&D for this. They are using a lot of resources to update the software, also the hosting infra is kind of large, and of course the drop sites, they are burning those compromised WordPress sites super fast. So finally, I think they are financially motivated, but why are they spending so much resources on this, because I think you could actually do this with less resources as well.

And what can the defenders do? The providers of the servers should do something, I think, because before FluBot I hadn't seen that many malware samples that use DNS over HTTPS, and now it looks like, I think Cobalt Strike has some kind of feature that you can actually implement DoH there as well. When we go to a world where all the malware is using Google or other services for their C2 channel, it will get hard as a defender to defend your company or organization network, because you have no visibility and you cannot actually block those either. So it's getting hard, and I hope these DNS over HTTPS providers pay more attention to what they are delivering to their network. Not the best way, but the best available method is to use SMS and MMS firewalls; the telecom operators should use them, so they should filter the traffic so that these spreading messages won't go through. Of course it's hard, because they change the layout of the messages a lot, and a lot of legitimate services use SMS too, so it's hard to filter the right traffic away, but that's the best way to block this if it comes to your country, or if you are working at a telecom operator.

All right, but here are some resources, so if someone wants to take a look at the samples I mentioned and so on, here are hashes, and you can actually download them from VirusTotal, and also there are a few good reads about FluBot available online, so if you're interested, take a look at those. Thank you very much. [Applause]

Do we have time for questions? Two minutes. All right, two minutes. Two minutes for questions, guys.

[Music]

Hey, great presentation, by the way. Would you know any... what kind of mitigation is there for an end user to defend against FluBot, is there any current mitigation out?

Do not use Android, that's like... yeah, okay. But, you know, I do not understand why Android sideloading is so easy, because these are not hosted in the Play Store, these applications are sideloaded, so I'm not sure why, for example, my mother should ever have the possibility to sideload software. I don't understand that, but that's the best way to mitigate it: do not click links and download stuff.

Okay, thank you.

[Music]

Hey, yeah, great presentation. I'm curious, you mentioned your emulator, and you also mentioned target countries, but I might have missed it: is the check for geolocation early on, and does this influence your emulator, in terms of, I know you said it was partially working, kind of having issues?

Yeah, well, they are checking the system language and they are getting the public IP, and it's based on the public IP whether they activate the SMS campaign on the phone or not. So, for example, if I run the sample now from a Finnish IP, the connection is made but I will not get any commands from the C2. It's working, but it's not giving any commands, and if I change it, for example, to the UK, and if the campaign is active there, I will instantly start getting commands from the C2.

And the second one: you didn't really touch on it, but you mentioned hooks. Obviously the end goal is probably to hook a web browser to grab bank information. Have you looked into the webhooks, or is it webhooks that they're using for your browser? You mentioned Gmail as well.

Yeah, so I haven't done anything like delivering fake credentials there and looking at what they're doing, but they are doing the overlay I mentioned for Gmail, so basically if you're using the Gmail application, you will open it and the overlay will just pop up, and the user won't notice it, it's just like a normal Gmail login page, and then they will fill in the credentials and they will go to the C2.

Yeah, from my experience, I see it would be: the Gmail will pop up, but it would be an API being called with Gmail being put in as a parameter, and that would be the hooks.

Yeah, but they will deliver their own version of Gmail.

Yeah, that would pop up. Yeah, interesting.

[Music]

You listed the commands; were they actually in English, or did you give English names for them?

They are in English, so yeah, they list this in English, it's a case table and it's there.

You mentioned Cobalt Strike a few slides back. Have you seen much Cobalt Strike pop up for this kind of attack, or no?

I don't know. I do not think that Cobalt Strike supports ARM, well, ARM devices. I'm sure it will probably, ARM yes, but Android devices...

All right, thanks. Thanks very much, guys. [Applause]
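The monthly DGA regeneration the talk describes (a hardcoded seed of 1945 plus the current month and year fed into Java's Random, a few thousand candidate domains, a TLD list), modeled as an added Python example that is not part of the talk, the speaker's tooling or FluBot's own code. How the base seed, year and month are mixed, the 15-character label length, the alphabet and the small TLD list are all assumptions for illustration; only the java.util.Random port is bit-exact, which is the part a tracker actually has to get right when porting a DGA out of decompiled Android Java, otherwise the generated blocklist matches nothing.

```python
"""Model of a FluBot-style monthly DGA (added example; seed mixing, label length,
alphabet and TLD list are assumptions, not FluBot's real algorithm)."""
import re
from datetime import date


class JavaRandom:
    """Bit-exact port of java.util.Random's 48-bit LCG, so a DGA lifted from
    decompiled Java produces the same domains when re-run in Python."""
    MULT = 0x5DEECE66D
    ADD = 0xB
    MASK = (1 << 48) - 1

    def __init__(self, seed: int) -> None:
        self.seed = (seed ^ self.MULT) & self.MASK

    def _next(self, bits: int) -> int:
        self.seed = (self.seed * self.MULT + self.ADD) & self.MASK
        return self.seed >> (48 - bits)

    def next_int(self) -> int:
        """Random.nextInt(): 32 bits, returned as a signed Java int."""
        v = self._next(32)
        return v - (1 << 32) if v & (1 << 31) else v

    def next_int_bound(self, bound: int) -> int:
        """Random.nextInt(bound), including the rejection loop Java uses to
        avoid modulo bias (its 32-bit overflow check emulated explicitly)."""
        if bound & (bound - 1) == 0:                       # power of two
            return (bound * self._next(31)) >> 31
        while True:
            bits = self._next(31)
            val = bits % bound
            if bits - val + (bound - 1) < (1 << 31):       # Java: >= 0 after int overflow
                return val


BASE_SEED = 1945                            # the hardcoded seed mentioned in the talk
ALPHABET = "abcdefghijklmnopqrstuvwxyz"     # ASSUMPTION
TLDS = ("ru", "su", "cn")                   # the three TLDs the talk says early samples used
DOMAIN_RE = re.compile(r"^[a-z]{15}\.(ru|su|cn)$")


def month_seed(year: int, month: int, base: int = BASE_SEED) -> int:
    # ASSUMPTION: how base seed, year and month are combined is illustrative only.
    return base * 10000 + year * 100 + month


def generate(year: int, month: int, count: int = 3500, seed: int = BASE_SEED) -> list:
    """Candidate C2 list for one month; deterministic per (seed, year, month)."""
    rnd = JavaRandom(month_seed(year, month, seed))
    domains = []
    for _ in range(count):
        label = "".join(ALPHABET[rnd.next_int_bound(len(ALPHABET))] for _ in range(15))
        domains.append(f"{label}.{TLDS[rnd.next_int_bound(len(TLDS))]}")
    return domains


def blocklist(year: int, month: int, count: int = 3500, seed: int = BASE_SEED) -> list:
    """Deduplicated, sorted list suitable for a resolver or telco blocklist.
    Regenerate it every month, and again whenever a new sample changes the seed."""
    return sorted(set(generate(year, month, count, seed)))


if __name__ == "__main__":
    today = date.today()
    current = blocklist(today.year, today.month)
    print(f"{len(current)} candidates for {today.year}-{today.month:02d}, e.g. {current[:3]}")
```

The first assertion below checks the Random port against a value real Java produces (`new Random(42).nextInt()`); if a port of a Java DGA fails that kind of check, every domain it emits is wrong and the blocklist is useless. Because the seed can now be pushed from the C2, the seed is a parameter rather than a constant.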
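The C2 tunnel the talk describes (command bytes encrypted with RC4, encoded as base32, carried in TXT lookups whose name holds a session ID, a sequence number, a last-chunk flag and the blob under the C2 domain), as an added Python model with both sides of the exchange. This is example code, not FluBot's code or the speaker's emulator: the label order, the chunk size and the sample commands are assumptions, the per-session RC4 key is simply pre-shared here instead of being RSA-wrapped in the first ping, and nothing is sent to a resolver. What it does show is why the protocol needs sequence numbers and a last flag at all: DNS labels are capped at 63 bytes and names at 253, so a blob larger than one label has to be spread over several lookups and reassembled on the authoritative server behind the DoH resolver.

```python
"""Model of a DNS-over-HTTPS TXT-query C2 tunnel (added example; label layout,
chunk size and keys are assumptions, not FluBot's real format)."""
import base64
from dataclasses import dataclass, field

MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical maximum for a full domain name in text form
CHUNK = 60       # ASSUMPTION: base32 characters per query, kept under MAX_LABEL


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def to_b32(data: bytes) -> str:
    # Lowercase and unpadded: '=' is not legal inside a hostname label.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def from_b32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def build_queries(session: str, key: bytes, command: bytes, c2_domain: str) -> list:
    """Client side: encrypt, base32-encode and split the blob over TXT lookups.
    Label layout (ASSUMPTION): <session>.<seq>.<last>.<chunk>.<c2 domain>"""
    blob = to_b32(rc4(key, command))
    chunks = [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)]
    names = []
    for seq, chunk in enumerate(chunks):
        last = 1 if seq == len(chunks) - 1 else 0
        name = f"{session}.{seq}.{last}.{chunk}.{c2_domain}"
        if len(name) > MAX_NAME or any(len(lbl) > MAX_LABEL for lbl in name.split(".")):
            raise ValueError("query name violates DNS length limits")
        names.append(name)
    return names   # each would be resolved as type TXT through a public DoH resolver


@dataclass
class C2Server:
    """Server side: what the authoritative name server behind the resolver sees."""
    keys: dict = field(default_factory=dict)      # session -> RC4 key (pre-shared here)
    pending: dict = field(default_factory=dict)   # session -> {seq: chunk}

    def receive(self, name: str):
        """Buffer one chunk; return the decrypted command once the last chunk arrives."""
        session, seq, last, chunk, *_ = name.split(".")
        self.pending.setdefault(session, {})[int(seq)] = chunk
        if last != "1":
            return None                            # wait for the remaining chunks
        parts = self.pending.pop(session)
        if sorted(parts) != list(range(len(parts))):
            raise ValueError(f"session {session}: missing chunk")
        blob = "".join(parts[i] for i in range(len(parts)))
        return rc4(self.keys[session], from_b32(blob))


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed session key
    server = C2Server(keys={"bot01": key})
    for q in build_queries("bot01", key, b"PING|5.5", "example.ru"):
        print(q, "->", server.receive(q))
```

Run from a defender's seat, the same length arithmetic is the detection hook: a stream of TXT lookups for one apex whose leading labels are long, high-entropy base32 and whose names change on every query, seen only inside HTTPS sessions to dns.google or cloudflare-dns.com, is exactly the pattern the talk says the resolvers are not filtering.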