Researchers have found a number of active campaigns delivering the Flubot and Teabot trojans through a variety of delivery methods, with threat actors using smishing and malicious Google Play applications to target victims with fly-by attacks in different locations across the globe.
Researchers from Bitdefender Labs said they have intercepted more than 100,000 malicious SMS messages attempting to distribute Flubot malware since the start of December, according to a report published Wednesday.
During their analysis of Flubot, the team also found a QR code-reader application that has been downloaded more than 100,000 times from the Google Play store and that has distributed 17 different Teabot variants, they said.
Flubot and Teabot surfaced last year as fairly straightforward banking trojans that steal banking, contact, SMS and other kinds of private data from infected devices. However, the operators behind them have distinctive methods for spreading the malware, making them especially nasty and far-reaching.
Flubot was first discovered in April targeting Android users in the United Kingdom and Europe using malicious SMS messages that nudged recipients to install a "missed package delivery" application, demonstrating a feature of the malware that allows attackers to use command and control (C2) to send messages to victims.
This feature lets operators rapidly change targets and other malware features on the fly, widening their attack surface to a worldwide scale without requiring a complex infrastructure. Indeed, campaigns later in the year targeted Android users in New Zealand and Finland.
“These threats survive because they come in waves with different messages and in different time zones,” Bitdefender researchers wrote in the report.
“While the malware itself remains pretty static, the message used to carry it, the domains that host the droppers, and everything else is constantly changing. For example, in the month between Dec. 1 of last year and Jan. 2 of this year, the malware was highly active in Australia, Germany, Spain, Italy and a few other European countries.”
Campaigns between Jan. 15 and Jan. 18 then moved to different parts of the globe, including Romania, Poland, the Netherlands, Spain and even Thailand, they found.
Attackers also branched out beyond trying to fool users into thinking they missed a package delivery (what Bitdefender named "fake courier messages") to distribute Flubot.
Although this tactic was present in almost 52% of the campaigns researchers observed, in around 25% of observed campaigns the attackers also used a scam named "is this you in this video," a take-off of a credential-stealing campaign that has been circulating steadily on social media, researchers wrote.
“When the victim clicks on the link, it usually redirects them to a fake Facebook login that gives attackers direct access to credentials,” researchers explained.
Flubot operators have picked up on this scam and are using a variation of it in one of the smishing campaigns observed, with users receiving an SMS message that asks, "Is this you in this video?" researchers noted. Still, the goal of the campaign is the same: to somehow trick users into installing the software under some pretext.
“This new vector for banking trojans shows that attackers are looking to expand past the regular malicious SMS messages.”
Among other lures, Flubot operators also used SMS messages with fake program updates and fake voicemail notifications, each in around 8% of observed campaigns, researchers said.