Domain | ID | Name | Use
---|---|---|---
Mobile | T1517 | Access Notifications |
Mobile | T1437.001 | Application Layer Protocol: Web Protocols | FluBot can use HTTP POST requests on port 80 for communicating with its C2 server.[1]
Mobile | T1637.001 | Dynamic Resolution: Domain Generation Algorithms | FluBot can use Domain Generation Algorithms to connect to the C2 server.[1]
Mobile | T1521.002 | Encrypted Channel: Asymmetric Cryptography | FluBot has encrypted C2 message bodies with RSA and encoded them in base64.[1]
Mobile | T1646 | Exfiltration Over C2 Channel |
Mobile | T1628.002 | Hide Artifacts: User Evasion | FluBot can use
Mobile | T1629.001 | Impair Defenses: Prevent Application Removal | FluBot can use Accessibility Services to make removal of the malicious app difficult.[2]
Mobile | T1629.003 | Impair Defenses: Disable or Modify Tools | FluBot can disable Google Play Protect to prevent detection.[1]
Mobile | T1417.002 | Input Capture: GUI Input Capture | FluBot can add display overlays onto banking apps to capture credit card information.[1]
Mobile | T1406 | Obfuscated Files or Information | FluBot can obfuscate class, string, and method names in newer malware versions.[1]
Mobile | T1636.003 | Protected User Data: Contact List | FluBot can retrieve the contacts list from an infected device.[1]
Mobile | T1636.004 | Protected User Data: SMS Messages | FluBot can intercept SMS messages and USSD messages from telecom operators.[1]
Mobile | T1604 | Proxy Through Victim |
Mobile | T1582 | SMS Control | FluBot can send SMS phishing messages to other contacts on an infected device.[1][2]