AdguardTeam / AdguardFilters

AdGuard Content Blocking Filters
https://adguard.com/
GNU General Public License v3.0
Flubot (Android Malware) #80229

Closed scafroglia93 closed 3 years ago

scafroglia93 commented 3 years ago

VT -> https://www.virustotal.com/gui/file/88527fb710478e1c54c6540fd15c0734bee1c4d1724abefcb84d7fa4102b8411/detection

qoisocrldvnesni.ru xawsnngjljanxof.su bdvwidxfiextwof.ru krvpsegjeukhoqk.su auqcmkubxjmeeyf.ru vloxaloyfmdqxti.ru

Alex-302 commented 3 years ago

@scafroglia93 please provide a download link. We will block network access for it.

scafroglia93 commented 3 years ago

I struggle to give you the site as it is a DGA; it changes with each download request.

Alex-302 commented 3 years ago

We can block these domains. But what makes requests to these domains? What is DGA?

scafroglia93 commented 3 years ago

DGA Reference -> https://en.m.wikipedia.org/wiki/Domain_generation_algorithm

It's very hard to find all the domains used.

Alex-302 commented 3 years ago

What is the source of those domains? Which app made the requests?

scafroglia93 commented 3 years ago

APK -> https://www.virustotal.com/gui/file/88527fb710478e1c54c6540fd15c0734bee1c4d1724abefcb84d7fa4102b8411/detection

Alex-302 commented 3 years ago

I need APK download link, not virustotal.

scafroglia93 commented 3 years ago

http://youthvision.cn/track/

This is one, but there are tons of these.

Alex-302 commented 3 years ago

[image: image] https://user-images.githubusercontent.com/8361299/114709984-e40fcb80-9d35-11eb-8726-3e5ca954a04d.png

scafroglia93 commented 3 years ago

Try with mobile (Android).

scafroglia93 commented 3 years ago

That's all!

https://github.com/prodaft/malware-ioc/tree/master/FluBot

https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/v3.7_5000_domain.txt
https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/v3.7_germany.txt
https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/v3.8_domains.txt
https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/v3.9_italy.txt

Alex-302 commented 3 years ago

~Uh, those files are made from dead domains (at the moment)~

or they are still not used

scafroglia93 commented 3 years ago

It can happen, especially if domains generated by some algorithm are used.

This makes blocking at the DNS level complicated.

scafroglia93 commented 3 years ago

This is the latest update from the Italian CERT -> https://cert-agid.gov.it/wp-content/uploads/2021/04/flubot_ioca_cert-agid_19-04-2021.json_.txt

Alex-302 commented 3 years ago

They create one file which contains all domains. You can add it to AdGuard Home or another blocker. https://github.com/prodaft/malware-ioc/issues/1

GewoonJaap commented 3 years ago

https://flubot.mrproper.dev/ Here is a list with URLs. The Flubot APK is not downloaded from DGA domains AFAIK; the DGA is used once the APK is installed.

scafroglia93 commented 3 years ago

> https://flubot.mrproper.dev/ Here is a list with URLs. The Flubot APK is not downloaded from DGA domains AFAIK; the DGA is used once the APK is installed.

The phenomenon has arrived

Rather, try to create a file containing the domains to be blocked instead of writing meaningless sentences.

GewoonJaap commented 3 years ago

> > https://flubot.mrproper.dev/ Here is a list with URLs. The Flubot APK is not downloaded from DGA domains AFAIK; the DGA is used once the APK is installed.
>
> The phenomenon has arrived
>
> Rather, try to create a file containing the domains to be blocked instead of writing meaningless sentences.

What do you mean? In the footer there is a free API that lists the URLs. If you want, I can try and make this into an adblocker-ready filter list, if that is what you mean?

Alex-302 commented 3 years ago

@GewoonJaap Hi. I didn't understand your previous message. Are those domains actual Flubot domains? Does the DGA not cover all cases?

GewoonJaap commented 3 years ago

Hey @Alex-302, this is true. The domains used to spread Flubot are mostly hacked PHP websites; once Flubot is downloaded, it will contact the command and control servers, which use DGA domains.

GewoonJaap commented 3 years ago

So all the URLs you see on my website are domains used to host the .apk file for Flubot.

GewoonJaap commented 3 years ago

When you open inspect element/devtools, set your window to an Android phone so you can visit those hacked sites.

scafroglia93 commented 3 years ago

https://flubot.mrproper.dev/item

Can you create a list with only domains?

Alex-302 commented 3 years ago

@GewoonJaap Ok. Could you please add those domains to some file which can be downloaded by AdGuard Home or other DNS filters? Are those domains not static, changing from time to time?
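The conversion asked for throughout this thread (a mixed list of distribution URLs and DGA hostnames turned into a domain-only list that AdGuard Home can load), as an added example that is not code from the issue, from AdGuard or from any of the linked IoC projects. The sample input is constructed, and the output uses AdGuard's `||host^` DNS rule syntax.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample input, not from the issue: distribution URLs of the
# kind listed in the thread mixed with bare DGA-style hostnames, duplicates,
# a comment line, a raw IP and one malformed entry.
SAMPLE_IOC_LIST = """\
# FluBot IoC list (constructed sample)
http://youthvision.cn/track/
https://YouthVision.cn/track/index.php?id=1
qoisocrldvnesni.ru
xawsnngjljanxof.su
xawsnngjljanxof.su
http://192.0.2.10/flubot.apk
not a domain!!
"""


def extract_host(entry: str) -> Optional[str]:
    """Return the lowercase hostname of a URL or bare domain, else None."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    # urlsplit only recognises the netloc when a scheme is present.
    if "://" not in entry:
        entry = "http://" + entry
    host = urlsplit(entry).hostname  # already lowercased by urlsplit
    if not host or "." not in host:
        return None
    labels = host.split(".")
    # Skip raw IPv4 literals: ||host^ rules are meant for DNS names.
    if all(label.isdigit() for label in labels):
        return None
    # Every label must be a plausible DNS label (alnum and hyphen only).
    if not all(label and all(c.isalnum() or c == "-" for c in label)
               for label in labels):
        return None
    return host


def to_adguard_rules(ioc_text: str) -> List[str]:
    """Deduplicate hosts and emit sorted AdGuard DNS rules (||host^)."""
    hosts = {h for h in map(extract_host, ioc_text.splitlines()) if h}
    return [f"||{h}^" for h in sorted(hosts)]


if __name__ == "__main__":
    print("\n".join(to_adguard_rules(SAMPLE_IOC_LIST)))
```

Feed it the raw text of a downloaded IoC file instead of the sample and write the result to a file served over HTTP, which is what AdGuard Home expects as a filter list source.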

scafroglia93 commented 3 years ago

No response, closed