Security updates trojan

The banking trojan keeps switching up its lies, trying to fool Android users into clicking on a fake Flubot-deleting app or supposedly uploaded photos of recipients. If you are seeing this page, it does not mean you are infected with Flubot; however, if you follow the false instructions from this page, it WILL infect your device. Needless to say, at a time when everyone is using courier delivery services, this has the potential to cause a lot of damage.

As of Friday, the threat actors had switched it up, with scam text that pretends that photos of the recipient have been uploaded. Expect yet more creative writing exercises still to come, CERT NZ recommended, adding that New Zealanders should forward the texts to and then delete them. Be wary of any suspicious text messages you receive asking you to click on a link, and forward any new suspicious texts to. In all cases, there will be a link asking recipients to install an app or a security update.

Flubot is only a danger to Android devices. Nor are phones infected until and unless hapless users download and install the purported anti-Flubot software.

Below are some examples of what the installation messages may look like. The first, the parcel-related message, has been used in previous Flubot campaigns. The same goes for users who entered personal information into a form, particularly payment card details: change passwords and contact your bank to check for unusual activity. The Flubot banking trojan is after banking and credit card information as well as contact lists, which it uploads to a server and uses to keep spreading itself.

The New Zealand Flubot campaign is a copy-paste repeat of one that hit in April. At that time, the malware spread rapidly, using a similar parcel-related message. In February, attackers were harvesting personal data of users in the U.. Mobile phishing has been a booming business since the start of the COVID pandemic, experts say, and is expected to keep growing.

At this moment I started thinking that this Svchost.

And what are the only two apps eating up the whole CPU? Anything from Adobe and Coin mining programs. I downloaded Malwarebytes antivirus. And guess what? I was right! What appeared to be Svchost. I used the recommended settings of Malwarebytes and deleted it.

I will attach the Malwarebytes report later. The last time I downloaded something from relatively "unreliable" sources was half a year ago, and I had Windows updated several times since then.

Oh, I had the delivery optimization turned on. My friend later helped me analyze this report. From the Malwarebytes log (full report here: link to Google Drive folder with txt file, no need to download) we learned that:

Final notes: I hope that this post will help anyone with the same problem I had, and I hope it will help secure the Windows I really don't know how the virus got on my PC, or if it came from another PC via the home network; we can only assume.

Also, note that I'm not a software engineer.

The other interesting aspect is the passing of context either as command line arguments or by modifying the body of the next stage. This is a simple, yet effective, form of anti-analysis technique, because if you have Downloader 1 without the matching Dropper, you will have neither the URL nor the custom HTTP verb needed to obtain the next stage of the malware.

This approach makes analysis harder without knowledge of the context. In this case, the chain is much shorter and less robust, as only a single JavaScript file, serving as the final stage, is embedded in the MSI and executed. Compared to the PowerShell final stage from the previous chain, there are some visible similarities. The main one, shown in Figure 5, is the installation routine, called after downloading and extracting the ZIP archive, that renames the contents of the extracted ZIP archive according to file size.

That is closely connected to the execution method described in the next section.

Figure 5. Comparison of the installation routine in the JavaScript and PowerShell scripts used by Mekotio, highlighting the similarity in basing the decision on file size.

Mekotio is most commonly executed by abusing the legitimate AutoIt interpreter.

In this scenario, the ZIP archive contains, besides the Mekotio banking trojan, a legitimate AutoIt interpreter and a small AutoIt loader or injector script. The final stage of the distribution chain executes the AutoIt interpreter and passes the loader or injector script to it to interpret. That script then executes the banking trojan. Figure 6 illustrates the whole process. Mekotio is not the only Latin American banking trojan using this method, but it favors it significantly more than its competitors.

However, many variants of Mekotio modify how the data are processed before being decrypted. The first few bytes of the hardcoded decryption key may be ignored, as may some bytes of the encrypted string. Some variants further base-encode the encrypted strings. The specifics of these methods vary. This technique is not unheard of in relation to Latin American banking trojans.

That way, it is not immediately clear what the underlying database looks like. However, the login string is still hardcoded in the binary. We describe them below in the chronological order in which we encountered them. A random domain is chosen from both lists and resolved. The resulting IP address is further modified. For clarity, we have implemented both algorithms in Python, as seen in Figure 7. Notice that this approach is surprisingly similar to the one used by Casbaneiro (marked as method 5 in the hyperlinked analysis).
