TTPwire Vol. 1 · MITRE ATT&CK · Tagged


F5 Labs

FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond

2022-01-06

ATT&CK techniques detected

8 predictions
T1568.002 Domain Generation Algorithms (99%)
"this function which is responsible for domain generation: in the new version, FluBot uses 30 TLDs compared to only 3 TLDs in earlier versions. DGA: prior to version 5.2 FluBot uses domain generation algorithm to find and communicate with the C2 server. The DGA seed is based on…"
T1027 Obfuscated Files or Information (95%)
"…represented as a string. An encrypted DEX file is stored in the APK's assets, decrypted, stored as a classes.dex file, archived in a ZIP file, and loaded in runtime. After loading the DEX file, the malware deletes it from the file system to avoid leaving artifacts. (On some v…"
T1568.002 Domain Generation Algorithms (91%)
"…flaterInputStream to get the zlib-decompressed data as first stage. 3. A custom decryption is used on the first stage data using bitwise operations. 4. After decryption, the data is zlib-compressed data again. The malware uses InflaterOutputStream to decompress (for a s…"
T1566.002 Spearphishing Link (87%)
"…click an embedded link that goes to a malicious page found on vulnerable WordPress websites. In other cases, the link goes to a lure page hosted on a compromised web server where the victim is prompted to install a malicious application on their mobile device. FluBot's abuse of…"
T1110.004 Credential Stuffing (75%)
"It's therefore critical to be able to identify when stolen credentials are being used by fraudsters and, additionally, detect when automated bots are launching attacks. Modern application security solutions offer the ability to detect authentication abuse, including credential…"
T1573.001 Symmetric Cryptography (75%)
"…s code in later versions. Encrypted communication via HTTP using RSA + RC4 encryption: in versions previous to 5.0, communication with the C2 is encrypted with RSA + RC4. Each sent and received message starts with a header that contains bot ID + RC4 key, which is then RSA-encry…"
T1573.001 Symmetric Cryptography (31%)
"…response. 4. Every message is Base32-encoded and consists of: - bot-id (random UUID) - external device IP - encrypted payload (see next bullet) 5. The encrypted payload consists of: - 2 bytes – size of header - header - Base64-encoded RSA-encrypted string contains:…"
T1071.004 DNS (30%)
"dns_servers: new in version 5.0. A new command featured in version 5.0 allows FluBot to update DNS resolvers in the malware's configuration. The C2 communication in version 5.0 is done through a DNS-tunneling-over-HTTPS technique. This feature enables the attacker to…"

Summary

A deconstruction of FluBot 5.0’s new communication protocol and other capabilities FluBot uses to hide, making it difficult for researchers and security solutions to detect.