FluBot was first spotted by ThreatFabric researchers at the beginning of this year, and analysts at the Swiss company PRODAFT recently prepared a detailed report on the malware. Apparently, it was the data collected by these researchers that led to the arrest of the malware's operators.
FluBot is an Android banking Trojan that displays fake login screens on top of other apps. In this way, the malware harvests its victims' e-banking credentials and payment card details.
The striking number of FluBot infections is most likely due to a worm-like mechanism in the malware's code: the operators upload the victim's address book to their command and control server and send malicious SMS spam from there to every contact. PRODAFT analysts warned that more than 11,000,000 phone numbers were collected from infected devices (nearly 25% of the total Spanish population), and Catalan officials say they tracked at least 71,000 spam messages sent by the group.
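The worm-like spread described above leaves a characteristic footprint on the infected handset: one identical message fanned out to many distinct numbers in a short window. The following Python snippet is an added example, not code from the article, from PRODAFT or from ThreatFabric; it assumes a hypothetical outbound-SMS telemetry feed (one line per message: timestamp, device id, recipient, quoted body, a format invented for this illustration) and flags devices whose sending pattern looks like address-book fan-out rather than ordinary texting.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample telemetry (invented for this example, not from any real device).
# device-A sends one identical lure to six contacts within ten seconds (worm-like fan-out);
# device-B and device-C show ordinary texting and stay below the threshold.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z device-A +34600000001 "Your parcel is waiting, track it here: hxxp://example.invalid/track"
2021-03-01T10:00:02Z device-A +34600000002 "Your parcel is waiting, track it here: hxxp://example.invalid/track"
2021-03-01T10:00:04Z device-A +34600000003 "Your parcel is waiting, track it here: hxxp://example.invalid/track"
2021-03-01T10:00:05Z device-A +34600000004 "Your parcel is waiting, track it here: hxxp://example.invalid/track"
2021-03-01T10:00:07Z device-A +34600000005 "Your parcel is waiting, track it here: hxxp://example.invalid/track"
2021-03-01T10:00:10Z device-A +34600000006 "Your parcel is waiting, track it here: hxxp://example.invalid/track"
2021-03-01T10:00:03Z device-B +34600000099 "See you at 7?"
2021-03-01T10:05:03Z device-B +34600000098 "Running late, sorry"
2021-03-01T10:02:00Z device-C +34600000050 "Dinner is at 8 tonight"
2021-03-01T10:02:01Z device-C +34600000051 "Dinner is at 8 tonight"
"""

# Assumed line layout: <ISO-8601 UTC timestamp> <device id> <recipient> "<body>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def parse_line(line):
    """Parse one telemetry line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, recipient, body = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "device": device, "to": recipient, "body": body}


def parse_log(text):
    """Parse a whole telemetry blob, silently skipping malformed lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def detect_fan_out(events, window_seconds=60, min_recipients=5):
    """Flag (device, body) pairs where the same message reached at least
    min_recipients distinct numbers inside any window_seconds-long window.
    Keying on the exact body is what separates a smishing burst from a busy
    but normal user, who sends many messages with different content."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        by_key[(e["device"], e["body"])].append(e)

    alerts = []
    for (device, body), msgs in by_key.items():
        peak = 0
        start = 0
        # Sliding window over the time-sorted messages sharing this body.
        for end in range(len(msgs)):
            while (msgs[end]["time"] - msgs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, len({m["to"] for m in msgs[start:end + 1]}))
        if peak >= min_recipients:
            alerts.append({"device": device, "recipients": peak, "body": body})
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(parse_log(SAMPLE_LOG)):
        print(f"{alert['device']}: identical message to {alert['recipients']} "
              f"numbers within a minute: {alert['body'][:40]}...")
```

Thresholds are deliberately parameters: a carrier-side feed would use a higher recipient count and a longer window than a single-handset MDM agent, and the alert is a triage signal (a device worth isolating and re-imaging), not a verdict on its own.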
Spanish law enforcement officials report that they detained four men aged 19 to 27, whose names were not disclosed. Two of them are considered the leaders of the group and were kept in custody, while the other two were released but are required to appear in court. One of the leaders reportedly handled the technical side of FluBot's operations: he wrote the malware and created the fake login pages that imitated various banks' transaction screens.
Investigators also raided the suspects' apartments, where they seized cash, laptops, documents and mobile devices. Some of these mobile devices were allegedly bought with the victims' money.
"In addition to making money transfers [from victims' accounts], the criminals paid with victims' cards and bought luxury mobile phones, which they sent to people living in the province of Madrid who were paid to receive the parcels," the authorities say.
We dismantle a criminal group specialized in #Smishing, or scams via SMS messages, with which they obtained bank and mobile phone data from the victims. Two of the members, who formed the leadership, are already in prison pic.twitter.com/d2XiWa0rCP
– Mossos (@mossos) March 5, 2021
Despite these arrests, FluBot is still active and continues to spread. It is not yet clear whether other members of the group who manage the botnet are still at large, or whether the malware's control servers keep running unattended and the botnet is now functioning "by inertia."