
FluHorse Malware Steals Passwords and 2FA Codes Using Fake Apps

Check Point Research recently discovered a new malware strain called ‘FluHorse’ that targets users in Eastern Asia with malicious apps disguised as legitimate ones.

Since May 2022, the malware has been targeting various sectors across the region; it is distributed by sending malicious emails to unsuspecting users.

The main goal of FluHorse is to steal sensitive information, such as account credentials and credit card data, from its targets.

In some cases, the malware even attempts to steal two-factor authentication (2FA) codes, which makes it particularly dangerous. Once it has infected a device, it can carry out a range of malicious activities without the user’s knowledge, including accessing sensitive data and installing additional malware.

FluHorse Targets High-Profile Individuals

The FluHorse campaign targets high-profile individuals in Eastern Asia by sending malicious emails that urge the victim to take immediate action to resolve a payment issue. Once the victim clicks the link in the email, they are directed to a phishing site that encourages them to download the fake app.

The FluHorse malware uses apps that imitate legitimate ones, such as ‘ETC,’ a toll-collection app used in Taiwan, and ‘VPBank Neo,’ a banking app used in Vietnam, to trick users into downloading them. It also poses as a transportation app, although that app’s name was not disclosed.

Once the malware obtains the account credentials and credit card details, the apps display a “system is busy” message for 10 minutes, providing cover for the operators to intercept 2FA codes and use the stolen data.

Check Point Research reports that the malicious apps were developed in Dart using the Flutter platform, which makes the malware harder to reverse engineer and decompile.

Part of that difficulty comes from Flutter’s use of a non-standard register as the stack pointer. The choice of register does not affect code execution, but it can significantly impair the decompilation process, producing incorrect and difficult-to-read pseudocode.

Check Point warns that the FluHorse campaign is still ongoing, with the threat actor introducing new infrastructure and malicious apps every month, making it an active threat to Android users.
