Friday, November 22, 2024

Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks


A Chinese-speaking threat actor codenamed GoldFactory has been attributed to the development of highly sophisticated banking trojans, including a previously undocumented iOS malware called GoldPickaxe that is capable of harvesting identity documents and facial recognition data and intercepting SMS.

"The GoldPickaxe family is available for both iOS and Android platforms," Singapore-headquartered Group-IB said in an extensive report shared with The Hacker News. "GoldFactory is believed to be a well-organized Chinese-speaking cybercrime group with close connections to Gigabud."

Active since at least mid-2023, GoldFactory is also responsible for another Android-based banking malware called GoldDigger and its enhanced variant GoldDiggerPlus, as well as GoldKefu, an embedded trojan inside GoldDiggerPlus.

Social engineering campaigns distributing the malware have been found to target the Asia-Pacific region, specifically Thailand and Vietnam, by masquerading as local banks and government organizations.

In these attacks, prospective victims are sent smishing and phishing messages and guided to switch the conversation to instant messaging apps like LINE, before being sent bogus URLs that lead to the deployment of GoldPickaxe on their devices.

Some of these malicious apps targeting Android are hosted on counterfeit websites impersonating Google Play Store pages or fake corporate websites to complete the installation process.


GoldPickaxe for iOS, however, employs a different distribution scheme, with successive iterations leveraging Apple's TestFlight platform and booby-trapped URLs that prompt users to download a Mobile Device Management (MDM) profile, granting the attackers complete control over the iOS device and letting them install the rogue app.

Both of these propagation mechanisms were disclosed by the Thailand Banking Sector CERT (TB-CERT) and the Cyber Crime Investigation Bureau (CCIB), respectively, in November 2023.


The sophistication of GoldPickaxe is also evident in the fact that it is designed to get around security measures imposed by Thailand that require users to confirm larger transactions using facial recognition to prevent fraud.

"GoldPickaxe prompts the victim to record a video as a confirmation method in the fake application," security researchers Andrey Polovinkin and Sharmine Low said. "The recorded video is then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services."

Furthermore, the Android and iOS flavors of the malware are equipped to collect the victim's ID documents and photos, intercept incoming SMS messages, and proxy traffic through the compromised device. It is suspected that the GoldFactory actors use their own devices to sign in to the bank application and perform unauthorized fund transfers.


That said, the iOS variant exhibits fewer functionalities than its Android counterpart, owing to the closed nature of the iOS operating system and the comparatively stricter iOS permission model.

The Android version, considered an evolutionary successor of GoldDiggerPlus, also poses as over 20 different applications from Thailand's government, the financial sector, and utility companies to steal login credentials for these services. However, it is currently not clear what the threat actors do with this information.

Another notable aspect of the malware is its abuse of Android's accessibility services to log keystrokes and extract on-screen content.


GoldDigger also shares code-level similarities with GoldPickaxe, although it is principally designed to steal banking credentials, whereas the latter is geared more towards gathering personal information from victims. No GoldDigger artifacts aimed at iOS devices have been identified to date.

"The primary feature of GoldDigger is that it targets over 50 applications from Vietnamese financial companies, including their packages' names in the trojan," the researchers said. "Whenever the targeted applications open, it will save the text displayed or written on the UI, including passwords, when they are entered."

The base version of GoldDigger, which was first discovered in June 2023 and is still in circulation, has since paved the way for more upgraded variants, including GoldDiggerPlus, which comes embedded with another trojan APK component dubbed GoldKefu to carry out the malicious actions.

GoldDiggerPlus is said to have emerged in September 2023, with GoldKefu impersonating a popular Vietnamese messaging app to siphon banking credentials associated with 10 financial institutions.


GoldKefu also integrates the Agora Software Development Kit (SDK) to facilitate interactive voice and video calls and trick victims into contacting a bogus bank customer service line, sending fake alerts that induce a false sense of urgency by claiming that a fund transfer to the tune of 3 million Thai Baht has taken place on their accounts.


If anything, the development is a sign that the mobile malware landscape remains a lucrative market for cybercriminals looking for quick financial gain, even as they find ways to bypass the defensive measures erected by banks to counter such threats. It also demonstrates the ever-shifting and dynamic nature of social engineering schemes that aim to deliver malware to victims' devices.

To mitigate the risks posed by GoldFactory and its suite of mobile banking malware, it is strongly advised not to click on suspicious links or install any app from untrusted sites, as they are a common vector for malware, and to periodically review the permissions given to apps, particularly those requesting Android's accessibility services.

"GoldFactory is a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection," the researchers said. "The team comprises separate development and operator groups dedicated to specific regions."

"The gang has well-defined processes and operational maturity and constantly enhances its toolset to align with the targeted environment, showcasing a high proficiency in malware development."
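As an added example that is not from the article or the Group-IB report, the following POSIX shell script puts the last recommendation into practice: it audits which packages currently hold Android's accessibility service privilege (the capability GoldDigger and GoldPickaxe abuse for keylogging and screen scraping) by parsing the `enabled_accessibility_services` secure setting, which `adb shell settings get secure enabled_accessibility_services` returns as colon-separated `package/Service` entries. The allowlist and the sample setting value are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag apps holding accessibility access that are not on an allowlist.
# Not code from the article or from Group-IB; allowlist and sample value are constructed.

# Packages expected to hold accessibility access on a managed device (assumption).
ALLOWLIST="com.google.android.marvin.talkback com.android.switchaccess"

# Print one line per enabled accessibility service: "<package> <status>", where
# status is ALLOWED or REVIEW. $1 is the raw value of the secure setting
# ("null" when nothing is enabled). Entries look like pkg/.Service or
# pkg/fully.qualified.Service; the package is everything before the first '/'.
audit_accessibility_services() {
    raw="$1"
    if [ "$raw" = "null" ]; then raw=""; fi
    printf '%s\n' "$raw" | tr -d '\r' | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg="${entry%%/*}"
        status="REVIEW"
        for allowed in $ALLOWLIST; do
            if [ "$pkg" = "$allowed" ]; then status="ALLOWED"; fi
        done
        printf '%s %s\n' "$pkg" "$status"
    done
}

# Number of packages needing review; 0 means nothing unexpected holds the privilege.
count_review() {
    audit_accessibility_services "$1" | grep -c ' REVIEW$' || true
}

# Constructed sample: a legitimate screen reader plus an unknown sideloaded "bank" app.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakebank/.CaptureService"
# On a real device, replace the constructed value with:
# SAMPLE="$(adb shell settings get secure enabled_accessibility_services)"

audit_accessibility_services "$SAMPLE"
echo "packages to review: $(count_review "$SAMPLE")"
```

Any package reported as REVIEW that the user does not recognise as an assistive tool is a candidate for removal, since a banking or government app has no legitimate need for this privilege.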
