tubo
Group-IB: https://www.group-ib.com/media-center/press-releases/goldfactory-ios-trojan/
...
...
GoldPickaxe.iOS disguised as Thai government service apps (including the Digital Pension app as reported by the Thailand Banking Sector CERT) requests the user to create a comprehensive facial biometric profile and take a photo of their identity card. Additionally, the threat actor requests the phone number to get more details about the victims, specifically seeking information about banking accounts associated with the victim.
The distribution strategy adopted by GoldPickaxe.iOS stands out. Initially leveraging Apple’s mobile application testing platform, TestFlight, the threat actor shifted to a more advanced approach post-removal of their malicious app from the platform. Group-IB researchers note that the threat actor does not exploit any vulnerabilities. Instead, GoldFactory employs a multi-stage social engineering scheme to manipulate victims into granting all the necessary permissions, enabling the installation of malware. Through this scheme, victims were persuaded to install a Mobile Device Management (MDM) profile, granting the threat actor complete control over their devices. MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and gain the information they need.
...
GoldPickaxe doesn’t directly steal the money from the victim’s phone. Instead, it collects all the necessary information from the victim to create video deepfakes and autonomously access the victim’s banking application. Facial recognition is actively used by Thai financial organizations for transaction verification and login authentication. During the research, Group-IB established that the Trojan unequivocally possesses the capability to prompt victims to scan their faces and submit ID photos. Nevertheless, Group-IB researchers have not observed documented cases of cybercriminals utilizing this stolen data to gain unauthorized access to victims’ bank accounts in the wild. Group-IB’s hypothesis suggests that the cybercriminals are using their own, allegedly Android, devices to log into victims’ bank accounts. The Thai police confirmed Group-IB’s assumption, stating that cybercriminals are installing banking applications on their own Android devices and using captured face scans to bypass facial recognition checks and carry out unauthorized access to victim accounts.
...
Group-IB attributes the entire threat cluster to a single, highly sophisticated Chinese-speaking threat actor dubbed GoldFactory. Debugging strings in Chinese were found throughout all the malware variants and their C2 panels were also in Chinese.
...
For a detailed examination of GoldFactory’s tactics, techniques, and procedures, along with the list of indicators of compromise, visit Group-IB’s fresh blog post.
For banks and financial organizations, Group-IB experts recommend implementing a user session monitoring system such as Group-IB’s Fraud Protection to detect the presence of malware and block anomalous sessions before the user enters any personal information. Recommendations for end-users are as follows: avoid clicking on suspicious links, use official app stores to download applications, review the permissions of all apps, avoid adding unknown contacts, verify the legitimacy of bank communications, and act promptly if fraud is suspected by contacting your bank.
GoldFactory is a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection. The team comprises separate development and operator groups dedicated to specific regions. The announcement of Thailand’s policy on facial biometric verification, released in March 2023 and enforced by July, coincided with the discovery of the earliest traces of GoldPickaxe in early October. A total of three months was enough for the group to research, develop, and test new facial recognition data collection features.
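The press release above describes the fraud pattern (face data captured on a victim's iPhone, replayed from the attacker's own Android device) and recommends session monitoring on the bank side. The following is an added example of one such monitoring rule, written here for illustration; it is not Group-IB's code or any vendor product, and it assumes the bank's session log carries an account id, a device fingerprint, the platform and the authentication method. The sample sessions are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ts: int          # event order (e.g. epoch seconds)
    account: str
    device_id: str   # hypothetical app-installation / device fingerprint
    platform: str    # "iOS" or "Android"
    auth: str        # "password" or "face"


# Constructed sample telemetry, not real data. acct-A is a victim whose face
# scan was captured on an iPhone and replayed from an attacker-controlled
# Android device; acct-B is a legitimate user who changed phones within one
# platform and must not be flagged.
SAMPLE = [
    Session(1, "acct-A", "iphone-1", "iOS", "password"),
    Session(2, "acct-A", "iphone-1", "iOS", "face"),
    Session(5, "acct-B", "android-7", "Android", "face"),
    Session(6, "acct-B", "android-8", "Android", "face"),
    Session(7, "acct-A", "android-99", "Android", "face"),
]


def flag_cross_platform_face_logins(sessions):
    """Return face-verified logins from a device never seen on the account
    whose platform also differs from every platform the account has used.
    An account's first session only establishes the baseline."""
    seen_devices = {}    # account -> set of device ids
    seen_platforms = {}  # account -> set of platforms
    flagged = []
    for s in sorted(sessions, key=lambda x: x.ts):
        devices = seen_devices.setdefault(s.account, set())
        platforms = seen_platforms.setdefault(s.account, set())
        if (devices and s.auth == "face"
                and s.device_id not in devices
                and s.platform not in platforms):
            flagged.append(s)
        devices.add(s.device_id)
        platforms.add(s.platform)
    return flagged


if __name__ == "__main__":
    for s in flag_cross_platform_face_logins(SAMPLE):
        print(f"ALERT {s.account}: face login from new {s.platform} "
              f"device {s.device_id} at t={s.ts}")
```

In production the flagged session would be held for step-up verification or blocked before any personal data is entered, as the release recommends; the rule is deliberately narrow so that a user replacing a phone on the same platform is not caught.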