iOS gold rush is back in APAC: Group-IB reveals the first iOS Trojan that steals your face | group-ib.com

tubo

Group-IB: https://www.group-ib.com/media-center/press-releases/goldfactory-ios-trojan/
...
GoldPickaxe.iOS disguised as Thai government service apps (including the Digital Pension app as reported by the Thailand Banking Sector CERT) requests the user to create a comprehensive facial biometric profile and take a photo of their identity card. Additionally, the threat actor requests the phone number to get more details about the victims, specifically seeking information about banking accounts associated with the victim.
The distribution strategy adopted by GoldPickaxe.iOS stands out. Initially leveraging Apple’s mobile application testing platform, TestFlight, the threat actor shifted to a more advanced approach post-removal of their malicious app from the platform. Group-IB researchers note that the threat actor does not exploit any vulnerabilities. Instead, GoldFactory employs a multi-stage social engineering scheme to manipulate victims into granting all the necessary permissions, enabling the installation of malware. Through this scheme, victims were persuaded to install a Mobile Device Management (MDM) profile, granting the threat actor complete control over their devices. MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and gain the information they need.
...
GoldPickaxe doesn’t directly steal the money from the victim’s phone. Instead, it collects all the necessary information from the victim to create video deepfakes and autonomously access the victim’s banking application. Facial recognition is actively used by Thai financial organizations for transaction verification and login authentication. During the research, Group-IB established that the Trojan unequivocally possesses the capability to prompt victims to scan their faces and submit ID photos. Nevertheless, Group-IB researchers have not observed documented cases of cybercriminals utilizing this stolen data to gain unauthorized access to victims’ bank accounts in the wild. Group-IB’s hypothesis suggests that the cybercriminals are using their own, allegedly Android, devices to log into victims’ bank accounts. The Thai police confirmed Group-IB’s assumption, stating that cybercriminals are installing banking applications on their own Android devices and using captured face scans to bypass facial recognition checks and carry out unauthorized access to victim accounts.
...
Group-IB attributes the entire threat cluster to a single, highly sophisticated Chinese-speaking threat actor dubbed GoldFactory. Debugging strings in Chinese were found throughout all the malware variants and their C2 panels were also in Chinese.
...
For a detailed examination of GoldFactory’s tactics, techniques, and procedures, along with the list of indicators of compromise, visit Group-IB’s fresh blog post.
For banks and financial organizations, Group-IB experts recommend implementing a user session monitoring system such as Group-IB’s Fraud Protection to detect the presence of malware and block anomalous sessions before the user enters any personal information. Recommendations for end-users are as follows: avoid clicking on suspicious links, use official app stores to download applications, review the permissions of all apps, avoid adding unknown contacts, verify the legitimacy of bank communications, and act promptly if fraud is suspected by contacting your bank.
GoldFactory is a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection. The team comprises separate development and operator groups dedicated to specific regions. The announcement of Thailand’s policy on facial biometric verification, released in March 2023 and enforced by July, coincided with the discovery of the earliest traces of GoldPickaxe in early October. A total of three months was enough for the group to research, develop, and test new facial recognition data collection features.
 
Last edited by a moderator:
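The press release above says the whole operation hinges on talking the victim into installing an MDM enrolment profile. Such a profile is just an Apple `.mobileconfig` property list, so the thing a defender (or a cautious user) actually wants is a way to look inside one before it is accepted: which MDM server it enrols the device with, and which access rights the `com.apple.mdm` payload claims. The script below is an added example written for this thread, not code from Group-IB or from the press release. The profile it parses is constructed for the example; its display name, identifiers and server host are placeholders, not indicators from the report. The bit meanings in `MDM_RIGHTS` follow Apple's published MDM payload format.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample of an MDM enrolment profile (.mobileconfig). Display name,
# identifiers and server host are placeholders for this example only.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>placeholder.pension.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Digital Pension Service</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>placeholder.pension.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.placeholder.invalid/checkin</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# AccessRights is a bitmask in the com.apple.mdm payload. 8191 (0x1FFF) sets
# every bit, i.e. full control of the device once enrolled.
MDM_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "lock device / remove passcode",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "query restrictions",
    1024: "query security settings",
    2048: "manipulate settings",
    4096: "manage apps",
}

# Rights that let an enrolment server push apps and reshape the device; a
# "government service" profile has no business asking for them.
HIGH_RISK = {
    "manage apps",
    "install/remove configuration profiles",
    "erase device",
    "lock device / remove passcode",
}


def mdm_payloads(profile: dict) -> list:
    """Return the com.apple.mdm payloads inside a parsed configuration profile."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.mdm"]


def decode_rights(mask: int) -> list:
    """Expand an AccessRights bitmask into human-readable right names."""
    return [name for bit, name in MDM_RIGHTS.items() if mask & bit]


def assess_profile(data: bytes, approved_hosts: set) -> dict:
    """Parse a .mobileconfig and flag MDM enrolment to unapproved servers or
    with high-risk rights. approved_hosts is the organisation's own MDM list."""
    profile = plistlib.loads(data)
    report = {"display_name": profile.get("PayloadDisplayName"),
              "mdm_servers": [], "findings": []}
    for payload in mdm_payloads(profile):
        host = urlparse(payload.get("ServerURL", "")).hostname or ""
        report["mdm_servers"].append(host)
        if host not in approved_hosts:
            report["findings"].append(
                f"MDM server {host or '<none>'} is not an approved enrolment host")
        rights = decode_rights(int(payload.get("AccessRights", 0)))
        for right in sorted(HIGH_RISK & set(rights)):
            report["findings"].append(f"MDM payload may {right}")
    report["verdict"] = "block" if report["findings"] else "allow"
    return report


if __name__ == "__main__":
    # Placeholder allow-list: the sample's server is deliberately not on it.
    result = assess_profile(SAMPLE_PROFILE, {"mdm.corp-example.invalid"})
    print(result["display_name"], "->", result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Against the sample, the verdict is "block": the enrolment server is unknown and the payload asks for app management, profile installation, device erase and passcode removal, which is exactly the kind of control the press release says the attackers relied on. A profile that only enrols with an organisation's own MDM host and claims narrower rights passes.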
Can you please not just paste a news article in here without any comment?

Edit: Well, what do I mean, news article…
A press release.

What do you want to discuss now? A “Trojan” that you have to actively install, via an MDM, and that only exists in the Asian region. Yeah, great.
 
Last edited:
I didn't think it was without comment: in short: in my opinion: dangerous.
And: Trojans always deceive about their actual activity and can be contained in all kinds of harmless-looking software. Installation at the request of the (deceived) user is typical.
I considered it a service notice, since I couldn't quickly find anything about it in the German media.
If it causes heartache: please delete!
 
I had the thread title translated and adjusted it, and put the copied text content in quote marks.
At first I suspected spam.
 