Beware, as a new iOS trojan dubbed GoldPickaxe has emerged, capable of stealing banking data, ID documents, and even facial data from infected devices.
Group-IB has discovered a new iOS Trojan, dubbed GoldPickaxe.iOS designed to steal facial recognition data, identity documents, and intercept SMS. The company’s Threat Intelligence Unit has attributed the entire threat cluster to a threat actor dubbed GoldFactory.
The GoldPickaxe family has been active since mid-2023, targeting the Asia-Pacific region, specifically Thailand and Vietnam and the attack method involves impersonating local banks and government organizations.
As per Group-IB, the threat actor exploits stolen biometric data using AI-driven face-swapping services to create deepfakes, allowing unauthorized access to a victim’s banking account, which is a new monetary theft technique.
In this campaign, GoldFactory has successfully used Mobile Device Management (MDM) to manipulate Apple devices, distributing its iOS Trojan by abusing TestFlight. Victims receive seemingly innocent URLs (e.g. testflight.apple.com/join/) leading to the installation of malicious software.
Another sophisticated method is tricking victims into interacting with fraudulent websites to install an MDM profile, allowing cybercriminals complete control over the victim’s device.
Thailand Banking Sector CERT (TB-CERT) has also reported that cybercriminals are distributing malicious links via messengers to lure victims into a fraudulent app posing as a ‘Digital Pension’ app. The app’s credibility is doubtful as Group-IB’s investigation confirmed multiple versions of GoldPickaxe impersonating official Thai government services, including the Digital Pension app for Thailand.
Researchers believe that the group may be engaging operators proficient in Thai and Vietnamese or possibly running a call center since an SMS written in Thai was found in the phishing campaign. In Thailand, cybercriminals impersonate government authorities and convince victims to use LINE, a popular messaging application.
According to Group-IB’s blog post, the gang reportedly employs a combination of smishing and phishing techniques to carry out their malicious activities in Vietnam and Thailand. Despite evidence that it is a Chinese-speaking group, the involvement/role of local cybercriminals cannot be ruled out when calls made to victims are examined.
It is worth noting that Group-IB previously discovered an Android Trojan, codenamed GoldDigger, stealing facial data, targeting over 50 Vietnamese banking applications, electronic wallets, and cryptocurrency wallets since June 2023.
The newly discovered GoldPickaxe family is based on the GoldDigger Android Trojan. However, researchers claim the infection chain for GoldPickaxe iOS variants is not significantly different for other Trojans within the GoldFactory family.
GoldPickaxe malware was developed using the same communication mechanism and cloud bucket URL as GoldDigger but has fewer functionalities compared to its Android sibling due to iOS’s closed nature and stricter permissions.
Both versions use fake login pages to access fake Digital pension applications, potentially avoiding detection. Another variant, GoldDiggerPlus, was also identified with extended GoldDigger’s functionality, allowing real-time call calls through a specially designed APK called GoldKefu. All Trojans identified are currently in the active stage of evolution.
“Overall, we identified four Trojan families that were used by cybercriminals. We maintained the naming convention by using the prefix Gold for the newly discovered malware as a symbolic representation that they have been developed by the same threat actor,” Group-IB researchers noted.
Researchers couldn’t identify the toolset GoldFactory uses, indicating that this is a highly organized and technically advanced group.
For your information, in March 2023, the Bank of Thailand mandated facial biometric verification for transactions exceeding 50,000 baht, and 200,000 baht per day, and raised credit transfer limits on mobile devices. As per Group-IB’s research, GoldPickaxe likely reached Vietnam in February 2024 when a Vietnamese citizen performed a facial recognition scan, withdrawing over 40,000 USD.
The State Bank of Vietnam plans to mandate facial authentication as a security measure for all money transfers from April 2024, indicating the potential exploitation of GoldPickaxe in the country. The use of GoldPickaxe in Vietnam is expected to increase assessed Group—IB.
“GoldFactory is a resourceful team, having many tricks up their sleeve: impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity and facial recognition data collection. Equipped with diverse tools, they have the flexibility to select and execute the most suitable one that fits the scenario,” researchers noted.
The report highlights the growing cybersecurity threat and the sophisticated techniques used by cybercriminals. They have refined GoldDigger malware, introduced new categories for facial recognition data harvesting, and developed a tool for communication between victims and cybercriminals. Group-IB researchers emphasize the need for proactive, multi-faceted cybersecurity measures, including user education.