February 16, 2024
Severity
High
Analysis Summary
A new campaign launched by the infamous Chinese threat group “GoldFactory” is leveraging Gold Pickaxe, a newly discovered malware strain that targets Android and iOS devices. First discovered in October 2023, this malware operates silently in the background, stealing sensitive information and manipulating the targeted device for malicious purposes.
This group, active since at least mid-2023, is also responsible for other malware strains such as “Gold Digger”, “Gold Digger Plus”, and “Gold Kefu”. Researchers discovered that the social engineering campaigns distributing the malware usually target the Asia-Pacific region, most specifically Thailand and Vietnam, by posing as local banks and government organizations.
Gold Pickaxe lurks in phishing and smishing messages, often disguised as government notifications or service alerts on the LINE app. These messages trick users into downloading fraudulent apps, like a fake “Digital Pension” app, from websites mimicking Google Play. Once installed, the malware activates, initiating its data heist. This malware is capable of stealing facial scans and ID documents through fake verification prompts. This information is then believed to be used for creating deepfakes that grant unauthorized access to the victim’s bank account.
For iOS users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal security review process. When Apple removed the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control over devices.

Meanwhile, the Android version also masquerades as more than 20 different applications from the government of Thailand, utility companies, and the financial sector in order to steal login credentials for these services. However, the purpose of stealing this information and what the threat actors do with it is currently unknown.
Gold Pickaxe also spies on the device activity, including keystrokes, browsing history, and app usage, to gather even more intel. Banking apps and other financial services are the prime targets, with the malware siphoning off the passwords and financial information. In certain instances, it can even seize complete control of the device, allowing remote access to the data present on it. The techniques used by Gold Pickaxe pose a global threat. Anyone who interacts with digital platforms is susceptible to its deceptive tactics.
It is important to stay vigilant in combating Gold Pickaxe by being wary of suspicious messages, and never clicking on links or downloading attachments from unknown sources. It is recommended to stick to official sources like Google Play and App Store for safe downloads. Keeping software updated with the latest security patches is crucial. Strong passwords and two-factor authentication add extra layers of protection. Caution is the key when sharing personal information online, and it is good practice to consider using a security app for an additional shield.
Impact
- Sensitive Information Theft
- Unauthorized Access
- Financial Loss
Indicators of Compromise
Domain Name
- ms2ve.cc
- hds6y.cc
- smgeo.cc
- www.dg1e.com
- zu7kt.cc
- ks8cb.cc
- wbke.cc
- t8bc.xyz
- bv8k.xyz
- wsy6.xyz
- wts3.xyz
- qskm.xyz
- tp7s.xyz
MD5
- 7231113878de608785971f00cad61c41
- fbd4f6896beab2fef51aa2ade6cad5ef
- 9d1cb40b4f5adee2dea3147bba593df6
- 45c2fd39f1e050f1b5228786ff85185e
SHA-256
- 4571f8c8560a8a66a90763d7236f55273750cf8dd8f4fdf443b5a07d7a93a3df
- b72d9a6bd2c350f47c06dfa443ff7baa59eed090ead34bd553c0298ad6631875
- d8834a21bc70fbe202cb7c865d97301540d4c27741380e877551e35be1b7276b
- b5dd9b71d2a359450d590bcd924ff3e52eb51916635f7731331ab7218b69f3b9
SHA-1
- aa71dd4b6358e99279be2f36092892d0ba06bca8
- 3bd4f55b4298c4a888425cfd8d17d994f227baa3
- 97a65053449f786552d08a6e1223a195138f8932
- 6c2c2503255f7b4a08b1801636b0ab3346a428ee
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IoCs) in your environment utilizing your respective security controls.
- Only download apps from official sources like Google Play and App Store.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Maintain daily backups of all computer networks and servers.
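The two IoC-hunting steps above (block the indicators, then sweep existing telemetry for them) are easy to get wrong in one specific way: a naive substring search for `ms2ve.cc` misses `api.ms2ve.cc` in DNS logs and wrongly flags `ms2ve.cc.example.com`. The following added example is not part of the Rewterz alert; it loads the domain and hash indicators listed above into sets and scans a handful of constructed DNS, EDR and proxy log lines, matching domains by DNS-label suffix (so any subdomain of an IoC domain is a hit, but a lookalike with the IoC as a prefix is not) and hashes case-insensitively across the MD5, SHA-1 and SHA-256 lists. The log format and host names in `SAMPLE_LOGS` are invented for the demonstration.

```python
import re

# Domain indicators copied from the advisory's "Domain Name" list.
IOC_DOMAINS = {
    "ms2ve.cc", "hds6y.cc", "smgeo.cc", "www.dg1e.com", "zu7kt.cc", "ks8cb.cc",
    "wbke.cc", "t8bc.xyz", "bv8k.xyz", "wsy6.xyz", "wts3.xyz", "qskm.xyz", "tp7s.xyz",
}

# MD5, SHA-1 and SHA-256 indicators from the advisory, kept in one lowercase set
# so a log line can be matched whichever hash algorithm the sensor reports.
IOC_HASHES = {
    "7231113878de608785971f00cad61c41",
    "fbd4f6896beab2fef51aa2ade6cad5ef",
    "9d1cb40b4f5adee2dea3147bba593df6",
    "45c2fd39f1e050f1b5228786ff85185e",
    "4571f8c8560a8a66a90763d7236f55273750cf8dd8f4fdf443b5a07d7a93a3df",
    "b72d9a6bd2c350f47c06dfa443ff7baa59eed090ead34bd553c0298ad6631875",
    "d8834a21bc70fbe202cb7c865d97301540d4c27741380e877551e35be1b7276b",
    "b5dd9b71d2a359450d590bcd924ff3e52eb51916635f7731331ab7218b69f3b9",
    "aa71dd4b6358e99279be2f36092892d0ba06bca8",
    "3bd4f55b4298c4a888425cfd8d17d994f227baa3",
    "97a65053449f786552d08a6e1223a195138f8932",
    "6c2c2503255f7b4a08b1801636b0ab3346a428ee",
}

# Longest hex length first so a SHA-256 is not truncated into a bogus MD5 match.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{32}\b")
# Dotted host names ending in an alphabetic TLD; IPv4 addresses do not match.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Constructed sample telemetry (invented hosts, IPs and timestamps).
SAMPLE_LOGS = [
    "2024-02-16T09:12:01Z dns client=10.0.8.23 query=api.ms2ve.cc type=A",
    "2024-02-16T09:12:05Z dns client=10.0.8.24 query=update.google.com type=A",
    "2024-02-16T09:13:40Z edr host=WS-041 file=pension.apk "
    "sha256=4571f8c8560a8a66a90763d7236f55273750cf8dd8f4fdf443b5a07d7a93a3df",
    "2024-02-16T09:14:02Z edr host=WS-042 file=notes.txt md5=d41d8cd98f00b204e9800998ecf8427e",
    "2024-02-16T09:15:11Z proxy client=10.0.8.30 url=https://WWW.DG1E.COM/app/login",
]


def domain_matches(host, iocs=IOC_DOMAINS):
    """True if host equals an IoC domain or sits below one in the DNS tree.

    Suffix matching is done label by label, so 'api.ms2ve.cc' matches
    'ms2ve.cc' while 'ms2ve.cc.example.com' does not.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def scan_line(line):
    """Return the list of (ioc_type, value) hits found in one log line."""
    hits = []
    for m in HOST_RE.finditer(line):
        if domain_matches(m.group(1)):
            hits.append(("domain", m.group(1).lower()))
    for m in HASH_RE.finditer(line):
        digest = m.group(0).lower()
        if digest in IOC_HASHES:
            hits.append(("hash", digest))
    return hits


def scan_logs(lines):
    """Scan an iterable of log lines; return (line_no, ioc_type, value) tuples."""
    results = []
    for line_no, line in enumerate(lines, 1):
        for ioc_type, value in scan_line(line):
            results.append((line_no, ioc_type, value))
    return results


if __name__ == "__main__":
    for line_no, ioc_type, value in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {ioc_type} IoC hit -> {value}")
```

Feeding real exports in place of `SAMPLE_LOGS` is a matter of reading the file line by line; the matching logic stays the same. For blocking rather than hunting, the same `IOC_DOMAINS` set is what a DNS sinkhole or proxy denylist should carry, and the suffix rule explains why the denylist entry should be the bare registered domain rather than a single observed FQDN.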