GoldPickaxe Banking Trojan

A sophisticated threat actor known as GoldFactory, fluent in Chinese, has been identified as the creator of advanced banking Trojans. One of their latest creations is an undocumented iOS malware named GoldPickaxe, which is capable of harvesting identity documents and facial recognition data and intercepting SMS.

Researchers have verified that the GoldPickaxe family targets both iOS and Android platforms. The GoldFactory cybercrime group, believed to be well-organized and Chinese-speaking, is closely linked to Gigabud.

Operating since at least mid-2023, GoldFactory is responsible for the development of the Android-based banking malware GoldDigger, along with its enhanced variant GoldDiggerPlus. Additionally, they have created GoldKefu, an embedded Trojan within GoldDiggerPlus.

Attackers Utilize Various Phishing Techniques to Deploy GoldPickaxe

Social engineering campaigns spreading the malware have been identified, focused on the Asia-Pacific region, particularly Thailand and Vietnam. The attackers pose as local banks and government entities.

In these targeted attacks, individuals receive deceptive smishing and phishing messages, prompting them to shift the conversation to instant messaging apps such as LINE. Subsequently, the attackers send fraudulent URLs, leading to the installation of GoldPickaxe on the victims' devices.

The Android versions of the unsafe applications are hosted on counterfeit websites that mimic Google Play Store pages or corporate sites, so that the victim sideloads the app and completes the installation.

New Tactics Displayed by the GoldFactory Cybercriminals

GoldPickaxe's distribution method for iOS is different. It relies on Apple's TestFlight platform and on booby-trapped URLs that encourage users to install a Mobile Device Management (MDM) profile; the profile grants the attackers control over the iOS device and facilitates the installation of the rogue app. Both distribution tactics were revealed by the Thailand Banking Sector CERT (TB-CERT) and the Cyber Crime Investigation Bureau (CCIB) in November 2023.
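Because an MDM enrollment profile hands device control to whoever runs the MDM server, a defender's first question about a profile a user was asked to install is what payloads it contains and what rights the MDM payload requests. The following is an added example, not code from the original article or from any of the researchers it cites: it parses a configuration profile (`.mobileconfig`, an Apple property list) with Python's standard `plistlib`, lists the payload types, and decodes the `AccessRights` mask of a `com.apple.mdm` payload. The sample profile, its identifiers and the `example.invalid` hostnames are constructed for the demonstration and are not indicators from the campaign. The `AccessRights` bit labels follow Apple's MDM protocol documentation as the author of this example recalls it; treat them as an assumption to check against the current reference.

```python
"""Triage an iOS configuration profile (.mobileconfig) before it is installed.

Added example (not from the original article). It reports the payloads a
profile would install and flags an MDM enrollment payload together with the
rights it requests. Sample data below is constructed; hostnames are placeholders.
"""
from __future__ import annotations

import plistlib

# Subset of AccessRights bits (assumption: verify against Apple's current
# MDM protocol reference before relying on these labels).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock / passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}

# Constructed sample: a profile posing as a bank "security update" that carries
# an MDM enrollment payload requesting every right in the table above.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.bank.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key><string>Bank Security Update</string>
  <key>PayloadOrganization</key><string>Example Bank</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.bank.mdm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>ServerURL</key><string>https://mdm.example.invalid/server</string>
      <key>CheckInURL</key><string>https://mdm.example.invalid/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.placeholder</string>
      <key>AccessRights</key><integer>8191</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def decode_access_rights(mask: int) -> list[str]:
    """Translate an AccessRights bitmask into the rights it grants."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def triage_profile(data: bytes) -> dict:
    """Summarise a profile: who claims to issue it, what it installs, and
    (if present) where the MDM payload enrolls the device and with what rights."""
    head = data.lstrip()
    if not (head.startswith(b"<") or head.startswith(b"bplist")):
        # A signed profile is wrapped in a CMS/PKCS#7 blob; unwrap and check
        # the signer with platform tooling before parsing the payload.
        raise ValueError("not a plain plist: profile is signed or not a profile")
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    summary = {
        "display_name": profile.get("PayloadDisplayName"),
        "organization": profile.get("PayloadOrganization"),
        "payload_types": [p.get("PayloadType") for p in payloads],
        "mdm": None,
    }
    for p in payloads:
        if p.get("PayloadType") == "com.apple.mdm":
            summary["mdm"] = {
                "server_url": p.get("ServerURL"),
                "checkin_url": p.get("CheckInURL"),
                "access_rights": decode_access_rights(int(p.get("AccessRights", 0))),
            }
    return summary


if __name__ == "__main__":
    result = triage_profile(SAMPLE_PROFILE)
    print(f"{result['display_name']!r} from {result['organization']!r}")
    print("payloads:", result["payload_types"])
    if result["mdm"]:
        print("MDM enrollment at", result["mdm"]["server_url"])
        for right in result["mdm"]["access_rights"]:
            print("  grants:", right)
```

A legitimate bank or government service has no reason to ask a customer to enroll a personal phone in MDM; any `com.apple.mdm` payload in a profile delivered over a chat link is itself the finding, and the decoded rights show how much of the device that enrollment hands over.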

The sophistication of GoldPickaxe is further demonstrated by its ability to circumvent security measures imposed in Thailand, which require users to confirm larger transactions with facial recognition as an anti-fraud step. GoldPickaxe prompts victims to record a video as a supposed confirmation step inside the deceptive application. That recording then serves as raw material for deepfake videos produced with face-swapping artificial intelligence services.

Moreover, both the Android and iOS variants of the malware can collect the victim's ID documents and photos, intercept incoming SMS messages and route traffic through the compromised device. The GoldFactory actors are suspected of using their own devices to sign in to the victims' bank applications and execute unauthorized fund transfers.

Differences Between the iOS and Android GoldPickaxe Versions

The iOS version of GoldPickaxe demonstrates fewer functionalities compared to its Android counterpart. This discrepancy is attributed to the closed nature of the iOS operating system and its relatively stringent permission protocols.

The Android variant, seen as an evolutionary successor to GoldDiggerPlus, disguises itself as over 20 different applications associated with Thailand's government, financial sector, and utility companies. Its primary goal is to pilfer login credentials from these services. However, the exact intentions of the threat actors with this gathered information remain unclear.

Another noteworthy characteristic of the Android variant is its abuse of Android's accessibility services to record keystrokes and capture on-screen content.
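An app that both arrived outside the Play Store (as described for the counterfeit sites above) and holds an enabled accessibility service is exactly the combination a responder should look for on a suspected device. The following is an added example, not code from the original article: it correlates the text output of two `adb shell` commands a responder would collect, `settings get secure enabled_accessibility_services` and `pm list packages -i`, and flags every enabled accessibility service whose package was not installed by the Play Store (`com.android.vending`). The sample outputs and the package names in them are constructed for the demonstration.

```python
"""Flag enabled Android accessibility services from sideloaded packages.

Added example (not from the original article). Inputs are the raw text of
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
collected from a device. Sample outputs below are constructed.
"""
from __future__ import annotations

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of enabled_accessibility_services: entries are
# "package/ServiceClass" separated by colons (a short ".Class" form is
# relative to the package).
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakebank/.OverlayService"
)

# Constructed sample of `pm list packages -i`; "installer=null" means the
# package was not installed by a store app (e.g. sideloaded from a browser).
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakebank  installer=null
package:com.android.chrome  installer=com.android.vending
"""


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Return (package, fully qualified service class) pairs from the setting."""
    services = []
    if not setting or setting.strip() == "null":
        return services
    for entry in setting.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(listing: str) -> dict[str, str | None]:
    """Map package name -> installer package (None when the installer is null)."""
    installers = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        parts = line[len("package:"):].split()
        pkg, installer = parts[0], None
        for field in parts[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        installers[pkg] = installer
    return installers


def flag_suspicious_services(setting: str, listing: str) -> list[dict]:
    """Enabled accessibility services whose package did not come from the Play Store."""
    installers = parse_installers(listing)
    findings = []
    for pkg, cls in parse_enabled_services(setting):
        installer = installers.get(pkg)
        if installer != PLAY_STORE_INSTALLER:
            findings.append({
                "package": pkg,
                "service": cls,
                "installer": installer or "unknown/sideloaded",
            })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_services(SAMPLE_ENABLED, SAMPLE_PACKAGES):
        print(f"SUSPICIOUS accessibility service {f['service']} "
              f"(package {f['package']}, installer {f['installer']})")
```

Enterprise devices can narrow the rule further by swapping the single Play Store installer for an allowlist of the organisation's own management apps; a Play Store origin alone does not make an accessibility service benign, but a sideloaded one with accessibility enabled warrants removal and a review of the banking sessions since its install time.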
