Chinese Threat Actor GoldFactory Unveils Sophisticated Banking Trojans, Including iOS Malware GoldPickaxe, Targeting Asian Financial Institutions
Plus, Russian Threat Actor Turla Deploys TinyTurla-NG Backdoor in Campaign Targeting Polish NGOs
GoldFactory's Advanced Malware Campaigns Employ Social Engineering Tactics to Infiltrate Android and iOS Devices, Evading Traditional Security Measures
A Chinese-speaking threat actor tracked as GoldFactory has been identified as the developer of a family of sophisticated mobile banking trojans, including a previously undocumented iOS malware named GoldPickaxe that harvests identity documents, facial data and other sensitive personal information. Active since at least mid-2023, GoldFactory also developed the Android trojan GoldDigger and its variants, targeting users in the Asia-Pacific region, particularly Thailand and Vietnam.
GoldPickaxe is distributed through social engineering campaigns that combine smishing and phishing messages with fake URLs leading to the malware. Notably, the iOS variant was first pushed through Apple's TestFlight beta-distribution platform and later through booby-trapped URLs that persuade the victim to install a mobile device management (MDM) profile, which hands the operator extensive control over the device without a jailbreak or App Store review.
GoldPickaxe is also built to defeat the facial-recognition check that banks in the region require to confirm larger transactions. The malware prompts the victim to record a video of their face, and the captured footage is later used with face-swapping AI services to create deepfake videos that can pass that check.
Both Android and iOS variants of GoldPickaxe are designed to intercept SMS messages, collect identity documents and photos, and proxy traffic through compromised devices. The Android version, an evolutionary successor of GoldDiggerPlus, targets over 20 applications from various sectors to steal login credentials.
GoldDigger, first observed in June 2023, targets Vietnamese financial applications and abuses Android's accessibility services to extract credentials. It has spawned upgraded variants such as GoldDiggerPlus, which bundles a second trojan component named GoldKefu. GoldKefu impersonates a popular Vietnamese messaging app and tricks victims into entering banking credentials through fake alerts and login overlays.
The emergence of GoldFactory's mobile banking malware shows how social engineering is now used to deliver malware that circumvents traditional controls, including a biometric step that banks had adopted precisely to defeat credential theft. To reduce exposure, users are advised to avoid clicking suspicious links or installing apps from untrusted sources, to review app permissions regularly, and on iOS to check Settings > General > VPN & Device Management for MDM profiles or enterprise apps they did not knowingly install.
GoldFactory's operations reflect a high level of sophistication and operational maturity, with separate development and operator groups dedicated to specific regions. The group continuously enhances its toolset to adapt to targeted environments, posing significant challenges for cybersecurity defenses.
Turla Expands Arsenal with TinyTurla-NG, Utilizes Compromised WordPress Sites for Command-and-Control in Latest Campaign
The Russian-linked threat actor Turla has been identified deploying a new backdoor, TinyTurla-NG, in a campaign that ran for roughly three months and targeted Polish non-governmental organizations (NGOs). Cisco Talos, in a recent technical report, described TinyTurla-NG as a "last chance" backdoor, deployed when every other unauthorized access mechanism on the victim network has failed or been detected.
The backdoor shares similarities with TinyTurla, a previously documented implant that Turla has used since at least 2020 in intrusions against entities in the U.S., Germany and Afghanistan. Turla, also known as Iron Hunter and Venomous Bear, is associated with the Russian Federal Security Service (FSB).
In addition to targeting Polish NGOs, Turla has recently focused on the defense sector in Ukraine and Eastern Europe, deploying a new .NET-based backdoor named DeliveryCheck, and upgrading its Kazuar implant, utilized since 2017.
The TinyTurla-NG campaign ran from December 18, 2023 until January 27, 2024, although compilation timestamps on the malware suggest activity may have begun as early as November 2023. The initial access vector is not yet known. For command-and-control (C2), the operators use compromised WordPress-based websites as endpoints; through them they can execute commands via PowerShell or cmd.exe and upload or download files. Because the C2 hosts are legitimate sites that have been compromised rather than attacker-registered domains, domain-reputation blocking is of limited use, and defenders are better served by looking for endpoints that post to such sites on a regular schedule.
TinyTurla-NG also acts as a conduit for PowerShell scripts tracked as TurlaPower-NG, which are designed to exfiltrate the key material used to secure the databases of popular password management software.
In a related development, Microsoft and OpenAI disclosed that Russian nation-state actors, including the GRU-linked group Microsoft tracks as Forest Blizzard, have been experimenting with generative AI tools such as large language models to research satellite communication protocols and radar imaging technologies and to get help with scripting tasks. Both companies characterized this as early-stage, incremental use rather than a new capability, and said the associated accounts were disabled.
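The C2 pattern described above, compromised WordPress sites answering regularly spaced POST requests from an implant, is detectable from proxy logs even when the host has a clean reputation. The following detector is an added example written for this page; it is not code from Cisco Talos or from the TinyTurla-NG samples. The log format, the client and host names, the five-minute beacon interval and the jitter threshold are all constructed assumptions, not indicators from the report.

```python
"""
Beaconing detector for outbound proxy logs.

Flags (client, host) pairs where a client repeatedly POSTs to WordPress
paths at regular intervals, the shape a compromised WordPress C2 produces.
Added example; log lines and thresholds are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Paths that exist on every stock WordPress install. A compromised site
# reused as a C2 endpoint still serves its panel from under these paths.
WP_PATH = re.compile(r"^/(wp-content|wp-includes|wp-admin|wp-json)/", re.I)

# Assumed proxy log format: "<ISO timestamp> <client> <method> <url> <status> <bytes>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>/\S*)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# Constructed sample: 10.0.0.5 beacons every ~300 s (an implant); 10.0.0.7 is
# a person editing a blog with irregular POSTs. Host names are placeholders.
SAMPLE_LOG = [
    "2024-01-10T09:00:00 10.0.0.5 POST http://blog.example.test/wp-includes/js/jquery.php 200 312",
    "2024-01-10T09:01:10 10.0.0.5 GET  http://cdn.example.test/site.css 200 9000",
    "2024-01-10T09:05:02 10.0.0.5 POST http://blog.example.test/wp-includes/js/jquery.php 200 298",
    "2024-01-10T09:09:58 10.0.0.5 POST http://blog.example.test/wp-includes/js/jquery.php 200 305",
    "2024-01-10T09:15:01 10.0.0.5 POST http://blog.example.test/wp-includes/js/jquery.php 200 301",
    "2024-01-10T09:20:00 10.0.0.5 POST http://blog.example.test/wp-includes/js/jquery.php 200 299",
    "2024-01-10T09:00:00 10.0.0.7 POST http://news.example.test/wp-admin/post.php 200 1200",
    "2024-01-10T09:00:40 10.0.0.7 POST http://news.example.test/wp-admin/post.php 200 1180",
    "2024-01-10T09:12:10 10.0.0.7 POST http://news.example.test/wp-admin/admin-ajax.php 200 77",
    "2024-01-10T09:13:00 10.0.0.7 POST http://news.example.test/wp-admin/post.php 200 1210",
    "this line is not a log record and must be skipped",
]


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_beacons(lines, min_hits=4, max_jitter=0.25):
    """
    Group POSTs to WordPress paths by (client, host) and flag groups whose
    inter-request gaps are regular: population stdev / mean <= max_jitter.
    Only the timing and the path shape are used, so a clean host
    reputation does not hide the beacon.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and WP_PATH.search(rec["path"]):
            groups[(rec["client"], rec["host"])].append(rec["ts"])

    findings = []
    for (client, host), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(stamps),
                "mean_interval_s": round(mean, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"beacon: {f['client']} -> {f['host']} "
              f"({f['hits']} hits, every ~{f['mean_interval_s']}s, jitter {f['jitter']})")
```

The human editor on 10.0.0.7 makes the same number of POSTs but with gaps of 40, 690 and 50 seconds, so its jitter is far above the threshold and it is not reported; the implant on 10.0.0.5 lands at a jitter under 0.01. In production, feed this from the proxy's real log format, raise `min_hits` as the observation window grows, and treat a hit as a lead for host triage rather than a verdict, since some legitimate plugins also poll on a timer.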
Jobs/Internships:
Prodigy Education - Senior Data Scientist - Greater Toronto Area, Ontario · Hybrid
EasyPost - Staff Automation Engineer - Fully Remote
Expedition Technology - Senior Software Engineer - Full Stack - Herndon, Virginia, United States · On-site
Coinbase - Summer 2024 - Software Engineer Intern - Fully Remote
Chime - Software Engineer Intern, Savings - San Francisco, CA · Hybrid
Neuralink - Software Engineer Intern, Implant Team - Fremont, California, United States · On-site