Deepfake Threat: GoldFactory Releases Advanced Banking Trojans

admin · February 19, 2024, 11:55:17 · 24 views · 7,685 characters · 25 min 37 s read

A threat actor codenamed GoldFactory has been attributed to the development of highly sophisticated banking trojans, including a previously undocumented iOS malware called GoldPickaxe that's capable of harvesting identity documents, facial recognition data, and intercepting SMS.

"The GoldPickaxe family is available for both iOS and Android platforms," Singapore-headquartered Group-IB said in an extensive report shared with The Hacker News. "GoldFactory is believed to be a well-organized cybercrime group with close connections to Gigabud."

Active since at least mid-2023, GoldFactory is also responsible for another Android-based banking malware called GoldDigger and its enhanced variant GoldDiggerPlus as well as GoldKefu, an embedded trojan inside GoldDiggerPlus.

Social engineering campaigns distributing the malware have been found to target the Asia-Pacific region, specifically Thailand and Vietnam, by masquerading as local banks and government organizations.

In these attacks, prospective victims are sent smishing and phishing messages and guided to switch the conversation to instant messaging apps like LINE, before sending bogus URLs that lead to the deployment of GoldPickaxe on the devices.

Some of these malicious apps targeting Android are hosted on counterfeit websites resembling Google Play Store pages or fake corporate websites to complete the installation process.

GoldPickaxe for iOS, however, employs a different distribution scheme, with successive iterations leveraging Apple's TestFlight platform and booby-trapped URLs that prompt users to download a Mobile Device Management (MDM) profile to grant complete control over the iOS devices and install the rogue app.

Both these propagation mechanisms were disclosed by the Thailand Banking Sector CERT (TB-CERT) and the Cyber Crime Investigation Bureau (CCIB), respectively, in November 2023.

The sophistication of GoldPickaxe is also evident in the fact that it's designed to get around security measures imposed by Thailand that require users to confirm larger transactions using facial recognition to prevent fraud.

"GoldPickaxe prompts the victim to record a video as a confirmation method in the fake application," security researchers Andrey Polovinkin and Sharmine Low said. "The recorded video is then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services."

Furthermore, the Android and iOS flavors of the malware are equipped to collect the victim's ID documents and photos, intercept incoming SMS messages, and proxy traffic through the compromised device. It's suspected that the GoldFactory actors use their own devices to sign in to the bank application and perform unauthorized fund transfers.

That said, the iOS variant exhibits fewer functionalities when compared to its Android counterpart owing to the closed nature of the iOS operating system and the relatively stricter nature of iOS permissions.

The Android version – considered an evolutionary successor of GoldDiggerPlus – also poses as over 20 different applications from Thailand's government, the financial sector, and utility companies to steal login credentials from these services. However, it's currently not clear what the threat actors do with this information.

Another notable aspect of the malware is its abuse of Android's accessibility services to log keystrokes and extract on-screen content.

GoldDigger also shares code-level similarities to GoldPickaxe, although it is chiefly designed to steal banking credentials, while the latter is geared more towards gathering of personal information from victims. No GoldDigger artifacts aimed at iOS devices have been identified to date.

"The primary feature of GoldDigger is that it targets over 50 applications from Vietnamese financial companies, including their packages' names in the trojan," the researchers said. "Whenever the targeted applications open, it will save the text displayed or written on the UI, including passwords, when they are entered."

The base version of GoldDigger, which was first discovered in June 2023 and is still in circulation, has since paved the way for more upgraded variants, including GoldDiggerPlus, which comes embedded with another trojan APK component dubbed GoldKefu, to unleash the malicious actions.

GoldDiggerPlus is said to have emerged in September 2023, with GoldKefu impersonating a popular Vietnamese messaging app to siphon banking credentials associated with 10 financial institutions.

The Android trojan, which is used in conjunction with GoldKefu, uses fake overlays to collect the login information if the most recently opened application belongs to the target list, unlike GoldDigger which relies mainly on Android's accessibility services.

GoldKefu also integrates with the Agora Software Development Kit (SDK) to facilitate interactive voice and video calls and trick victims into contacting a bogus bank customer service by sending fake alerts that induce a false sense of urgency by claiming that a fund transfer to the tune of 3 million Thai Baht has taken place on their accounts.

If anything, the development is a sign that the mobile malware landscape remains a lucrative market for cybercriminals looking for quick financial gain, even as they find ways to circumvent defensive measures erected by banks to counter such threats. It also demonstrates the ever-shifting and dynamic nature of social engineering schemes that aim to deliver malware to victims' devices.

To mitigate the risks posed by GoldFactory and its suite of mobile banking malware, it's strongly advised not to click on suspicious links or install any app from untrusted sites, as they are a common vector for malware, and to periodically review the permissions given to apps, particularly those requesting Android's accessibility services.


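The accessibility-service review recommended above can be scripted for a handset connected over ADB. This is an added example, not code from the article or from Group-IB; the package names, the sample command outputs and the allowlist are constructed for illustration.

```python
"""Audit which Android apps hold the accessibility-service privilege.

GoldDigger and GoldPickaxe abuse Android's accessibility services to log
keystrokes and read on-screen text, so a defender's first triage step on a
suspect handset is to list every enabled accessibility service and flag the
ones that belong to sideloaded (third-party) packages. The two inputs are the
outputs of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
Both sample strings below are constructed; the package names are hypothetical.
"""

# Constructed sample: colon-separated flattened ComponentNames (package/class).
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakebank/.AccessService:"
    "com.example.keyboard/com.example.keyboard.A11yService"
)
# Constructed sample: one "package:<name>" line per third-party (sideloaded) app.
THIRD_PARTY = "package:com.example.fakebank\npackage:com.example.keyboard\npackage:com.example.photos\n"
# Third-party services the device owner knowingly enabled (hypothetical).
ALLOWLIST = frozenset({"com.example.keyboard"})


def parse_enabled_services(raw):
    """Split the setting value into (package, class) pairs; 'null' means none."""
    services = []
    for entry in raw.strip().split(":"):
        if "/" not in entry:            # covers empty entries and the literal "null"
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):         # shorthand: class name relative to package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_third_party(raw):
    """Collect package names from `pm list packages -3` output."""
    return {line.split(":", 1)[1].strip() for line in raw.splitlines() if line.startswith("package:")}


def audit(enabled_raw, third_party_raw, allowlist=frozenset()):
    """Return enabled accessibility services owned by non-allowlisted third-party apps."""
    third_party = parse_third_party(third_party_raw)
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(enabled_raw)
            if pkg in third_party and pkg not in allowlist]


if __name__ == "__main__":
    for hit in audit(ENABLED_SERVICES, THIRD_PARTY, ALLOWLIST):
        print("review this accessibility service:", hit)
```

System apps such as the TalkBack screen reader are not reported because they are absent from the `-3` (third-party) package listing; a flagged entry is a candidate for removal, not proof of compromise.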
"GoldFactory is a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection," the researchers said. "The team comprises separate development and operator groups dedicated to specific regions."

"The gang has well-defined processes and operational maturity and constantly enhances its toolset to align with the targeted environment showcasing a high proficiency in malware development."

Originally published on the WeChat public account 知机安全: 深度伪造威胁:GoldFactory发布先进的银行木马 (Deepfake Threat: GoldFactory Releases Advanced Banking Trojans)

Posted by admin on February 19, 2024, 11:55:17. Reposts should keep this article's link (CN-SEC中文网: thanks to the original author for their hard work): https://cn-sec.com/archives/2504897.html