
GoldFamily
Type of Malware
Remote Access Trojan
Country of Origin
China
Date of initial activity
February 2024
Targeted Countries
Thailand and Vietnam
Associated Groups
GoldFactory
Motivation
Data theft
Type of information Stolen
Biometrics (facial recognition data) and banking credentials
Attack Vectors
The threat actors behind GoldFamily leverage social engineering tactics to lure victims into scanning their faces. They then convince the victims to provide highly confidential identification documents. The targeted victims are phished via email, SMS smishing, or messages on platforms such as the LINE app. The messages seem to be well-written and convincingly impersonate government services and authorities.
Targeted System
iOS
Overview
Cybersecurity researchers at InfoBlox recently discovered GoldFamily, an advanced version of the GoldDigger trojan, targeting iOS devices to steal facial recognition data and bank access credentials using AI for biometric authentication attacks. The use of AI by GoldFamily makes it particularly dangerous, as it can successfully attack authentication processes, including certain types of biometrics that were previously considered secure. GoldFamily includes a variant of the Android trojan called GoldDigger, which was initially discovered in October 2023.
Targets
iPhone and iPad users who are customers of financial institutions.
How they operate
GoldFamily has been designed to target both Android (GoldDigger) and iOS users. Android victims are manipulated into directly installing the malicious app, while iOS users are directed to install a disguised Mobile Device Management (MDM) profile. MDM allows remote device configuration, enabling threat actors to install malicious applications. For iOS (iPhone) users, the threat actors direct them to a TestFlight URL to install the malicious app.

Once installed, GoldFamily captures facial data, intercepts incoming SMS messages, requests and captures images of ID cards and other sensitive authentication data, and acts as a network traffic proxy using a tool called MicroSocks.

On iOS devices, the malware uses a WebSocket channel to communicate with the command and control (C2) server. The available commands include a heartbeat function to ping the C2 server, an init function to send device information to the C2, a face photo request to the victim, a false "device in use" message to prevent interruptions, an album command to sync the photo library data and exfiltrate it to a cloud bucket, and finally a destroy command to stop the trojan.

Once the GoldFamily threat actors have the facial scans, they use artificial intelligence to perform face swaps. The resulting modified images are deepfakes. These deepfake images, combined with intercepted SMS messages, are then used to gain access to victims' bank accounts.
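The C2 command set described above lends itself to a simple behavioural detector. The following is an added example, not code from the InfoBlox report or from CyberMaterial: it walks constructed WebSocket-frame log records, groups them by session, and rates each session by whether the command pattern matches the harvest-then-exfiltrate sequence (init, face photo request, album sync). The command strings, the JSON log format, the bucket name and the sample records are all assumptions made for this example; the report names the functions but not their wire format.

```python
"""Added example (not from the InfoBlox report or CyberMaterial): rate
WebSocket sessions by how closely their command pattern matches the
GoldFamily iOS C2 behaviour (heartbeat, init, face photo request,
"device in use" decoy, album sync to a cloud bucket, destroy)."""

import json
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical command vocabulary: the report names these functions but not
# the on-the-wire strings, so these names are assumptions.
C2_COMMANDS = {"heartbeat", "init", "face_photo", "device_in_use", "album", "destroy"}

# Seen in this order within one session, these indicate biometric harvesting
# followed by photo-library exfiltration rather than a benign keepalive.
HIGH_RISK_SEQUENCE = ("init", "face_photo", "album")

# Constructed sample log: one JSON object per WebSocket frame, plus one
# malformed line to show the parser tolerating it.
SAMPLE_LOG = """
{"session":"s1","dir":"out","cmd":"init","data":{"model":"iPhone","os":"17.2"}}
{"session":"s1","dir":"out","cmd":"heartbeat"}
{"session":"s1","dir":"in","cmd":"face_photo"}
{"session":"s1","dir":"in","cmd":"device_in_use"}
{"session":"s1","dir":"in","cmd":"album","data":{"bucket":"example-bucket"}}
{"session":"s1","dir":"out","cmd":"heartbeat"}
{"session":"s2","dir":"out","cmd":"heartbeat"}
{"session":"s2","dir":"out","cmd":"heartbeat"}
{"session":"s3","dir":"out","cmd":"init"}
{"session":"s3","dir":"in","cmd":"destroy"}
not json at all
"""


@dataclass
class Session:
    commands: list = field(default_factory=list)   # commands in arrival order
    exfil_targets: set = field(default_factory=set)  # buckets named by "album"


def parse_frames(log_text):
    """Group frames by session id, keeping only known C2 commands."""
    sessions = defaultdict(Session)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the scan
        cmd = rec.get("cmd")
        if cmd not in C2_COMMANDS:
            continue
        session = sessions[rec.get("session", "?")]
        session.commands.append(cmd)
        if cmd == "album":
            bucket = (rec.get("data") or {}).get("bucket")
            if bucket:
                session.exfil_targets.add(bucket)
    return sessions


def contains_in_order(seq, pattern):
    """True if every element of pattern appears in seq in that order
    (other commands may be interleaved)."""
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)


def assess(sessions):
    """Map session id to a risk level: high, medium or low."""
    verdicts = {}
    for sid, session in sessions.items():
        seen = set(session.commands)
        if contains_in_order(session.commands, HIGH_RISK_SEQUENCE):
            verdicts[sid] = "high"
        elif seen & {"face_photo", "album", "device_in_use", "destroy"}:
            verdicts[sid] = "medium"   # suspicious command, but no full chain
        elif seen <= {"heartbeat", "init"}:
            verdicts[sid] = "low"      # keepalive / enrolment only
    return verdicts


def detect(log_text):
    return assess(parse_frames(log_text))


if __name__ == "__main__":
    for sid, level in sorted(detect(SAMPLE_LOG).items()):
        print(sid, level)
```

Ordering matters here: a heartbeat-only session is exactly what many legitimate apps produce, so the detector only escalates to "high" when the device-enrolment, face-capture and photo-library-sync commands occur in sequence, and it records the exfiltration bucket so an analyst can pivot on it.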
The post GoldFamily (Remote Access Trojan) – Malware first appeared on CyberMaterial.