Feb 19 2024

First Ever IOS Trojan Steals Facial Recognition Data

Category: Trojandisc7 @ 9:53 am

A novel, very sophisticated mobile Trojan dubbed GoldPickaxe.iOS that targets iOS users exclusively was discovered to collect facial recognition data, intercept SMS, and gather identity documents.

The Asia-Pacific region includes the majority of those impacted by this harmful activity. On the other hand, two APAC countries that deserve particular consideration are Vietnam and Thailand.

The GoldPickaxe family, which comes in iOS and Android variants, is based on the GoldDigger Android Trojan (discovered in October 2023) and receives frequent modifications to improve its functionality and avoid detection. 

“To exploit the stolen biometric data from iOS and Android users, the threat actor creates deepfakes using AI face-swapping services to replace their faces with those of the victims. This method could be used by cybercriminals to gain unauthorized access to victims’ bank accounts”, Group-IB researchers shared with Cyber Security News.

Timeline Of GoldFactory’s Trojans

Group-IB has linked the entire threat cluster to a single threat actor known as GoldFactory, which has created an advanced collection of mobile banking malware.

Timeline of GoldFactory’s Trojans
Timeline of GoldFactory’s Trojans

The traditional Android banking Trojan GoldDigger exploits Accessibility Service to provide hackers access to the device. Another Android malware that increases GoldDigger’s capability is called GoldDiggerPlus. 

GoldDiggerPlus features an embedded Trojan called GoldKefu, which contains web fakes and allows real-time voice conversations with victims. A Trojan called GoldPickaxe was created for the iOS and Android operating systems used to obtain and exfiltrate biometric data and personal information from victims.

GoldPickaxe.IOS Employs A Notable Distribution Scheme

Thai financial institutions extensively utilize facial recognition for login authentication and transaction verification. Because of this, GoldPickaxe’s facial recognition video capture and unique features give attackers the chance to access bank accounts without authorization.

GoldPickaxe Trojans extract money from victims’ devices
GoldPickaxe Trojans extract money from victims’ devices

Hackers are using their own Android smartphones to install banking apps, and they are exploiting the captured face scans to get over facial recognition security measures and gain unauthorized access to victims’ accounts.

Screenshots displaying how GoldPickaxe for Android captures a facial biometric profile
Screenshots displaying how GoldPickaxe for Android captures a facial biometric profile

Cybercriminals pose as government officials in Thailand and convince victims to utilize LINE, one of the nation’s most widely used chat services. The LINE user needs to add another as a friend to initiate a chat.

 â€œMalicious links are distributed through messengers to encourage the installation of the app. Victims are then lured into a fraudulent application posing as a ‘Digital Pension’ app, purportedly enabling them to receive their pension digitally”, according to Thailand Banking Sector CERT (TB-CERT).

Researchers noticed in one instance the CryptoRAM campaigns, in which fraudsters disseminated fake cryptocurrency applications by using Apple’s TestFlight platform. 

Another technique is manipulating Apple devices using Mobile Device Management (MDM). MDM is an all-inclusive and centralized approach to controlling and safeguarding mobile devices inside an organization, including tablets and smartphones.

Thus, a proactive and comprehensive strategy for cybersecurity must include user education and integrated current security techniques to proactively identify the introduction of new Trojans and alert end users.

Our Biometric Future: Facial Recognition Technology and the Culture of Surveillance (Critical Cultural Communication

Viruses, Hardware and Software Trojans: Attacks and Countermeasures

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Facial Recognition Data


Jul 30 2021

Android Banking Trojan Vultur uses screen recording for credentials stealing

Category: TrojanDISC @ 11:15 pm

Experts spotted a new strain of Android banking Trojan dubbed Vultur that uses screen recording and keylogging for the capturing of login credentials.

ThreatFabric researchers discovered a new Android banking Trojan, tracked as Vultur, that uses screen recording and keylogging to capture login credentials.

Vultur was first spotted in late March 2021, it gains full visibility on victims’ devices via VNC (Virtual Network Computing) implementation taken from AlphaVNC.

“For the first time we are seeing an Android banking trojan that has screen recording and keylogging as main strategy to harvest login credentials in an automated and scalable way. The actors chose to steer away from the common HTML overlay strategy we usually see in other Android banking Trojans: this approach usually requires more time and effort from the actors in order to steal relevant information from the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.” reads the analysis published by ThreatFabric.

Most of the apps targeted by Vultur belong to banks in Italy, Australia and Spain, experts discovered a link with a popular dropper framework called Brunhilda.

Viruses, Hardware and Software Trojans: Attacks and Countermeasures

Tags: Banking Trojan, credentials stealing


Jun 14 2021

SEO poisoning campaign aims at delivering RAT, Microsoft warns

Category: TrojanDISC @ 1:04 pm

Microsoft spotted a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT) used by threat actors to steal sensitive data.

Microsoft is monitoring a wave of cyber attacks that leverages SEO poisoning to deliver a remote access trojan (RAT) to steal sensitive data from the infected systems

The IT giant revealed that the SEO poisoning technique is effective, its Microsoft Defender Antivirus has thousands of PDF documents delivered as part of the ongoing campaign.

Upon opening the PDF files, users are prompted to download a .doc file or a .pdf version of their desired info. Once clicked the links, users will be redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. The sites appear as a clone of Google Drive web pages used to serve the SolarMaker malware.

Microsoft experts noticed that the PDF files are hosted on Amazon Web Services and Strikingly primarily.

RATS! How Hackers Take Over Your Computer: An Introduction to Remote Access Trojans by [James Wilson]

Tags: remote access trojan (RAT)


May 20 2021

Bizarro Banking Trojan

Category: TrojanDISC @ 9:33 am


May 06 2021

A taste of the latest release of QakBot

Category: TrojanDISC @ 7:59 am

one of the most popular and mediatic trojan bankers active since 2007.

The malware QakBot, also known as Qbot, Pinkslipbot, and Quakbot is a banking trojan that has been made headlines since 2007. This piece of malware is focused on stealing banking credentials and victim’s secrets using different techniques tactics and procedures (TTP) which have evolved over the years, including its delivery mechanisms, C2 techniques, and anti-analysis and reversing features.

Emotet is known as the most popular threat distributing QakBot in the wild, nonetheless, Emotet has been taken down recently, and QakBot operators are using specially target campaigns to disseminate this threat around the globe.


Apr 13 2021

Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again)

Category: Malware,TrojanDISC @ 4:08 pm

What’s the craic? Aunty Beeb’s anonymous scribblers sit back and wonder why—“Iran says key Natanz nuclear facility hit by sabotage”:

 The country’s top nuclear official 
 Ali Akbar Salehi, did not say who was to blame for the “terrorist act”, which caused a power failure 
 a day after it unveiled new uranium enrichment equipment. 
 Israeli public media, however, cited intelligence sources who said it was the result of an Israeli cyber-attack.


On Saturday, Iran’s President Hassan Rouhani inaugurated new centrifuges at the Natanz site in a ceremony that was broadcast live. 
 It represented another breach of the country’s undertakings in the 2015 deal, which only permits Iran to produce and store limited quantities of enriched uranium. [The] deal, known as the Joint Comprehensive Plan of Action (JCPOA), has been in intensive care since Donald Trump pulled the US out of it.


Later state TV read out a statement by 
 Atomic Energy Organisation of Iran (AEOI) 
 head Ali Akbar Salehi, in which he described the incident as “sabotage” and “nuclear terrorism.” 
 Last July, sabotage was blamed for a fire at the Natanz site which hit a central centrifuge assembly workshop.

Thorn in my side? Ronen Bergman, Rick Gladstone, Farnaz Fassihi, David E. Sanger, Eric Schmitt, Lara Jakes, Gerry Mullany and Patrick Kingsley tag-team thuswise—“Blackout Hits Iran Nuclear Site in What Appears to Be Israeli Sabotage”:

 [The] power failure 
 appeared to have been caused by a deliberately planned explosion. 
 American and Israeli intelligence officials said there had been an Israeli role. Two intelligence officials briefed on the damage said it had been caused by a large explosion that completely destroyed the 
 power system that supplies the underground centrifuges.


The officials, who spoke on the condition of anonymity to describe a classified Israeli operation, said that the explosion had dealt a severe blow to Iran’s ability to enrich uranium and that it could take at least nine months to [recover]. Some Iranian experts dismissed initial speculation that a cyberattack could have caused the power loss.


The United States and Israel have a history of covert collaboration, dating to the administration of President George W. Bush, to disrupt Iran’s nuclear program. The best-known operation under this collaboration 
 was a cyberattack disclosed during the Obama administration that disabled nearly 1,000 centrifuges at Natanz.

Source: Son of Stuxnet? Iran Nuke Site Hacked ‘by Israel’ (Again)

Tags: Stuxnet


Mar 07 2021

Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules

Category: App Security,TrojanDISC @ 6:44 pm

If you’ve ever used the Python programming language, or installed software written in Python, you’ve probably used PyPI, even if you didn’t realize it at the time.

PyPI is short for the Python Package Index, and it currently contains just under 300,000 open source add-on modules (290,614 of them when we checked [2021-03-07T00:10Z]).

You can download and install any of these modules automatically just by issuing a command such as pip install [nameofpackage], or by letting a software installer fetch the missing components for you.

Crooks sometimes Trojanise the repository of a legitimate project, typically by guessing or cracking the password of a package owner’s account, or by helpfully but dishonestly offering to “assist” with a project that the original owner no longer has time to look after.

Once the fake version is uploaded to the genuine repository, users of the now-hacked package automatically get infected as soon as they update to the new version, which works just as it did before, except that it includes hidden malware for the crooks to exploit.

Another trick involves creating Trojanised public versions of private packages that the attacker knows are used internally by a software company.

more on: Poison packages

Tags: Poison packages, Python


Jun 03 2020

RATs 101: The Grimy Trojans That Scurry Through Remote Access Pipes

Category: TrojanDISC @ 2:09 pm

Remote Access Trojans (RATs) can be the beginning of very bad things on your network or workstations.

Source: RATs 101: The Grimy Trojans That Scurry Through Remote Access Pipes

Remote access trojans (RATs) may not induce the same sort of nightmares as angry cannibal rats, but they can still be terror-inducing if they hit your network and workstations. Because there’s nothing like turning control of your resources over to someone you don’t know to make the job of IT security completely rat-tastic.



How easy is it to RAT Someone?
httpv://www.youtube.com/watch?v=t4CRx-aoynU



Download a Security Risk Assessment steps paper!

Subscribe to DISC InfoSec blog by Email





Jun 19 2019

Hackers Disguise New JavaScript-Based Trojan as Game Cheat

Category: TrojanDISC @ 10:06 am

Researchers discovered a new JavaScript-based and modular downloader Trojan camouflaged and distributed to targets in the form of game cheats via websites owned by its developers.

Source: Hackers Disguise New JavaScript-Based Trojan as Game Cheat

Worst JavaScript Flaws That Hackers Love To Abuse