GoldFactory gang steals biometric data, drains bank accounts


A Chinese-backed threat group is stealing biometric data from bank clients so it can mimic them and illegally access their bank accounts. Group-IB, which unveiled the research, claims that it’s the first attack of this kind to use deepfakes.

The cybersecurity analyst describes GoldPickaxe, believed to be an offshoot of Chinese-speaking threat group GoldFactory, as “a previously unknown iOS trojan capable of collecting identity documents, facial recognition data, and intercepting SMS.”


Fresh research released today (February 15th) also describes GoldPickaxe as “the first iOS Trojan harvesting facial recognition data used for unauthorized access to bank accounts,” and places it within the GoldDigger family of tools deployed by GoldFactory.

The GoldDigger arsenal was first spotted by Group-IB in October 2023, when the analyst observed it being deployed against some 50 finance targets in Vietnam.

Since this discovery, Group-IB’s threat intelligence unit says it “has been constantly monitoring this evolving threat and unearthed an entire cluster of aggressive banking Trojans actively targeting the Asia-Pacific (APAC) region.”

GoldPickaxe is predominantly being used against iOS users in Vietnam and Thailand, but Group-IB believes it has also been adapted to go after Android targets.

“The GoldPickaxe family, which includes versions for iOS and Android, is based on the GoldDigger Android Trojan and features regular updates designed to enhance their capabilities and evade detection,” said Group-IB. “Its Android sibling has the same functionality but also exhibits other functionalities typical of Android Trojans.”

GoldPickaxe uses AI face-swapping techniques to create deepfakes from the stolen biometric data.

“This data, combined with ID documents and the ability to intercept SMS, enables cybercriminals to gain unauthorized access to the victim’s banking account – a new technique of monetary theft, previously unseen by Group-IB researchers in other fraud schemes,” the analyst claimed.

While Southeast Asian nations Thailand and Vietnam are for now the main focus of the Gold ‘franchise’ of cyberattacks, Group-IB believes the net could easily be cast more widely across the APAC region.


“While the current evidence points to a particular focus on two countries, there are emerging signs that GoldFactory’s geography of operations may be extended,” it said.

Group-IB did not name which banking brands had been impersonated during the attacks in its threat intelligence report but said it had notified all the institutions affected.

NB: This article was amended on the day of its original publication to correct the headline, which previously referred inaccurately to the GoldPickaxe gang rather than the GoldFactory gang, as is actually the case.