ESET Threat Report H1 2024


The past six months have seen a dynamic landscape of financial threats to Android: malware that steals funds from victims’ mobile banking, whether in the form of “traditional” banking malware or, more recently, cryptocurrency thieves.

A curious development on this scene is GoldPickaxe, a new mobile malware capable of stealing facial recognition data to create deepfake videos, which are used by malware operators to authenticate fraudulent financial transactions. Armed with Android and iOS versions, this threat has targeted victims in Southeast Asia via localized malicious apps. As ESET researchers dug deeper into this malware family, they discovered that a bigger brother of GoldPickaxe for Android, called GoldDiggerPlus, has also made its way into Latin America and South Africa by actively attacking victims in these regions.

Adapting to modern times, information-stealing malware masquerading as generative AI tools can now also be found. In the first half of 2024, Rilide Stealer was detected misusing the names of generative AI assistants, such as OpenAI’s Sora and Google’s Gemini, to lure potential victims. In another malicious campaign, the Vidar information stealer was seen lurking behind a supposed Windows desktop app for the AI image generator Midjourney, despite the fact that Midjourney’s AI model can only be accessed via Discord. Since 2023, we have seen more and more cybercriminals abusing AI, a trend that is expected to continue.

Unfortunately, gaming enthusiasts who venture outside of official ecosystems might find that information-stealing threats have also found a way to spoil their favorite pastime: some cracked video games and cheat tools used in online multiplayer games were recently found to contain information-stealing malware such as Lumma Stealer and RedLine Stealer.

RedLine Stealer experienced several detection spikes in H1 2024, caused by one-off campaigns in Spain, Japan, and Germany. Although this Infostealer-as-a-Service was discontinued in 2023 and appears to be no longer in active development, its recent waves were so significant that RedLine Stealer detections in H1 2024 exceeded those in H2 2023 by a third.

Balada Injector, a gang known for exploiting WordPress plugin vulnerabilities, compromised over 20,000 websites in the first half of 2024 and racked up over 400,000 detections in ESET telemetry for the variants used in the gang’s recent campaign.

On the ransomware scene, former leader LockBit was taken down by Operation Cronos, a global disruption carried out by law enforcement in February 2024. Although ESET telemetry recorded two notable LockBit campaigns in the first half of 2024, these were found to be the result of non-LockBit gangs using the leaked LockBit builder.

The Ebury botnet, previously examined in ESET’s 2014 white paper Operation Windigo, remains dangerous even ten years later: recent research by ESET researchers found that this threat has compromised nearly 400,000 servers since 2009. While Ebury’s toolset was already substantial at the time of the original research, these latest findings revealed expanded functionalities of the botnet, primarily focusing on monetization methods such as cryptocurrency and credit card theft.

Access the full report here:

Follow ESET Research on Twitter for regular updates on key trends and top threats.

To learn more about how threat intelligence can improve your organization’s cybersecurity posture, visit the threat intelligence page.

