Full Report
Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services. The activity, observed since October 2024, involves distributing modified banking applications that act as a conduit for Android malware, Group-IB said in a technical
Analysis Summary
# Threat Actor: GoldFactory
## Attribution & Identity
* **Identification:** Financially motivated cybercrime group.
* **Known Aliases:** None given in the source beyond the GoldFactory name.
* **Known Associations:** Close connections to the Chinese-speaking cybercrime group associated with the **Gigabud** Android malware (sharing similarities in impersonation targets and landing pages).
## Activity Summary
* **Campaign Period:** Observed activity since October 2024, assessed to be active as far back as June 2023.
* **Recent Campaign:** Staging a fresh round of attacks targeting mobile users by impersonating government services.
* **Scope & Impact:** Identified over 300 unique samples of modified banking applications, leading to almost 2,200 confirmed infections in Indonesia, and over 11,000 total infections across targeted regions. The bulk (63%) of the altered apps catered to the Indonesian market.
* **Historical Activities:** First gained wide attention in early 2024 for custom malware families (GoldPickaxe, GoldDigger, and GoldDiggerPlus) targeting both Android and iOS.
## Tactics, Techniques & Procedures
* **Delivery Mechanism:** Distributing modified banking applications.
* **Social Engineering:** Impersonation of government entities and trusted local brands. Approaching targets over the phone, often citing urgent issues (e.g., overdue electricity bills), and instructing victims to install malware via links sent on messaging apps (like Zalo).
* **Distribution:** Links redirect victims to fake landing pages masquerading as Google Play Store app listings.
* **Payload Deployment:** The trojanized banking app acts as a dropper for a Remote Access Trojan (RAT) such as **Gigabud**, **MMRat**, or **Remo**.
* **Core Functionality:** The malware abuses **Android's accessibility services** to facilitate remote control of the device.
* **Malware Modification:** Injects malicious code into part of the original mobile banking application, so the legitimate functionality keeps working while the app's own security controls are bypassed at runtime.
* **Hooking Frameworks Used:** Utilizes various runtime hooking frameworks:
* **FriHook:** Employs a **Frida** gadget injected into the legitimate app.
* **SkyHook:** Uses the publicly available **Dobby** framework.
* **PineHook:** Utilizes the Java-based hooking framework **Pine**.
* **Malicious Module Capabilities:**
* Bypass screencast detection.
* Hide the list of applications with accessibility services enabled.
* Spoof the signature of an Android application.
* Hide the installation source.
* Implement custom integrity token providers.
* Obtain victim account balances.
* **MITRE ATT&CK IDs:** Not given in the source text. On the Mobile matrix the described behaviour maps to T1660 (Phishing), T1655.001 (Masquerading: Match Legitimate Name or Location), T1516 (Input Injection, via accessibility services), and T1663 (Remote Access Software); the Enterprise IDs T1219 and T1566.002 describe the same tactics but are not Mobile techniques.
## Targeting
* **Sectors:** Mobile banking customers; lures also impersonate the power utility sector (e.g., Vietnam's EVN) to get the malware installed.
* **Geography:** Southeast Asia, specifically **Indonesia**, **Thailand**, and **Vietnam**.
* **Victims:** General mobile users in the targeted regions.
## Tools & Infrastructure
* **Malware Families Used:** GoldPickaxe, GoldDigger, GoldDiggerPlus, Gigabud, MMRat, Remo.
* **Infrastructure:** Fake landing pages masquerading as Google Play Store listings; communication utilized messaging apps like **Zalo**.
* **URLs/IPs:** No specific URLs or IPs were provided/defanged in the context provided.
## Implications
GoldFactory is a financially motivated group that invests in customized tooling: rather than shipping a standalone malicious app, it injects runtime hooking frameworks (Frida gadget, Dobby, Pine) into legitimate banking apps so the app keeps working while its security checks are defeated at runtime. The localized lures (government services, utilities, Zalo) and the use of three RAT families with overlapping functions suggest the operators can swap payloads and pretexts quickly, which points to continued financial losses for banking customers in Southeast Asia.
## Mitigations
* Educate users against installing applications provided via links received through SMS or messaging apps, especially when told to bypass standard app stores.
* Exercise extreme caution regarding unsolicited calls from entities claiming to be government services or utility providers demanding immediate action or payment via links.
* Security teams at banks should monitor for accessibility services enabled by apps that have no accessibility purpose, but should not rely on in-app checks alone: the injected modules hide enabled accessibility services, spoof the app signature, hide the installation source, and implement their own integrity token providers, so verdicts need to be corroborated server-side (backend verification of integrity tokens, device and session telemetry).
* Implement controls to detect and block connections to known malicious infrastructure (once observed).