GoldFamily (Remote Access Trojan) – Malware

GoldFamily
Type of Malware	Remote Access Trojan
Country of Origin	China
Date of initial activity	February 2024
Targeted Countries	Thailand and Vietnam
Associated Groups	GoldFactory
Motivation	Data theft
Type of information Stolen	Biometrics (facial recognition data) and banking credentials
Attack Vectors	The threat actors behind GoldFamily leverage social engineering tactics to lure victims into scanning their faces. They then convince the victims to provide highly confidential identification documents. The targeted victims are phished via email, SMS smishing, or messages on platforms such as the LINE app. The messages seem to be well-written and convincingly impersonate government services and authorities.
Targeted System	iOS

Overview

Cybersecurity researchers at InfoBlox recently discovered GoldFamily, an advanced version of the GoldDigger trojan, targeting iOS devices to steal facial recognition data and bank access credentials using AI for biometric authentication attacks. The use of AI by GoldFamily makes it particularly dangerous, as it can successfully attack authentication processes, including certain types of biometrics that were previously considered secure. GoldFamily includes a variant of the Android trojan called GoldDigger, which was initially discovered in October 2023.

Targets

iPhone and iPad users from finantial institutions.

How they operate

GoldFamily has been designed to target both Android (GoldDigger) and iOS users. Android victims are manipulated into directly installing the malicious app, while iOS users are directed to install a disguised Mobile Device Management (MDM) profile. MDM allows remote device configuration, enabling threat actors to install malicious applications. For iOS (iPhone) users, the threat actors direct them to a TestFlight URL to install the malicious app. Once installed, GoldFamily operates to capture facial data, intercept incoming SMS messages, request and capture images of ID cards and other sensitive authentication data, and act as a network traffic proxy using a tool called MicroSocks. On iOS devices, the malware uses a web socket channel to communicate with the command and control (C2) server. The available communications include a heartbeat function to ping the C2 server, an init function to send device information to the C2, a face photo request to the victim, a false device in use message to prevent interruptions, an album command to sync the photo library data and exfiltrate it to a cloud bucket, and finally, a destroy command to stop the trojan. Once the GoldFamily threat actors have the facial scans, they use artificial intelligence to perform face swaps. The resulting modified images are deep fakes. These deep fake images, combined with intercepted SMS messages, are then used to gain access to victims’ bank accounts.