ESET Threat Report: Infostealers using AI & banking malware creating deepfake videos to steal money

A view of the H1 2024 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts.

By Jiří Kropáč – ESET Director of Threat Detection

These past six months painted a dynamic landscape of Android Financial threats – malware going after victims’ mobile banking funds – be it in the form of “traditional” banking malware or, more recently, cryptostealers.

A curious newcomer on this scene is GoldPickaxe, new mobile malware capable of stealing facial recognition data to create deepfake videos used by the malware’s operators to authenticate fraudulent financial transactions. Armed with both Android and iOS versions, this threat has been targeting victims in Southeast Asia through localized malicious apps. As ESET researchers dug into this malware family, they discovered that an older Android sibling of GoldPickaxe, called GoldDiggerPlus, has also tunneled its way to Latin America and South Africa by actively targeting victims in these regions.

Keeping up with the times, infostealing malware can now be found impersonating generative AI tools as well. In H1 2024, Rilide Stealer was spotted misusing the names of generative AI assistants, such as OpenAI’s Sora and Google’s Gemini, to entice potential victims. In another malicious campaign, the Vidar infostealer was lurking behind a supposed Windows desktop app for AI image generator Midjourney – even though Midjourney’s AI model is only accessible via Discord. Since 2023, we have been increasingly seeing cybercriminals abusing the AI theme – a trend that is expected to continue.

Gaming enthusiasts who venture out from official gaming ecosystems could unfortunately discover that infostealer threats have also found a way to spoil their favorite hobby: some cracked video games and cheating tools used in online multiplayer games were recently found to contain infostealer malware such as Lumma Stealer and RedLine Stealer.

RedLine Stealer saw several detection spikes in H1 2024, caused by one-off campaigns in Spain, Japan, and Germany. Although this “Infostealer-as-a-Service” suffered a disruption in 2023 and appears no longer to be under active development, its recent waves were so significant that RedLine Stealer detections in H1 2024 surpassed those from H2 2023 by a third.

Balada Injector, a gang notorious for exploiting WordPress plugin vulnerabilities, continued to run rampant in the first half of 2024, compromising over 20,000 websites and racking up over 400,000 hits in ESET telemetry for the variants used in the gang’s recent campaign.

On the ransomware scene, former leading player LockBit was knocked off its pedestal by Operation Chronos, a global disruption conducted by law enforcement in February 2024. Although ESET telemetry recorded two notable LockBit campaigns in H1 2024, these were found to be the result of non-LockBit gangs using the leaked LockBit builder.

The Ebury botnet, previously examined in ESET’s 2014 white paper Operation Windigo, remains dangerous even ten years later: recent investigation by ESET researchers uncovered that this threat has compromised nearly 400,000 servers since 2009. Although Ebury’s toolkit was already substantial at the time of the original research, these latest findings revealed expanded functionalities of the botnet, focusing mostly on monetization methods such as cryptocurrency and credit card theft.

LEAVE A REPLY

Please enter your comment!
Please enter your name here