The last six months have seen a dynamic Android financial threat landscape: malware targeting victims’ mobile bank accounts, either in the form of “traditional” banking malware or, more recently, in the form of cryptostealers and deepfake videos.
This is what cybersecurity firm ESET says in its recent Threat Report, which summarizes threat landscape trends seen in ESET telemetry and ESET expert observations, covering the period from December 2023 to May 2024.
More specifically, infostealing malware can now impersonate creative AI tools, and new mobile malware GoldPickaxe is capable of stealing facial recognition data to create deepfake videos used to authenticate fake financial transactions.
Video games and cheat tools used in multiplayer online games have recently been found to contain infostealer malware, such as RedLine Stealer, which was detected in the first half of 2024 by ESET telemetry.
The GoldPickaxe malware, with versions for Android and iOS, has targeted victims in Southeast Asia through localized malware. As ESET researchers studied this malware family, they discovered that an older member of the GoldPickaxe family for Android, called GoldDiggerPlus, has also infiltrated Latin America and South Africa with many victims in those regions.
Infostealers impersonate artificial intelligence tools
In recent months, infostealing malware has also started impersonating artificial intelligence tools. In the first half of 2024, Rilide Stealer was spotted using the names of generative AI assistants, such as OpenAI’s Sora and Google’s Gemini, to lure potential victims. In another malicious campaign, the infostealer Vidar lurked behind a purported Windows desktop app for the Midjourney AI image generator – even though Midjourney’s AI model is only accessible via Discord. Since 2023, ESET Research has observed more and more cybercriminals taking advantage of the popularity of artificial intelligence – a trend that is expected to continue.
Gamers who bypass legitimate and secure distribution channels have also been targeted by infostealers: some cracked video games and cheat tools used in online multiplayer games have recently been found to contain infostealer malware such as Lumma Stealer and RedLine Stealer.
RedLine Stealer was detected several times in the first half of 2024 by ESET telemetry, following campaigns in Spain, Japan and Germany. Its recent surges have been so significant that RedLine Stealer detections in the first half of 2024 exceeded those of the second half of 2023 by a third.
Vulnerabilities in WordPress plugins
Balada Injector, a notorious gang that exploits vulnerabilities in WordPress plugins, continued to run rampant in the first half of 2024, compromising over 20,000 websites and collecting over 400,000 detections from ESET telemetry. In the ransomware space, former top player LockBit was knocked off its pedestal by Operation Chronos, an operation conducted by international law enforcement in February 2024.
Although ESET telemetry recorded two significant LockBit campaigns in the first half of 2024, these were found to be the work not of the LockBit gang itself but of other groups using the leaked LockBit Builder.
The ESET Threat Report includes information about the recently published investigation into the infamous Ebury group, its malware and botnet. Over the years, Ebury has been deployed as a backdoor to compromise nearly 400,000 Linux, FreeBSD, and OpenBSD servers—more than 100,000 were still at risk by the end of 2023.