Report: Infostealers using AI & banking malware

News Desk -


ESET has released its latest Threat Report, summarizing the threat landscape trends observed in ESET telemetry and from the perspective of ESET experts between December 2023 and May 2024. The past six months have revealed a dynamic landscape of Android financial threats and mobile banking malware, including cryptostealers and advanced infostealers impersonating generative AI tools.

Key findings include infostealers now masquerading as popular generative AI tools such as Midjourney, Sora, and Gemini. New mobile malware, GoldPickaxe, is capable of stealing facial recognition data to create deepfake videos used to authenticate fraudulent financial transactions. RedLine Stealer saw several detection spikes in ESET H1 2024 telemetry, particularly in Spain, Japan, and Germany. Balada Injector, notorious for exploiting WordPress plugin vulnerabilities, compromised over 20,000 websites, with ESET detecting 400,000 hits in the first half of 2024.

GoldPickaxe malware, with both Android and iOS versions, has targeted victims in Southeast Asia through localized malicious apps. ESET researchers found that an older version, GoldDiggerPlus, has spread to Latin America and South Africa. Infostealing malware has begun using the names of generative AI assistants like OpenAI’s Sora and Google’s Gemini to lure victims. Vidar infostealer was found behind a supposed Windows desktop app for the AI image generator Midjourney, even though Midjourney’s model is only accessible via Discord.

Gamers using cracked video games and cheating tools have been targeted by infostealers like Lumma Stealer and RedLine Stealer. RedLine Stealer’s recent detection spikes, notably in Spain, Japan, and Germany, surpassed its H2 2023 activity by a third. The Balada Injector gang continued its attacks in the first half of 2024, exploiting WordPress plugin vulnerabilities. ESET telemetry recorded over 400,000 hits for Balada Injector variants, compromising more than 20,000 websites.

Operation Cronos, a global law-enforcement disruption carried out in February 2024, knocked former ransomware leader LockBit off its pedestal. Although ESET recorded two notable LockBit campaigns in H1 2024, both were the work of non-LockBit gangs using the leaked LockBit builder, so a LockBit detection in this period does not by itself point to the original operators. ESET’s report also includes a deep-dive investigation into the Ebury group, responsible for one of the most advanced server-side malware campaigns. Over the years, Ebury has compromised almost 400,000 Linux, FreeBSD, and OpenBSD servers, with over 100,000 still compromised as of late 2023.
