ESET Threat Report: Infostealers Leveraging AI and Banking Malware Utilizing Deepfake Videos for Financial Theft


Over the past six months, Android financial threats have shifted noticeably, with malware increasingly going after the funds in victims' mobile banking accounts. This covers both traditional banking malware and newer threats such as cryptostealers. Infostealers have also grown more sophisticated and now routinely impersonate generative AI tools. Notably, new mobile malware such as GoldPickaxe can steal facial recognition data, which its operators use to produce deepfake videos that pass the identity checks protecting fraudulent financial transactions. Cracked video games and cheating tools for online multiplayer games have also been found to carry infostealers such as RedLine Stealer, which saw several detection spikes in the first half of 2024 according to ESET telemetry.

"GoldPickaxe has both Android and iOS versions and has been targeting victims in Southeast Asia through localized malicious apps. ESET researchers, while investigating this malware family, discovered that an older Android sibling of GoldPickaxe, called GoldDiggerPlus, has also tunneled its way to Latin America and South Africa, actively targeting victims in these regions," explains Jiří Kropáč, Director of ESET Threat Detection.

In recent months, infostealers have increasingly relied on impersonating generative AI tools as a lure. In the first half of 2024, for instance, Rilide Stealer was found misusing the names of generative AI assistants such as OpenAI's Sora and Google's Gemini to attract victims. In another campaign, the Vidar infostealer was distributed as a supposed Windows desktop app for the AI image generator Midjourney, even though Midjourney's model is accessible only through Discord; a standalone installer for a service that offers none is itself a warning sign. ESET Research has observed cybercriminals abusing the AI theme since 2023 and expects the trend to continue.

Gaming enthusiasts who ventured outside the official gaming ecosystem were targeted by infostealers. Some cracked video games and cheating tools for online multiplayer games were recently found to contain malware such as Lumma Stealer and RedLine Stealer. RedLine Stealer saw several detection spikes in H1 2024, driven by campaigns in Spain, Japan, and Germany. These waves were large enough that RedLine Stealer detections in H1 2024 exceeded those of H2 2023 by a third.

The Balada Injector gang, notorious for exploiting WordPress plugin vulnerabilities, kept up its pace in the first half of 2024, compromising over 20,000 websites and generating over 400,000 hits in ESET telemetry for the variants used in its recent campaigns. On the ransomware front, the former market leader LockBit was disrupted by Operation Cronos, a global law enforcement operation conducted in February 2024. ESET telemetry still recorded two notable LockBit campaigns in H1 2024, but both turned out to be the work of other gangs using the leaked LockBit builder rather than of LockBit itself, so a LockBit ransom note alone no longer identifies the operator behind an incident.

The ESET Threat Report also includes a deep-dive investigation into one of the most advanced server-side malware campaigns, run by the Ebury group. Over the years the group has deployed the Ebury backdoor to compromise nearly 400,000 Linux, FreeBSD, and OpenBSD servers, and as of late 2023 more than 100,000 of them remained compromised, showing how persistent and widespread this threat is.
