DNS Early Detection – Breaking the GoldFamily Kill Chain

DNS Early Detection - GoldFamily Malware Uses Deep Fake AI Photos to Breach Bank Accounts

Cybersecurity researchers have discovered activity by a new group of dangerous trojans called GoldPickaxe, an evolution of the previously identified GoldDigger trojan. In this analysis, we refer to this group as GoldFamily. GoldFamily specifically targets iPhone and iPad users to steal facial recognition data and gain access to their bank accounts. The use of AI by GoldFamily makes it particularly dangerous as it can successfully attack authentication processes, such as certain types of biometrics, that were previously considered secure.

To defend against these threats, it's important to identify and block them as early as possible in the attack cycle. Infoblox's DNS Early Detection Program uses proprietary techniques to identify potentially malicious domains quickly. We can detect these malicious domains early, long before they are available in Open Source Intelligence (OSINT) or commercial feeds as malicious. We flag these domains as suspicious at the earliest stage and make them available for immediate blocking. By taking this proactive approach, defenders can stop attacks days, weeks, or even months before they appear in OSINT or threat intelligence feeds.

Threat actors continually adjust their techniques and often use malicious domains to launch damaging and dangerous attacks quickly. Once that link to a malicious domain is clicked, the Kill Chain can rapidly unfold to the detriment of the defenders. These malicious domains are often detected and shared too late by OSINT and threat intel feeds.

Our DNS Early Detection Program identifies and analyzes potentially harmful domains and cross-references our findings with public Open Source Intelligence (OSINT) data and commercial threat intelligence feeds. In this blog post, we delve into our analysis of domains flagged as malicious in OSINT, providing numerous instances of our proactive identification of these domains as suspicious.

GoldFamily: Android and iOS Malware Swaps Faces to Fool Biometrics

GoldFamily includes a variant of an Android trojan called GoldDigger, initially discovered in October 2023. The threat actors behind GoldFamily leverage social engineering tactics to lure victims into scanning their faces. They then convince the victims to provide highly confidential identification documents. The targeted victims are phished via email, SMS smishing, or messages on platforms such as the LINE app. The messages seem to be well-written and convincingly impersonate government services and authorities.

GoldFamily has been designed to target both Android and iOS users. Android victims are manipulated to install the malicious app directly. iOS users are instead directed to install a disguised Mobile Device Management (MDM) profile. MDM, of course, allows remote device configuration, which enables the threat actors to install malicious applications. In the case of iOS (iPhone) users, the threat actors direct them to a TestFlight URL to install a malicious app.

Once installed, GoldFamily operates to capture facial data, intercept incoming SMS messages, request and capture images of ID cards and other sensitive authentication data, and then acts as a network traffic proxy using a tool called MicroSocks.

On iOS devices, the malware uses a web socket channel to communicate with the command and control (C2) server. Available communications enabled include a heartbeat function to ping the C2 server, an init function that sends device information to the C2, a face photo request to the victim, a false device in use message displayed to prevent interruptions, an album command to sync the photo library date and then exfiltrate to a cloud bucket, and finally, a destroy command to stop the trojan.

Cyber threat actors and their malware tools have always provided growing challenges to cybersecurity defense teams. GoldFamily's use of AI to create and deploy deep fake authentication imagery is a giant leap forward for threat actors and the increasing sophistication of the available tools.

Analysis and Methodology

Multiple OSINT publication sources released disclosures on GoldFamily on February 15 and 16, 2024. Detailed links are provided at the end of this article. Additional domains were published on/about February 20, 2024.

Infoblox extracted malicious domains identified within these OSINT sources. The Infoblox team then analyzed the identified malicious domains to determine whether they had been identified earlier by our suspicious domain feeds.

Our team researched each malicious domain identified in OSINT in the Infoblox Dossier portal. We reviewed our timeline feature to extract the earliest dates associated with Infoblox's suspicious designation. We also extracted the WHOIS information for additional context.

Further, our research efforts have also been highly successful in pursuing GoldFamily. These efforts yielded additional suspicious domains many months ahead of those published in OSINT in February. We identified multiple suspicious domains not found in OSINT sources, which we attributed to GoldFamily activity and designated as IoCs.

The GoldFamily threat has been active long before the release of the OSINT data. Our very early identification of these domains has provided compelling timeline data. Our team found that, in many cases, the threat actors were already ramping up activity shortly after our suspicious designations and long before visibility to the public at large via OSINT availability.

Despite the successful early identification of GoldFamily activity using malicious domains, we remain concerned that the campaign could expand. Some of the queries we found within our cloud data came from financial institutions. At this time, it is possible that these threat actors are now targeting financial institutions across a broader geography, not just in Thailand and Vietnam. Continued vigilance is still required moving forward.

The conclusions of our analysis illustrate the potential benefits of suspicious domain feeds:

• 70.83% of the GoldFamily domains were identified as suspicious by Infoblox an average of 197.7 days (6.5 months) before the OSINT designation as malicious became available.
• Our DNS early detection program identifies suspicious domains weeks to months, as in this case, ahead of OSINT identification as malicious.
• There is often an extended period of time from availability via OSINT to utilization by your cybersecurity ecosystem and defense-in-depth strategy. Infoblox designation of suspicious domains can link to automation to block them immediately.
• In context, 64.71% of the GoldFamily domains were blocked as suspicious within 2 to 3 days after the WHOIS domain registration date.

OSINT publication dates may sometimes be unclear or lack precision. The dates of published articles by reputable 3rd parties may not always accurately reflect the OSINT availability of each domain. The critical point is that even if you have the OSINT data, it must propagate through the threat feeds you use and your cybersecurity ecosystem to support actionable policies. All of that is automated with Infoblox DNS Detection and Response (DNSDR) and our suspicious domain data.

Comparison to WHOIS Data

OSINT data release dates can always be debated. There is always a source you might have missed. But so did all of the vulnerable users out there!

WHOIS data draws a line in the sand and gets you as close as possible to hard data. A comparison with WHOIS data tells you how your threat intelligence systems are working. To provide context on the performance of our suspicious threat intel feeds, we extracted WHOIS dates and found that 64.71% of the GoldFamily domains were blocked as suspicious within 2 to 3 days after the WHOIS domain registration date. The WHOIS dates are relatively precise and provide another perspective on the high value and relative performance of suspicious DNS threat intel feed content.

The threat actors behind most campaigns have learned to continually create and change the domains they use to camouflage their malicious activities. Any of the key domains used in perpetuating the GoldFamily campaigns may be shut down at any time and replaced with new infrastructure. Infoblox Early DNS Detection threat intel brings tangible advantages to your organization.

The Need for Speed

Infoblox DNS Early Detection using our suspicious feeds can help your SOC move faster to identify and block potentially dangerous threats such as GoldFamily. Infoblox Threat Intel proprietary technology can detect suspicious domains faster than the industry's current methods.

Suspicious domain feeds provide a significant advantage in developing and using DNS threat intelligence information. With Infoblox's suspicious domain data, security operations teams can get the timely information they need to prevent and counter new threats before they do any damage.

For Additional Information

The Infoblox Threat Intel Group provides fast access to accurate, contextual threat alerts and reports from our real-time research teams. Suspicious Domains feeds were introduced as an Infoblox proprietary product on November 10, 2022, and, since then, have successfully provided many thousands of customers with the advanced information to block domains that ultimately become malicious long before most other threat intelligence sources identify them as malicious. Infoblox allows your team to leverage the high value of suspicious domain threat intelligence while ensuring a unified security policy across your entire security infrastructure. Infoblox threat data minimizes false positives, so you can be confident in what you are blocking.

Footnotes

1. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html Cyber Kill Chain is a registered trademark of Lockheed Martin.