Ankura CTIX FLASH Update - February 16, 2024

Ransomware/Malware Activity

GoldPickaxe Trojan Leveraged as Facial Recognition Stealer for Future Attacks

A new trojan for iOS and Android has been discovered that uses its capabilities to scan the victim's face for apparent use in future deepfakes. The trojan, named "GoldPickaxe", is the latest strain of malware developed by the Chinese threat actor group "GoldFactory", seen targeting users in Southeast Asia. Victims are initially contacted via the LINE instant messaging application by threat actors pretending to be from their respective government. The threat actor then attempts to convince the victim to download a fake pension application from a webpage designed to impersonate the Google Play Store. For iOS users, the threat actor takes a more roundabout approach, attempting to get the user to download a Mobile Device Management (MDM) profile that then downloads the application from a website. This method allows the threat actor to have a great deal of access to the device as MDMs give them a myriad of abilities to utilize, including application management. Once installed, the malware has the ability to contact threat actor-controlled command-and-control (C2) servers, scrape system information from the device, exfiltrate recent photos, and more. GoldPickaxe also requests the user to take a video of their face so they can complete their online bank profile for either a banking institution or a government pension system. It is believed that this is a direct response to financial institutions leveraging biometric safeguards on currency transfers over certain limits. The stolen photos and use of a facial video would allow threat actors to use modern AI technology to create deepfakes of the individual they are attempting to transfer money from. This sophisticated phishing technique allows the threat actor to associate bank accounts or pension numbers with the individual through scraped information and then steal the money using intercepted information and deepfake videos. CTIX analysts will continue to monitor the use of stolen biometric information to create deepfakes for scams and security bypasses as the technology continues to evolve.

Bleeping Computer: GoldPickaxe.iOS Article
• Group-IB: GoldPickaxe.iOS Blog

Threat Actor Activity

Black Basta Claims Cyberattack on Willis Lease Finance Corporation

Willis Lease Finance Corporation (WLFC) has recently filed a Form 8-K filing with the Securities and Exchange Commission (SEC) after falling prey to a cybersecurity incident they flagged on January 31, 2024, when unauthorized activity was first detected on portions of their system. WLFC is an engine and aircraft-parts dealer and service provider to major airlines. According to the company, the incident was fully contained on February 2nd and no unauthorized activity has since been detected. While WLFC officials have stated that they're still working on the scope of the breach and whether any data was stolen and/or compromised, the Black Basta ransomware group claimed responsibility for the attack on February 9th, adding the company to their leak site. The threat actor claims to have stolen upwards of 900 GB of sensitive company information, including confidential documents, non-disclosure agreements (NDAs), employee and customer information, shared folders, and more. Sample documents posted online by the ransomware gang includes leasing agreements between WLFC and various major airlines, along with SSNs and passport scans belonging to what appears to be company staff. WLFC took steps to contain, assess, and remediate the initial activity, including taking some systems offline. CTIX analysts will continue to monitor the operations of both state-sponsored and financially-motivated threat actors alike.

The Register: Black Basta Article
• Security Week: Black Basta Article

Vulnerabilities

Critical Outlook Vulnerability Exploited to Conduct RCE

A critical security vulnerability in Microsoft Outlook, identified as CVE-2024-21413, allows remote unauthenticated attackers to perform remote code execution (RCE) attacks by exploiting a flaw that also bypasses Office Protected View. This vulnerability, which affects various Microsoft Office products, can be exploited by simply opening or previewing malicious emails containing specially crafted links, without any need for user interaction. The exploit involves a technique dubbed "Moniker Link" by Check Point, leveraging the "file://" protocol and an exclamation mark in URLs to bypass Outlook's security measures, leading to potential theft of NTLM credentials and arbitrary code execution. Despite initial claims of active exploitation, Microsoft later corrected this assertion. The issue, rooted in the MkParseDisplayName API and potentially impacting software beyond Outlook, underscores a long-standing vulnerability in the Windows/COM ecosystem. Microsoft and Check Point urge users to apply the provided patch promptly to mitigate risks associated with this significant security flaw.

Bleeping Computer: CVE-2024-21413 Article
• Checkpoint Research: CVE-2024-21413 Report

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.