According to ESET, the past six months have seen a significant increase in Android financial threats, whether in the form of traditional banking malware or, more recently, cryptostealers, malware that targets victims' mobile banking funds.

Vidar infostealer targets Windows users
We are seeing information-stealing malware masquerading as generative AI tools, and the new mobile malware GoldPickaxe can steal facial recognition data and create deepfake videos that its operators use to authenticate fraudulent financial transactions. Video games and cheating tools used in online multiplayer games have also recently been found to contain information-stealing malware such as RedLine Stealer, which saw a sharp increase in detections in ESET telemetry in the first half of 2024.
“GoldPickaxe is available for both Android and iOS and targets victims in Southeast Asia through localized malicious apps. When ESET researchers investigated this malware family, they found that GoldPickaxe's older Android version, GoldDiggerPlus, was also actively targeting victims in Latin America and South Africa, making inroads in those regions,” explains Jiří Kropáč, Director of Threat Detection at ESET.
In recent months, information-stealing malware has also begun to spoof generative AI tools: in the first half of 2024, Rilide Stealer was seen abusing the names of generative AI assistants such as OpenAI's Sora and Google's Gemini to lure potential victims.
In another malicious campaign, the Vidar infostealer hid behind a purported Windows desktop app for the AI image generator Midjourney, even though Midjourney's AI models were accessible only via Discord. Since 2023, ESET research has seen cybercriminals increasingly exploit AI themes, a trend that is expected to continue.
Law enforcement shuts down LockBit
Gamers outside the official gaming ecosystem have come under attack from infostealers: some cracked video games and cheating tools used in online multiplayer games have recently been found to contain infostealer malware such as Lumma Stealer and RedLine Stealer.
RedLine Stealer recorded several spikes in detections in ESET telemetry in the first half of 2024, driven by campaigns in Spain, Japan and Germany. The most recent wave was so large that RedLine Stealer detections in the first half of 2024 exceeded those in the second half of 2023 by a third.
Balada Injector, notorious for exploiting vulnerabilities in WordPress plugins, continued to wreak havoc in the first half of 2024, compromising more than 20,000 websites and recording more than 400,000 hits in ESET telemetry for variants used in the group's recent attacks.
In the world of ransomware, LockBit, once a leader, was dethroned by a global disruption operation called Operation Cronos, conducted by law enforcement agencies in February 2024. ESET telemetry recorded two notable LockBit campaigns in the first half of 2024, but these were found to be the work of non-LockBit gangs using leaked LockBit builders.
