AI Cybercrime Service Bundles Phishing Kits with Malicious Apps

A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, enhancing their malware-as-a-service (MaaS) offerings.

Researchers have been tracking this e-crime actor since January 2023. They describe the crimeware solution as a “sophisticated AI-powered phishing-as-a-service platform” that targets users of more than 36 Spanish banks, government bodies, and 30 institutions worldwide.

The phishing kit alone costs between $150 and $900 a month. However, the bundle that includes the phishing kit and Android malware is available on a subscription basis for about $500 per month.

The campaign targets users of Spanish financial institutions, as well as tax and government services, e-commerce, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil. So far, 288 phishing domains linked to this activity have been identified.

In addition to phishing kits, the GXC Team offers stolen banking credentials and custom coding-for-hire services for other cybercriminal groups targeting banking, financial, and cryptocurrency businesses.

“Unlike typical phishing developers, the GXC Team combined phishing kits with an SMS OTP stealer malware, pivoting a typical phishing attack scenario in a slightly new direction,” said security researchers.

Instead of using a fake page to steal credentials directly, the threat actors urge victims to download a purported Android banking app, presented as protection against phishing attacks. These pages are distributed via smishing and other methods.

Once installed, the app asks to be set as the device’s default SMS app, which allows it to intercept one-time passwords (OTPs) and other messages and forward them to a Telegram bot controlled by the attackers.

“In the final stage, the app opens a genuine bank’s website in WebView, allowing users to interact with it normally,” the researchers explained. “After that, whenever the attacker triggers the OTP prompt, the Android malware silently receives and forwards SMS messages with OTP codes to the Telegram chat controlled by the threat actor.”
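The default-SMS-app behaviour described above leaves a recognisable footprint in an app’s manifest, because Android only grants that role to apps that declare specific receivers and intent filters. The following static triage script is an added example, not code from the article or from the researchers; it parses a decoded `AndroidManifest.xml` (real APKs store it as binary XML, so it must first be decoded with a tool such as apktool or androguard) and flags the combination a banking app has no legitimate reason to request: an `SMS_DELIVER` receiver, an `SENDTO` activity for `sms:`/`smsto:` schemes, SMS permissions, and `INTERNET` for exfiltration. The two manifests embedded below are constructed samples, and the package and class names in them are placeholders.

```python
"""Static triage of an Android manifest for the 'default SMS app' pattern
(added example; the sample manifests are constructed, not real malware)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_SCHEME = f"{{{ANDROID_NS}}}scheme"

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
}
# Intent actions Android requires a default SMS app to handle.
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
WAP_PUSH_DELIVER = "android.provider.Telephony.WAP_PUSH_DELIVER"
RESPOND_VIA_MESSAGE = "android.intent.action.RESPOND_VIA_MESSAGE"
SENDTO = "android.intent.action.SENDTO"
SMS_SCHEMES = {"sms", "smsto", "mms", "mmsto"}


def _actions(component):
    """All intent actions declared on a manifest component."""
    return {a.get(ATTR_NAME) for f in component.findall("intent-filter")
            for a in f.findall("action")}


def _schemes(component):
    """All data schemes declared on a manifest component."""
    return {d.get(ATTR_SCHEME) for f in component.findall("intent-filter")
            for d in f.findall("data")}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related indicators found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ATTR_NAME) for p in root.findall("uses-permission")}
    findings = {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "internet": "android.permission.INTERNET" in perms,
        "sms_deliver_receiver": False,
        "wap_push_receiver": False,
        "sendto_sms_activity": False,
        "respond_via_message_service": False,
    }
    app = root.find("application")
    if app is not None:
        for receiver in app.findall("receiver"):
            acts = _actions(receiver)
            findings["sms_deliver_receiver"] |= SMS_DELIVER in acts
            findings["wap_push_receiver"] |= WAP_PUSH_DELIVER in acts
        for activity in app.findall("activity"):
            if SENDTO in _actions(activity) and _schemes(activity) & SMS_SCHEMES:
                findings["sendto_sms_activity"] = True
        for service in app.findall("service"):
            if RESPOND_VIA_MESSAGE in _actions(service):
                findings["respond_via_message_service"] = True
    # Minimum pieces needed to be offered the default-SMS role at all.
    findings["default_sms_candidate"] = (
        findings["sms_deliver_receiver"] and findings["sendto_sms_activity"])
    # Default-SMS role plus network access is the OTP-forwarding shape.
    findings["otp_exfil_risk"] = findings["default_sms_candidate"] and findings["internet"]
    return findings


# Constructed sample: what a fake "bank security" app's manifest could look like.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Bank Security">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".ComposeActivity">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary networked app with no SMS handling.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain App">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

A genuine messaging app matches the same pattern, so treat the result as a triage signal to be read against the app’s claimed purpose: a “bank security” app that wants the default-SMS role and network access is the shape of the OTP stealer described here, not a feature.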

Other services advertised by the threat actor on a dedicated Telegram channel include AI-infused voice calling tools. These tools allow customers to generate voice calls to prospective targets, using a series of prompts directly from the phishing kit.

These calls typically masquerade as originating from a bank, instructing victims to provide their two-factor authentication (2FA) codes, install malicious apps, or perform other arbitrary actions.

“This simple yet effective mechanism enhances the scam scenario, making it even more convincing to victims. It demonstrates how quickly AI tools are adopted by criminals, transforming traditional fraud scenarios into more sophisticated tactics,” the researchers noted.

In a recent report, Google-owned Mandiant revealed how AI-powered voice cloning can mimic human speech with “uncanny precision,” allowing for more authentic-sounding phishing (or vishing) schemes. These schemes facilitate initial access, privilege escalation, and lateral movement.

“Threat actors can impersonate executives, colleagues, or even IT support personnel to trick victims into revealing confidential information, granting remote access to systems, or transferring funds,” the threat intelligence firm said.

“The inherent trust associated with a familiar voice can be exploited to manipulate victims into taking actions they would not normally take, such as clicking on malicious links, downloading malware, or divulging sensitive data.”

Phishing kits with adversary-in-the-middle (AiTM) capabilities have become increasingly popular, lowering the technical barrier to executing phishing campaigns at scale.

Additionally, these AiTM phishing kits can break into accounts protected by passkeys on various online platforms through an authentication method redaction attack. This attack exploits the fact that these services still offer a less-secure authentication method as a fallback even when passkeys are configured.

“Since the AitM can manipulate the view presented to the user by modifying HTML, CSS, and images, or JavaScript in the login page, they can control the authentication flow and remove all references to passkey authentication,” said a cybersecurity company.

The disclosure comes amid a recent surge in phishing campaigns that embed URLs already rewritten (encoded) by security tools such as Secure Email Gateways (SEGs), so that the trusted wrapper masks the phishing link and evades scanning, according to Barracuda Networks and Cofense.
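Because a link wrapped by a Secure Email Gateway points at the gateway’s own trusted domain, scanners and reputation lookups that do not unwrap it never see the real destination, which is what the abuse described above relies on. The script below is an added example, not code from Barracuda, Cofense or the article; it unwraps three common wrapper formats as they are known from public observation (Microsoft Safe Links, Proofpoint URL Defense v2, Barracuda Link Protect), follows nested wrappers, and returns the final destination for downstream checks. The format rules are stated as assumptions in the comments, since vendors can change them, and the sample links are constructed.

```python
"""Unwrap SEG-rewritten links to expose the real destination
(added example; wrapper formats are as publicly observed and may change)."""
import re
from typing import List, Optional
from urllib.parse import parse_qs, quote, urlparse


def _proofpoint_v2_decode(u: str) -> str:
    """Assumed v2 'u=' encoding: '_' stands for '/', '-XX' is a hex-escaped byte."""
    s = u.replace("_", "/")
    return re.sub(r"-([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def unwrap_seg_url(url: str) -> Optional[str]:
    """Return the inner URL if `url` is a known SEG wrapper, else None."""
    parts = urlparse(url)
    host = parts.netloc.lower()
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values
    # Microsoft Safe Links: https://<region>.safelinks.protection.outlook.com/?url=<encoded>
    if host.endswith("safelinks.protection.outlook.com") and "url" in query:
        return query["url"][0]
    # Proofpoint URL Defense v2: https://urldefense.proofpoint.com/v2/url?u=<escaped>
    # (v3 uses a different scheme and is deliberately not handled here)
    if host == "urldefense.proofpoint.com" and parts.path.startswith("/v2/url") and "u" in query:
        return _proofpoint_v2_decode(query["u"][0])
    # Barracuda Link Protect: https://linkprotect.cudasvc.com/url?a=<encoded>
    if host == "linkprotect.cudasvc.com" and "a" in query:
        return query["a"][0]
    return None


def unwrap_chain(url: str, max_depth: int = 5) -> List[str]:
    """Follow nested wrappers; element 0 is the input, the last is the destination."""
    chain = [url]
    for _ in range(max_depth):
        inner = unwrap_seg_url(chain[-1])
        if inner is None:
            break
        chain.append(inner)
    return chain


def final_destination(url: str) -> str:
    return unwrap_chain(url)[-1]


# Constructed samples (example.com placeholders, not real campaign links).
SAFELINKS_SAMPLE = ("https://nam02.safelinks.protection.outlook.com/?url="
                    "https%3A%2F%2Fexample.com%2Flogin%3Fid%3D7&data=05%7C01%7C&sdata=abc&reserved=0")
PROOFPOINT_SAMPLE = ("https://urldefense.proofpoint.com/v2/url?"
                     "u=https-3A__example.com_verify-3Ftoken-3D42&d=DwMFaQ&c=x&r=y&m=z&s=w&e=")
BARRACUDA_SAMPLE = ("https://linkprotect.cudasvc.com/url?"
                    "a=https%3a%2f%2fexample.com%2fpay&c=E,1,abc&typo=1")
# A Safe Links wrapper around a Proofpoint wrapper, as seen when mail crosses two gateways.
NESTED_SAMPLE = ("https://eur01.safelinks.protection.outlook.com/?url="
                 + quote("https://urldefense.proofpoint.com/v2/url?u=https-3A__example.com_verify&d=x",
                         safe="") + "&reserved=0")

if __name__ == "__main__":
    for sample in (SAFELINKS_SAMPLE, PROOFPOINT_SAMPLE, BARRACUDA_SAMPLE, NESTED_SAMPLE):
        print(" -> ".join(unwrap_chain(sample)))
```

Run the destination, not the wrapper, through reputation and sandbox checks; a link whose unwrapped host is unrelated to the sender’s organisation is the case this technique is designed to hide.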

Social engineering attacks have also been observed using unusual methods. Users are enticed to visit seemingly legitimate but compromised websites and are then asked to manually copy, paste, and execute obfuscated code in a PowerShell terminal, under the guise of fixing a problem with viewing content in the web browser.

To defend against AI-powered phishing attacks and bundled malware, it is essential to adopt a comprehensive cybersecurity strategy. Regularly updating security software and applying patches to operating systems can help mitigate vulnerabilities. Organizations should conduct regular cybersecurity training sessions to educate employees on recognizing phishing attempts and the dangers of downloading apps from untrusted sources.

Additionally, deploying email filtering solutions and monitoring network traffic can help identify and block malicious activities before they cause significant damage.