Full Report
Malicious use of AI is reshaping the fraud landscape, creating major new risks for businesses
Analysis Summary
# Tool/Technique: GoldPickaxe Malware
## Overview
GoldPickaxe is a sophisticated piece of malware specifically designed to harvest facial recognition data from infected systems. This harvested data is then used to create deepfake videos, likely for the purpose of bypassing biometric authentication checks for account creation or logging into sensitive systems.
## Technical Details
- Type: Malware
- Platform: Not explicitly stated, but inferred to target platforms that support facial recognition for authentication (e.g., mobile devices, modern operating systems).
- Capabilities: Harvests facial recognition data, used to generate deepfake videos for authentication bypass.
- First Seen: Mentioned in reports from H1 2024 (based on the ESET report reference).
## MITRE ATT&CK Mapping
The activities described map to impersonation and authentication compromise. The technique IDs below are corrected to match the named techniques (the original listing paired several names with the wrong IDs).
- T1565.001 - Stored Data Manipulation
- T1485 - Data Destruction (if facial templates are deleted or replaced, though data harvesting is the primary goal)
- T1555 - Credentials from Password Stores (if biometric hashes/templates are treated as stored credentials)
- T1656 - Impersonation (the goal is to impersonate a legitimate user/customer)
## Functionality
### Core Capabilities
- Data exfiltration focused specifically on biometric templates or facial recognition data necessary for creating convincing deepfakes.
### Advanced Features
- Integration with deepfake generation techniques to turn harvested biometric data into usable deepfake videos for bypassing MFA/authentication protocols, specifically noted in attacks against legitimate customers.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: [Not provided in the text]
- Network Indicators: [Not provided in the text]
- Behavioral Indicators: Presence of processes attempting to access or export biometric data stores or security camera feeds to capture live or pre-recorded facial data.
## Associated Threat Actors
- Not explicitly named, but associated with broader threats targeting digital account openings and KYC/authentication bypass.
## Detection Methods
- Signature-based detection: Requires up-to-date signatures targeting the malware binaries.
- Behavioral detection: Monitoring for unauthorized access or unusual dumping of system folders containing biometric data used for authentication services.
- YARA rules if available: [Not provided in the text]
## Mitigation Strategies
- **People/Process:** Enhanced vetting beyond simple captured footage for KYC/Account Opening, employing advanced liveness detection checks during authentication.
- **Technology:** Utilizing advanced anti-fraud tools capable of detecting deepfakes during authentication (AI-powered deepfake detection).
- Implement multifactor authentication (MFA) for all sensitive corporate accounts, although the success of GoldPickaxe implies MFA systems relying solely on facial recognition may be targeted.
## Related Tools/Techniques
- Deepfake Audio/Video Generation (General application for BEC and impersonation)
- PassGAN (AI tool used for password cracking, representing another facet of AI-enabled credential compromise)
***
# Tool/Technique: PassGAN
## Overview
PassGAN is an AI algorithm designed specifically for generating password candidates. It accelerates password cracking by using a machine-learning model to propose likely passwords, drastically reducing the time required compared to traditional brute-force methods.
## Technical Details
- Type: Tool/Algorithm
- Platform: Not explicitly stated, likely usable in environments where password cracking tools can be deployed.
- Capabilities: Rapidly cracks passwords using AI algorithms. Reportedly capable of cracking passwords in **less than half a minute**.
- First Seen: Contextually related to recent AI threats (H2 2024 Threat Report mentioned).
## MITRE ATT&CK Mapping
- T1110 - Brute Force
- T1110.001 - Password Guessing (AI leveraging statistical knowledge of real password distributions for faster guessing; the original listing gave this sub-technique as .003, which is Password Spraying)
## Functionality
### Core Capabilities
- Accelerating password cracking using ML/AI.
### Advanced Features
- Speed: capable of cracking credentials significantly faster than legacy cracking tools.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: [Not provided in the text]
- Network Indicators: High volume of authentication or connection attempts against network services.
- Behavioral Indicators: Suspicious utilization of local compute resources (CPU/GPU) for heavy, sustained password-testing workloads.
## Associated Threat Actors
- Not explicitly named, but implied to be used by threat actors leveraging AI for data theft and ransomware enablement.
## Detection Methods
- Signature-based detection: [Not provided in the text]
- Behavioral detection: Monitoring for processes exhibiting characteristics of high-speed, systematic password guessing against local or network resources.
- YARA rules if available: [Not provided in the text]
## Mitigation Strategies
- Enforcing strong, complex password policies.
- Implementing account lockout / rate-limiting policies.
- Utilizing MFA widely to render cracked passwords ineffective on their own.
## Related Tools/Techniques
- AI algorithms used for password cracking simulation.
- General password cracking utilities.