Full Report
Your phone number is more than just a way to contact you – scammers can use it to target you with malicious messages and even exploit it to gain access to your bank account or steal corporate data
Analysis Summary
# Tool/Technique: GoldPickaxe Malware (iOS Iteration)
## Overview
An iteration of the GoldPickaxe malware family that targets iOS devices. It relies on a multi-stage social engineering scheme to persuade the victim to install a Mobile Device Management (MDM) profile; once the device is enrolled, the operators gain broad remote control over it (an MDM server can push configuration, install or remove apps, query device data, and lock or wipe the phone), which the source summarizes as complete control of the compromised phone.
## Technical Details
- Type: Malware Family (iOS variant)
- Platform: iOS
- Capabilities: Installation of MDM profile, device control, potential data exfiltration, social engineering delivery.
- First Seen: Mentioned in ESET Threat Report H1 2024 (implies activity within that timeframe).
## MITRE ATT&CK Mapping
The techniques specifically mentioned or strongly implied by the description relate to gaining initial access via social engineering and taking control of the device management:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.002 - Spearphishing Link (the message directs the victim to a site that serves the MDM profile; this is the fit for SMS/iMessage lures, which carry links rather than attachments)
- T1566.001 - Spearphishing Attachment (only if the profile file itself is delivered as an attachment rather than via a link)
- **TA0005 - Defense Evasion**
- No Enterprise technique maps cleanly to abusing a legitimate MDM enrollment; the attacker is using a supported OS feature, not modifying the system image (T1202 and "Modify System Image" do not correspond to each other, and neither describes this behaviour).
- **TA0003 - Persistence**
- T1543 - Create or Modify System Process is the nearest Enterprise technique; MDM enrollment survives reboots and persists until the profile is removed (the identifier T1545.006 does not exist in ATT&CK).
*(Note: Enterprise ATT&CK IDs fit iOS poorly because Apple's platform prevents traditional file-system and process manipulation. The Mobile ATT&CK matrix, which has its own Phishing technique (T1660) and covers privileged device-management abuse, is the better reference for this campaign.)*
## Functionality
### Core Capabilities
- Execution of a multi-stage social engineering campaign delivered via messages (Smishing).
- Persuading victims to willingly install an MDM profile on their iOS devices.
### Advanced Features
- Achieving **complete control over the victim’s phone** via the installed MDM profile, allowing for monitoring, configuration changes, or data access.
- Using the lure to walk the victim through iOS's own profile-installation and MDM-enrollment prompts, so that the user explicitly accepts the warnings the OS displays for unmanaged profiles rather than the malware bypassing them.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context]
- Registry Keys: [Not applicable to iOS MDM installation context]
- Network Indicators: [C2 infrastructure related to MDM provisioning or data exfiltration is implied but not listed]
- Behavioral Indicators: User installing a configuration profile flagged as an MDM profile from a non-trusted source, often following a fraudulent message.
## Associated Threat Actors
- The operators of the GoldPickaxe malware family, which the source associates with organized cybercriminal groups; no specific actor name is given in the context.
## Detection Methods
- Signature-based detection: Not specified for the delivery mechanism; signatures against the final payload or the MDM profile components may exist with mobile security vendors.
- Behavioral detection: Monitoring for requests or successful installations of unauthorized MDM configurations on iOS devices.
- YARA rules: [Not provided in the context]
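The behavioral detection above can be made concrete by triaging the configuration profile itself before or after it is installed. An iOS profile (`.mobileconfig`) is a property list, and an MDM enrollment shows up as a `com.apple.mdm` payload whose `ServerURL` names the server that will control the device and whose `AccessRights` bitmask declares what that server may do. The script below is an added example, not code from the ESET report or from GoldPickaxe; the allowlisted hostname `mdm.example-corp.com`, the lure hostname, and the sample profiles are constructed. It parses an unsigned profile, flags any MDM payload pointing at a host outside the organisation's allowlist, and decodes the requested rights using the bit values from Apple's MDM payload documentation (a CMS-signed profile is DER-wrapped, so the script reports it as signed and leaves signer verification to `openssl`).

```python
"""Triage an iOS configuration profile for unauthorized MDM enrollment.

Constructed example: not code from the original report or from the malware.
"""
import plistlib
from urllib.parse import urlparse

# Assumption: the hostnames of the organisation's legitimate MDM servers.
APPROVED_MDM_HOSTS = {"mdm.example-corp.com"}

# Bits of the MDM payload's AccessRights mask, per Apple's MDM payload docs.
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed apps",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
FULL_CONTROL = sum(ACCESS_RIGHTS)  # 8191: every right Apple defines


def decode_access_rights(mask: int) -> list:
    """Return the human-readable rights set in an AccessRights bitmask."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]


def triage_profile(data: bytes) -> dict:
    """Inspect raw .mobileconfig bytes and return MDM findings plus a verdict."""
    result = {"signed": False, "mdm_payloads": [], "verdict": ""}
    head = data.lstrip()
    if not (head.startswith(b"<?xml") or head.startswith(b"bplist")):
        # A CMS-signed profile is DER, with the plist inside the signature blob.
        result["signed"] = True
        result["verdict"] = "SIGNED: unwrap with 'openssl smime -verify' and re-run"
        return result
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue  # other payload types (Wi-Fi, VPN, ...) are not enrollment
        host = urlparse(payload.get("ServerURL", "")).hostname or ""
        rights = int(payload.get("AccessRights", 0))
        result["mdm_payloads"].append({
            "server_host": host,
            "check_in": payload.get("CheckInURL", ""),
            "approved": host in APPROVED_MDM_HOSTS,
            "rights": decode_access_rights(rights),
            "full_control": rights == FULL_CONTROL,
        })
    if not result["mdm_payloads"]:
        result["verdict"] = "NO MDM PAYLOAD"
    elif all(p["approved"] for p in result["mdm_payloads"]):
        result["verdict"] = "APPROVED MDM"
    else:
        result["verdict"] = "UNAPPROVED MDM ENROLLMENT"
    return result


def _build_profile(server_url: str, rights: int) -> bytes:
    """Construct a minimal unsigned enrollment profile for testing (sample data)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",
        "PayloadUUID": "11111111-2222-3333-4444-555555555555",
        "PayloadDisplayName": "Security Update",  # lure-style display name
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.profile.mdm",
            "PayloadUUID": "66666666-7777-8888-9999-000000000000",
            "ServerURL": server_url,
            "CheckInURL": server_url + "/checkin",
            "Topic": "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000",
            "AccessRights": rights,
        }],
    })


# Constructed samples: a lure profile, a legitimate corporate one, and edge cases.
LURE_PROFILE = _build_profile("https://mdm.lure-example.invalid/mdm", FULL_CONTROL)
CORP_PROFILE = _build_profile("https://mdm.example-corp.com/mdm", FULL_CONTROL)
EMPTY_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": []})
SIGNED_BLOB = b"\x30\x82\x01\x00"  # DER SEQUENCE header, as a signed profile begins

if __name__ == "__main__":
    for name, blob in [("lure", LURE_PROFILE), ("corp", CORP_PROFILE),
                       ("empty", EMPTY_PROFILE), ("signed", SIGNED_BLOB)]:
        print(name, triage_profile(blob)["verdict"])
```

On a managed fleet the same check belongs in the MDM's own inventory query: any enrolled device reporting a management server outside the allowlist, or an enrollment the organisation did not initiate, is the behavioral indicator listed above.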
## Mitigation Strategies
- **Validate:** Never act on unsolicited requests for personal data or for installing a profile, even when delivered by SMS or apparently from a trusted organisation; verify the request through an official channel you look up independently.
- **Mind Public Exposure:** Limit the personal data shared online, since attackers use it to build convincing lures.
- **Forget SMS for 2FA:** Protect sensitive accounts with app-based two-factor authentication (2FA) rather than SMS codes, which can be phished or intercepted (for example via SIM swapping).
- **Use Mobile Security:** Run reputable mobile security software (individuals) or a Mobile Threat Defense (MTD) solution (organisations), and restrict profile installation on managed devices so only the organisation's own MDM can enroll them.
## Related Tools/Techniques
- Smishing (SMS Phishing)
- General Phishing campaigns leveraging social engineering.
- Other malware focusing on installing MDM profiles onto mobile devices (e.g., banking trojans employing MDM profiles).