“Revealing the Connection Between Golddigger and Gigabud Android Malware”

Cyble’s analysis links a surge in Gigabud variants since July 2024 to sophisticated phishing campaigns that masquerade as genuine airline apps and clone the Google Play Store to distribute the malware. The findings indicate a connection between Gigabud and Golddigger, suggesting the same threat actor and coordinated campaign across multiple regions. #Gigabud #Golddigger

Key points

  • Notable uptick in Gigabud detections beginning in July 2024, signaling expanded distribution and impact.
  • Phishing campaigns disguise malicious apps as legitimate airline apps and leverage fake Google Play Store clones to mislead users.
  • Targets extend across Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia, broadening the attacker’s reach.
  • Strong similarities between Golddigger and Gigabud suggest a shared threat actor and common origin.
  • Latest Gigabud variants incorporate over 30 API endpoints, increasing feature support and functionality.
  • Phishing sites impersonate airlines (e.g., South African Airways, Ethiopian Airlines) and bank/government apps (e.g., HeyBanco, M-Pajak).
  • New samples use Virbox packer for evasion and reveal overlapping code/libs with Golddigger, including shared libraries like libstrategy.so.

MITRE Techniques

  • [T1655.001] Masquerading: Match Legitimate Name or Location – “Malware masquerading as legitimate entities.”
  • [T1624.001] Event-Triggered Execution: Broadcast Receivers – “Malware has implemented a broadcast receiver to monitor screen actions.”
  • [T1426] System Information Discovery – “The malware collects basic device information.”
  • [T1420] File and Directory Discovery – “Malware collects files from external storage.”
  • [T1628.001] Hide Artifacts: Suppress Application Icon – “Malware can hide icon.”
  • [T1636.003] Protected User Data: Contact List – “The malware collects contacts from the infected device.”
  • [T1636.004] Protected User Data: SMS Messages – “Steals SMS messages from the infected device.”
  • [T1517] Access Notifications – “Malware monitors notifications.”
  • [T1417.001] Input Capture: Keylogging – “Malware steals credentials using keylogging.”
  • [T1513] Screen Capture – “Malware can record the screen.”
  • [T1437.001] Application Layer Protocol: Web Protocols – “Malware uses HTTPS protocol for C2 communication.”
  • [T1646] Exfiltration Over C2 Channel – “Sending exfiltrated data over the Command and Control server.”

Indicators of Compromise

  • [Hash] Gigabud unpacked sample – d19a134f8e4961ec53e53fc21b3606063d821579ef4427ddaac011c7624b0af4, 327c041ba063d32e7378483aa7ebdf73ea6787db, 4d1d13cb7ce979cdb3a22838c8885794
  • [Hash] Packed Gigabud sample – b700cee5e89305186b65a7c42c545263b3c11587ac1feb91fc3747353bde59e9, 2337bf80e136ee99ee59096081d7a937fd79adc3, 853c98feaec405722c8353ff2d697f9e
  • [Domain] C2 server – rpc.nafe3[.]xyz
  • [URL] Phishing URLs – hxxps://airways.ajgo[.]cc/, hxxps://ethiopian[.]zkgo.cc (and 1 more item)
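As an added example (not code from the Cyble report), the script below refangs the indicators listed above and matches them against DNS-log lines and file hashes; the log lines, client addresses and the benign comparison hash are constructed for the demonstration.

```python
import re

# Indicators copied from the summary above, kept in the defanged form Cyble published.
IOCS = {
    "sha256": {
        "d19a134f8e4961ec53e53fc21b3606063d821579ef4427ddaac011c7624b0af4",  # unpacked Gigabud
        "b700cee5e89305186b65a7c42c545263b3c11587ac1feb91fc3747353bde59e9",  # packed Gigabud
    },
    "domain": {"rpc.nafe3[.]xyz"},
    "url": {"hxxps://airways.ajgo[.]cc/", "hxxps://ethiopian[.]zkgo.cc"},
}

# Constructed DNS log lines (assumed format: timestamp, client, query, type).
SAMPLE_DNS_LOG = [
    "2024-08-01T10:02:11Z client=10.0.0.7 query=rpc.nafe3.xyz type=A",
    "2024-08-01T10:02:15Z client=10.0.0.7 query=play.google.com type=A",
    "2024-08-01T10:03:40Z client=10.0.0.9 query=airways.ajgo.cc type=A",
    "2024-08-01T10:04:01Z client=10.0.0.9 query=ethiopian.zkgo.cc type=A",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ([.] / hxxp) back into its real form for matching."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .lower())


def known_hosts() -> set:
    """Hostnames to alert on: the C2 domain plus the host part of each phishing URL."""
    hosts = {refang(d) for d in IOCS["domain"]}
    for u in IOCS["url"]:
        hosts.add(refang(u).split("://", 1)[1].split("/", 1)[0])
    return hosts


def scan_dns_log(lines):
    """Return (line_number, hostname) for each log line that names a known C2/phishing host."""
    hosts = known_hosts()
    hits = []
    for n, line in enumerate(lines, 1):
        # Pull every hostname-looking token; exact match avoids hitting look-alike parents.
        for token in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", line.lower()):
            if token in hosts:
                hits.append((n, token))
    return hits


def scan_hashes(sha256_hexes):
    """Return the subset of given SHA-256 values that match a listed Gigabud sample."""
    return sorted(h.lower() for h in sha256_hexes if h.lower() in IOCS["sha256"])
```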

Read more: https://cyble.com/blog/unmasking-the-overlap-between-golddigger-and-gigabud-android-malware/