Cybersecurity firm Group-IB has uncovered a sophisticated cybercrime operation targeting Spanish banking customers.
The criminal group GXC Team has been using AI-powered phishing tools and Android malware to steal sensitive banking information.
This article delves into the GXC Team’s operational methods, the distinctive characteristics of its malicious tools, its attack strategies, and effective defense mechanisms against such threats.
Emergence of the GXC Team
The GXC Team first appeared on the radar in January 2023. They operate through private channels on Telegram and the underground forum Exploit.in. They specialize in developing and selling phishing kits, Android malware, and AI-powered scam tools.
Their primary targets were users of Spanish banks, but their reach extended to governmental bodies, e-commerce platforms, and cryptocurrency exchanges in the United States, United Kingdom, Slovakia, and Brazil.
A classic malware-as-a-service model is at the core of the GXC Team’s operations. They offered their phishing kits for prices ranging from $150 to $900, while a bundle including the phishing kit and Android malware cost approximately $500 per month, as reported by Group-IB.
Customers were provided with fully set-up phishing resources, complete with domain names that typically impersonated bank domains.
The GXC Team also configured the necessary infrastructure, making it easier for other threat actors to execute attacks.
Innovative Tools and Tactics
Phishing Kits and Android Malware
The GXC Team’s primary tools included custom phishing kits and Android malware. These phishing kits were designed for 36 banks in Spain and 30 other institutions worldwide.
The Android malware was disguised as a banking application and was particularly effective at intercepting One-Time Password (OTP) codes sent from legitimate banks.
One of the most notable features of the GXC Team’s tools was the bundling of phishing kits with SMS OTP stealer malware.
This combination allowed the attackers to prompt victims to download and install a banking application to prevent a “phishing attempt.”
Once installed, the application requested permissions to manipulate SMS, enabling the attackers to forward SMS from the victim’s device to a Telegram bot controlled by the GXC Team.
AI-Powered Voice Caller Feature
The GXC Team also integrated an AI-powered voice caller feature into their phishing kits. This feature enabled other threat actors to generate voice calls to victims, instructing them to provide their two-factor authentication (2FA) codes or to install malware disguised as legitimate apps.
This innovative use of AI made the scam scenarios even more convincing and demonstrated how rapidly criminals adopt and implement AI tools in their schemes.
Attack Scenarios
Phishing Path
The attack typically began with the victim receiving a phishing lure via smishing (SMS phishing). The victim was directed to a phishing website where they were asked to provide initial credentials, such as their Spanish Tax Identification Number (NIF) and login details.
The threat actor received a notification in the admin panel or Telegram chat about the victim’s visit to the phishing website.
The attacker could request further personal information, such as a photo of an identity document (DNI), physical address, email address, phone number, and SMS OTP code.
This data appeared in the phishing kit admin panel or was sent to the Telegram chat controlled by the threat actor.
Android Malware Path
For some financial institutions, the phishing page deceived victims into downloading and installing a purported Android banking application.
In reality, the victims were downloading malware designed to steal SMS OTPs. The malicious APK pretended to be a legitimate bank app, using a genuine logo and styles.
Upon installing the app, the victim was presented with a page asking permission to manipulate SMS. Once the app was the default SMS app, it could read, forward, and delete messages.
The app then opened the genuine bank’s website, allowing the victim to interact with it as usual. Whenever the attacker triggered the OTP prompt, the Android malware silently received the SMS messages containing OTP codes and forwarded them to the Telegram chat controlled by the threat actor.
GXC Android Malware Analysis
The GXC Team’s Android malware was primarily an SMS stealer type. Its core functionality was to receive SMS messages containing OTP login codes for bank logins and send them to a threat actor-controlled Telegram chat.
The malware requested specific permissions, such as READ_SMS and RECEIVE_SMS, and collected victim device information, including device hardware identifiers, IP addresses, and phone numbers.
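The behaviour described above leaves a recognizable footprint in an APK’s manifest: SMS permissions combined with the intent filters an app must declare to become the default SMS handler, something a real banking app has no reason to do. The following triage script is an added example, not code from Group-IB or from the malware itself; the manifests it inspects are constructed samples, and the package names and labels are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
# Actions a default SMS handler must register for; a bank app has no need for them.
SMS_HANDLER_ACTIONS = {"android.provider.Telephony.SMS_DELIVER",
                       "android.provider.Telephony.WAP_PUSH_DELIVER",
                       "android.intent.action.RESPOND_VIA_MESSAGE"}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the SMS-related indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    actions = {a.get(name_attr) for a in root.iter("action")}
    sms_perms = sorted(perms & SMS_PERMS)
    handler_actions = sorted(actions & SMS_HANDLER_ACTIONS)
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "default_sms_handler_actions": handler_actions,
        # SMS permissions plus a default-handler intent filter is the OTP-stealer pattern.
        "otp_stealer_pattern": bool(sms_perms) and bool(handler_actions),
    }


# Constructed sample (hypothetical package name) mimicking a fake bank app that
# asks to become the default SMS app so it can read, forward and delete messages.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Banco Ejemplo">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign control: network access only, no SMS handling.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realbank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Banco Ejemplo"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

Run it against a manifest decoded from an APK (for example with apktool); a hit on `otp_stealer_pattern` is a reason to block the app and alert, not proof on its own.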
To protect against such sophisticated attacks, users and financial institutions should adopt the following defense strategies:
- Multi-Factor Authentication (MFA): Use MFA methods that do not rely solely on SMS-based OTPs.
- Security Awareness Training: Educate users about phishing tactics and how to recognize suspicious messages and websites.
- Regular Software Updates: Ensure all devices and applications are regularly updated to patch vulnerabilities.
- Advanced Threat Detection: Implement advanced threat detection systems to identify and block phishing attempts and malware.
- Secure Communication Channels: Use secure communication channels for sensitive transactions and avoid sharing personal information over SMS or email.
The discovery of the GXC Team reveals an emerging cyber threat aimed specifically at Spanish banking customers. Their combination of phishing kits, Android OTP stealer malware, and AI-powered voice calls makes them a significant threat to the region.
As cybercriminals evolve their tactics, users and financial institutions must stay vigilant and adopt robust security measures to protect against such sophisticated attacks.