SecureThinkLab
Consulthink S.p.A. Business Unit
March 14, 2025 • 18 min read • Malware
GodFather Android Malware Analysis
GodFather is an Android malware that was first identified in mid-2023 and quickly attracted the attention of security experts because of its advanced capabilities and modular structure. Its design marks a significant evolution from its predecessors, using sophisticated techniques to circumvent security measures and infect Android devices. In this article, we explore how this version of the malware communicates with its C2 server, a critical component that allows attackers to manage the malware in real time and receive stolen data....
May 6, 2024 • 6 min read • macOS
CVE-2024-34456: Trend Micro Antivirus One Dylib Injection
During a red teaming activity, we gained access to a company MacBook; the Trend Micro Antivirus One software was running and prevented us from running our tools without being detected. So, I analyzed the software and found a misconfiguration that allows injecting a custom dylib into the application process. CVE-2024-34456 has been assigned to this issue, affecting Trend Micro Antivirus One version 3.10.3 and below. I reported it on February 6, 2024, and according to Trend Micro, following its resolution, the public disclosure was scheduled for today, May 6, 2024....
April 19, 2024 • 12 min read • malwares
Gold Pickaxe iOS Technical Analysis: IPA Overview and C2 Communication Startup
In February 2024, Group-IB wrote a blog post about a mobile Trojan, developed by a Chinese-speaking cybercrime group, called Gold Pickaxe. This malware targets both iOS and Android users in the Asia Pacific region in order to collect identity documents, SMS, pictures and other data from the compromised phones. The malware communicates with the C2 using two protocols: the WebSocket protocol, used to listen for incoming commands, and the HTTP protocol, used to send information and data to the C2. In this article we analyse the IPA file, and then describe how the malware connects to the C2 WebSocket server....