Google Cloud Run Exploited by Hackers to Distribute Banking Trojans

In a large-scale malware distribution campaign, hackers have been exploiting the Google Cloud Run service to deploy several banking trojans, including Astaroth, Mekotio, and Ousaban.

Google’s Cloud Run service allows developers to build and deploy web applications and websites without having to manage or scale infrastructure themselves.

Security researchers at Cisco Talos have observed a surge in this malware campaign since September 2023, when trojan-laden emails sent from Brazil began using malicious Microsoft Installers (MSIs) to distribute the malware.

The report suggests that Google Cloud Run gained prominence as a distribution tool among hackers because it is inexpensive and able to bypass various security systems.

The infection chain starts with legitimate-looking phishing emails, which are generally themed around invoices, financial documents, or messages from local government or tax agencies.

Since the campaign is mainly LATAM-focused, the majority of emails are in Spanish. In one instance, the researchers found an email impersonating the Administración Federal de Ingresos Públicos (AFIP), the local government tax agency in Argentina.

Nevertheless, the campaign is believed to be targeting victims in Europe and North America as well, as a few instances were found where Italian was also used in the phishing emails.

The malicious links in the emails redirect victims to a threat-actor-hosted web service on Google Cloud Run, or lead directly to the download of a malicious MSI installer.
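As an added defensive example (not code from the article or from Talos), the following Python correlates constructed web-proxy log lines to flag an MSI download that follows a redirect from a Cloud Run host. Cloud Run services are served under *.run.app; the log format, the hostnames, the bucket path and the 5-second correlation window are assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real campaign data).
# Fields: timestamp client method url status content-type referrer ("-" if none)
SAMPLE_LOG = """\
2023-09-14T10:02:11Z 10.0.0.5 GET https://mail.example.net/inbox 200 text/html -
2023-09-14T10:02:19Z 10.0.0.5 GET https://factura-abc123-uc.a.run.app/doc 302 text/html https://mail.example.net/inbox
2023-09-14T10:02:20Z 10.0.0.5 GET https://storage.googleapis.com/bkt-x/factura.msi 200 application/x-msi -
2023-09-14T10:05:40Z 10.0.0.7 GET https://docs-def456-uc.a.run.app/ 200 text/html -
2023-09-14T10:07:02Z 10.0.0.9 GET https://download.example.com/setup.msi 200 application/x-msi https://intranet.example.com/tools
"""

CLOUD_RUN_HOST = re.compile(r"(^|\.)run\.app$")  # Cloud Run services live under *.run.app
REDIRECT_WINDOW_S = 5  # assumed: how long after a Cloud Run redirect an MSI fetch is correlated

Event = namedtuple("Event", "ts client url status ctype referrer")

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, client, _method, url, status, ctype, ref = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(ts, client, url, int(status), ctype, ref))
    return events

def is_cloud_run(url):
    host = urlparse(url).hostname or ""
    return bool(CLOUD_RUN_HOST.search(host))

def is_msi_download(ev):
    path = urlparse(ev.url).path.lower()
    return ev.status == 200 and (ev.ctype == "application/x-msi" or path.endswith(".msi"))

def find_cloud_run_msi_chains(events):
    """Return (client, cloud_run_url, msi_url) for MSI downloads reached via a Cloud Run
    referrer, or shortly after the same client received a 3xx from a Cloud Run host."""
    hits, last_redirect = [], {}  # last_redirect: client -> most recent Cloud Run 3xx event
    for ev in sorted(events, key=lambda e: e.ts):
        if is_cloud_run(ev.url) and 300 <= ev.status < 400:
            last_redirect[ev.client] = ev
        if not is_msi_download(ev):
            continue
        if is_cloud_run(ev.referrer):
            hits.append((ev.client, ev.referrer, ev.url))
            continue
        prev = last_redirect.get(ev.client)
        if prev and (ev.ts - prev.ts).total_seconds() <= REDIRECT_WINDOW_S:
            hits.append((ev.client, prev.url, ev.url))
    return hits
```

Run on the sample above, only the 10.0.0.5 session is flagged: the MSI fetched from a storage bucket one second after a 302 from a run.app host; the benign MSI from an intranet referrer is not.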

The Talos researchers further explained that cases were seen where a single Google Cloud Storage bucket was used to distribute multiple malware families. This signifies either collaboration between the operators of the different families or a single threat actor controlling all of them.

The Google Cloud Run malware campaign mainly involves three malware families: Astaroth/Guildma, Mekotio, and Ousaban. “Each is designed to infiltrate systems stealthily, establish persistence, and exfiltrate sensitive financial data that can be used for taking over banking accounts,” Talos revealed.

Of the three, Astaroth is considered the most dangerous, as it targets more than 300 institutions across 15 Latin American countries. It was also observed collecting a variety of credentials related to cryptocurrency and bitcoin accounts.
