Google Cloud Run Exploited by Hackers to Distribute Banking Trojans
In a large-scale malware distribution campaign, hackers have been abusing the Google Cloud Run service to deploy several banking trojans, including Astaroth, Mekotio, and Ousaban.
Google's Cloud Run service allows developers to build and deploy web applications and websites without having to manage or scale infrastructure.
Security researchers at Cisco Talos have observed a surge in this campaign since September 2023, when trojan-laden emails sent from Brazil began using malicious Microsoft Installers (MSIs) to distribute the malware.
The report suggests that Google Cloud Run has gained prominence as a distribution tool among hackers because it is inexpensive and its traffic can bypass various security controls.
The infection chain starts with legitimate-looking phishing emails, generally themed around invoices, financial documents, or messages from local government or tax agencies.
Since the campaign is mainly LATAM-focused, the majority of emails are in Spanish. In one instance, the researchers found an email impersonating the Administración Federal de Ingresos Públicos (AFIP), the local government tax agency in Argentina.
Nevertheless, the campaign is believed to be targeting victims in Europe and North America as well, as a few instances were found where Italian was used in the phishing emails.
The malicious links in the emails either redirect victims to a threat-actor-hosted web service on Google Cloud Run or lead directly to the download of a malicious MSI installer.
The Talos researchers further explained that in some cases a single Google Cloud Storage bucket was used to distribute multiple malware families. This suggests either collaboration between the operators of the different families or a single actor controlling all of them.
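As an added example, not part of the report or of Talos's own tooling, the following Python check triages links in email bodies the way a mail-security analyst might for this campaign: it flags URLs pointing at Cloud Run's default *.run.app service domain, at Cloud Storage (storage.googleapis.com), or directly at an .msi file. The sample messages are constructed; custom domains mapped to Cloud Run would not match and need separate handling.

```python
import re
from urllib.parse import urlparse

# *.run.app is Cloud Run's default service domain and storage.googleapis.com
# serves Cloud Storage buckets; both are Google's public hostnames, not
# indicators taken from the report.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_google_hosted(host: str) -> bool:
    """True for Cloud Run default domains and Cloud Storage bucket URLs."""
    return host.endswith(".run.app") or host == "storage.googleapis.com"


def triage_urls(body: str) -> list[dict]:
    """Return one finding per suspicious URL in an email body, with the
    reasons it was flagged, in the order the URLs appear."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")          # drop sentence punctuation
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if is_google_hosted(host):
            reasons.append("google-hosted-service")
        if parsed.path.lower().endswith(".msi"):
            reasons.append("msi-download")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


# Constructed sample bodies (hypothetical, not real campaign artefacts):
# a tax-agency-themed lure and a benign internal message.
SAMPLE_LURE = (
    "Estimado contribuyente, su comprobante está disponible en "
    "https://comprobante-fiscal-example-abc123.run.app/ver?id=4481. "
    "Descarga directa: https://storage.googleapis.com/example-bucket/comprobante.msi"
)
SAMPLE_BENIGN = "Updated policy: https://intranet.example.com/policies/expenses.pdf"

if __name__ == "__main__":
    for finding in triage_urls(SAMPLE_LURE):
        print(finding)
```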
The Google Cloud Run campaign mainly involves three malware families: Astaroth/Guildma, Mekotio, and Ousaban. "Each is designed to infiltrate systems stealthily, establish persistence, and exfiltrate sensitive financial data that can be used for taking over banking accounts," Talos revealed.
Of the three, Astaroth is considered the most dangerous, as it targets more than 300 institutions across 15 Latin American countries. It has also been observed collecting a variety of credentials related to cryptocurrency and bitcoin accounts.