Security researchers have warned that attackers are abusing Google Cloud Run, a legitimate hosting service rather than a vulnerable one, to distribute banking trojans such as Astaroth, Mekotio, and Ousaban at scale.
Google Cloud Run enables users to deploy various services, websites, or applications without the need to manage infrastructure or worry about scaling efforts.
Since September 2023, Cisco Talos researchers have observed a marked increase in abuse of the service to spread malware, with Brazilian actors running campaigns that use MSI installer files to deliver their payloads. According to the researchers, Google Cloud Run appeals to cybercriminals because it is cheap to operate and because hosting on a trusted Google-owned domain helps the traffic slip past conventional security controls.
The attack methodology typically begins with phishing emails sent to potential victims, disguised to resemble authentic communications such as invoices, financial statements, or messages from local government and tax authorities. While most emails in these campaigns are in Spanish to target Latin American countries, some also use Italian. These emails contain links that redirect to malicious web services hosted on Google Cloud Run.
In some cases the Cloud Run service serves the MSI file directly; in others it redirects to a Google Cloud Storage location hosting a ZIP archive that contains the malicious MSI. When the MSI is run, it downloads and executes additional components and payloads on the victim's system.
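The delivery chain above (a link to a Cloud Run service that either serves an MSI itself or redirects to a ZIP/MSI in Cloud Storage) is something defenders can hunt for in web-proxy logs. The following script is an added example written for this page, not code from the article or from Cisco Talos. It assumes a simple pipe-delimited proxy log format (timestamp, client, method, URL, status, Location header) and uses constructed hostnames and paths; only the domain suffixes `run.app` (Cloud Run) and `storage.googleapis.com` (Cloud Storage) are real.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines for demonstration; the hostnames, buckets and
# file names are invented and are not indicators from the reported campaigns.
# Format: timestamp|client|method|url|status|location ("-" when no Location header)
SAMPLE_PROXY_LOG = """\
2024-02-20T13:01:02Z|10.1.4.22|GET|https://nota-fiscal-4f9a1-uc.a.run.app/visualizar?id=88213|302|https://storage.googleapis.com/docs-2931/NotaFiscal_2024.zip
2024-02-20T13:01:03Z|10.1.4.22|GET|https://storage.googleapis.com/docs-2931/NotaFiscal_2024.zip|200|-
2024-02-20T13:05:10Z|10.1.4.31|GET|https://factura-8c2d2-uc.a.run.app/descargar|200|-
2024-02-20T13:05:11Z|10.1.4.31|GET|https://factura-8c2d2-uc.a.run.app/Factura_Febrero.msi|200|-
2024-02-20T13:07:44Z|10.1.4.57|GET|https://internal-dashboard-3a71b-uc.a.run.app/api/health|200|-
2024-02-20T13:09:00Z|10.1.4.57|GET|https://storage.googleapis.com/public-assets/logo.png|200|-
"""

# Extensions the article says are used for the first-stage payload.
INSTALLER_EXTS = (".msi", ".zip")


def is_cloud_run_host(host: str) -> bool:
    """True for Cloud Run service hostnames, which all end in run.app."""
    host = host.lower()
    return host == "run.app" or host.endswith(".run.app")


def is_gcs_host(host: str) -> bool:
    """True for Cloud Storage hostnames (path-style and bucket-style)."""
    host = host.lower()
    return host == "storage.googleapis.com" or host.endswith(".storage.googleapis.com")


def file_ext(url: str) -> str:
    """Lower-cased extension of the last path segment; the query string is ignored."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def parse_line(line: str):
    """Parse one pipe-delimited record; returns None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    ts, client, method, url, status, location = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status) if status.isdigit() else 0,
            "location": None if location == "-" else location}


def detect_cloud_run_delivery(log_text: str) -> list:
    """Return alerts for Cloud Run -> installer delivery patterns seen in the log."""
    alerts = []
    touched_cloud_run = set()  # clients that contacted a Cloud Run host earlier in the log
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        client = rec["client"]
        if is_cloud_run_host(host):
            touched_cloud_run.add(client)
            loc = rec["location"]
            # Rule 1: Cloud Run service redirects the client to an archive/installer in Cloud Storage.
            if (300 <= rec["status"] < 400 and loc
                    and is_gcs_host(urlsplit(loc).hostname or "")
                    and file_ext(loc) in INSTALLER_EXTS):
                alerts.append({"ts": rec["ts"], "client": client, "url": rec["url"],
                               "rule": "cloud-run-redirect-to-gcs-installer", "payload": loc})
            # Rule 2: Cloud Run service serves the installer itself.
            elif file_ext(rec["url"]) in INSTALLER_EXTS:
                alerts.append({"ts": rec["ts"], "client": client, "url": rec["url"],
                               "rule": "cloud-run-serves-installer", "payload": rec["url"]})
        # Rule 3: installer fetched from Cloud Storage by a client that just visited Cloud Run
        # (catches chains where the proxy does not record the Location header).
        elif (is_gcs_host(host) and file_ext(rec["url"]) in INSTALLER_EXTS
              and client in touched_cloud_run):
            alerts.append({"ts": rec["ts"], "client": client, "url": rec["url"],
                           "rule": "gcs-installer-after-cloud-run", "payload": rec["url"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_cloud_run_delivery(SAMPLE_PROXY_LOG):
        print(f"{alert['ts']} {alert['client']} {alert['rule']}: {alert['payload']}")
```

Both Cloud Run and Cloud Storage host a great deal of legitimate traffic, so these rules are for triage rather than blocking: the health-check and image requests in the sample produce no alert, and a real deployment would add a time window to rule 3 and an allow-list of known business services.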
To persist across reboots, the malware creates LNK shortcut files in the Startup folder, configured to run a PowerShell command that launches the infection script.
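A Startup-folder LNK that points at PowerShell is easy to check for without a Windows box, because the shortcut format (ShellLink) stores the target path and command-line arguments in plain fields. The parser and triage logic below are an added example written for this page, not code from the article or from Cisco Talos, and the "malicious" shortcut it builds is a constructed fixture: the PowerShell arguments in it are typical of hidden-window launchers in general and are not the actual command line used by these campaigns.

```python
import os
import struct

# ShellLink (.lnk) header layout per MS-SHLLINK: 76-byte header, CLSID
# 00021401-0000-0000-C000-000000000046, LinkFlags at offset 20, ShowCommand at 60.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # window starts minimised and never gets focus

# StringData blocks appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Case-insensitive substrings that make a PowerShell launcher worth a second look.
SUSPICIOUS_ARGS = ("-noprofile", "-nop ", "-windowstyle hidden", "-w hidden",
                   "-executionpolicy bypass", "-ep bypass", "-encodedcommand", "-enc ",
                   "iex", "invoke-expression", "downloadstring", "frombase64string")


def _read_string(data: bytes, off: int, unicode: bool):
    """Read one StringData entry: 2-byte char count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        end = off + count * 2
        return data[off:end].decode("utf-16-le"), end
    end = off + count
    return data[off:end].decode("cp1252", errors="replace"), end


def parse_lnk(data: bytes) -> dict:
    """Extract ShowCommand and the StringData fields from a .lnk file."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:      # skip IDList: 2-byte size + items
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:               # skip LinkInfo: 4-byte size includes itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    fields = {"show_command": show_cmd}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            fields[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
        else:
            fields[key] = ""
    return fields


def triage_startup_lnk(fields: dict) -> list:
    """Return human-readable reasons a Startup shortcut looks like a PowerShell launcher."""
    reasons = []
    target = (fields["relative_path"] + " " + fields["working_dir"]).lower()
    args = fields["arguments"].lower()
    if "powershell" in target or "pwsh" in target or "powershell" in args:
        reasons.append("launches PowerShell")
    reasons += [f"argument contains {tok.strip()!r}" for tok in SUSPICIOUS_ARGS if tok in args]
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    return reasons


def scan_folder(folder: str) -> list:
    """Triage every .lnk in a folder; returns (name, reasons) pairs."""
    results = []
    for name in sorted(os.listdir(folder)) if os.path.isdir(folder) else []:
        if name.lower().endswith(".lnk"):
            with open(os.path.join(folder, name), "rb") as fh:
                try:
                    fields = parse_lnk(fh.read())
                except ValueError:
                    continue
            results.append((name, triage_startup_lnk(fields)))
    return results


def build_lnk(relative_path: str, working_dir: str, arguments: str,
              show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Build a minimal Unicode ShellLink (constructed test fixture, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(working_dir) + s(arguments)


if __name__ == "__main__":
    # Constructed launcher shortcut; the arguments are generic, not the campaign's.
    sample = build_lnk(r"..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"C:\Users\Public",
                       r"-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1")
    print("constructed sample:", triage_startup_lnk(parse_lnk(sample)))
    for env, sub in (("APPDATA", r"Microsoft\Windows\Start Menu\Programs\Startup"),
                     ("ProgramData", r"Microsoft\Windows\Start Menu\Programs\StartUp")):
        if env in os.environ:
            for name, reasons in scan_folder(os.path.join(os.environ[env], sub)):
                print(name, reasons or "no findings")
```

On a Windows host the `__main__` block walks both the per-user and all-users Startup folders; elsewhere it only triages the constructed fixture. The parser deliberately stops at the StringData section (it does not walk the LinkTargetIDList), which is enough for this check but means a shortcut whose only target is in the IDList, with no relative path or arguments, reports empty strings rather than the resolved path.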
The campaigns exploiting Google Cloud Run involve three primary banking trojans: Astaroth/Guildma, Mekotio, and Ousaban. Each of these trojans is designed to infiltrate systems covertly, establish persistence, and extract sensitive financial data, which can be utilized for unauthorized access to banking accounts.
Astaroth employs advanced evasion techniques and has expanded its targets beyond Brazil to encompass over 300 financial institutions across 15 Latin American countries. It has recently begun targeting credentials for cryptocurrency exchange services.
Similarly, Mekotio, active for several years, focuses on the Latin American region, specializing in stealing banking credentials, personal information, and executing fraudulent transactions.
Ousaban, another banking trojan, logs keystrokes, captures screenshots, and phishes for banking credentials using counterfeit banking portals. Cisco Talos suggests the operators of Astaroth and Ousaban may be collaborating, because Ousaban is delivered in the later stages of Astaroth's infection chain.
In response to these findings, Google has removed the malicious links and is exploring ways to strengthen its mitigations against this kind of abuse.