Google's Cloud Run Service Spreads Several Bank Trojans

Published: 23/11/2024   Category: security


A surging bank malware campaign abuses Google Cloud Run and targets Latin America, with indications that it's hitting other regions as well, researchers warn.



Researchers flagged a worrying spike in campaigns dropping banking malware by abusing the Google Cloud Run service -- and there are indications it's already spreading beyond its Latin American roots.
Google Cloud Run is a paid service that allows administrators to build on and deploy additional applications and services to Google Cloud from a single platform.
Cisco Talos researchers have observed an uptick in campaigns since September 2023 abusing Google Cloud Run to spread banking Trojans including the Astaroth, Mekotio, and Ousaban strains. The cyber researchers added that overlapping timeframes, storage buckets, and distribution tactics, techniques, and procedures (TTPs) indicate at least some of the campaigns are linked.
Besides the uptick in sheer volume of malicious emails, the researchers note the campaign, initially focused on Latin America, has started to creep into Europe and North America. While most of the phishing emails were written in Spanish, the researchers noted that a number were written in Italian.
The Astaroth variant alone was observed targeting more than 300 institutions across 15 Latin American countries, the Cisco Talos team said, noting that most of the messages were being sent from Brazil.
The cyberattack starts with an email.
In most cases, these emails are being sent using themes related to invoices or financial and tax documents, and sometimes pose as being sent from the local government tax agency in the country being targeted, the Cisco Talos report said. In [one example], the email purports to be from Administración Federal de Ingresos Públicos (AFIP), the local government tax agency in Argentina, a country frequently targeted by recent malspam campaigns.
The emails contain malicious links that lead to threat-actor-controlled Cloud Run web services. In many cases, the Trojan was dropped with a malicious Microsoft Installer directly from the adversarial Google Cloud Run web service.
It is worth noting that attackers are deploying cloaking mechanisms to avoid detection, the Cisco Talos team explained. One of the cloaking approaches observed is using geoplugin. Some Google Cloud Run domains were redirected to a page for checking Proxy and Crawler, and a threat level is given based on the information collected.
The report provides indicators of compromise and mitigation advice.
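The delivery chain described above (phishing link to an attacker-controlled Cloud Run service, an MSI download from it, and a geoplugin lookup used for cloaking) can be hunted for in web-proxy logs. The following is an added detection example, not code from the article or from Cisco Talos; it assumes that Cloud Run services use the default `*.run.app` hostname suffix, that geoplugin lookups go to `geoplugin.net`, and that the proxy log format is the constructed one embedded below (all URLs and hosts in the sample are made up, not real indicators).

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real indicators): timestamp, client, method, URL, status
SAMPLE_PROXY_LOG = """\
2024-11-23T10:01:02Z 10.0.0.12 GET https://factura-afip-12345-uc.a.run.app/descargar/Factura_2024.msi 200
2024-11-23T10:01:05Z 10.0.0.12 GET https://www.example.org/index.html 200
2024-11-23T10:02:10Z 10.0.0.31 GET https://notas-fiscais-98765-rj.a.run.app/ 302
2024-11-23T10:02:11Z 10.0.0.31 GET http://www.geoplugin.net/json.gp 200
2024-11-23T10:05:00Z 10.0.0.44 GET https://cdn.example.com/setup.msi 200
"""

CLOUD_RUN_SUFFIX = ".run.app"  # assumed: default hostname suffix of Cloud Run services
GEO_CLOAKING_HOSTS = {"www.geoplugin.net", "geoplugin.net"}  # assumed: geolocation lookup used for cloaking

# Assumed log format: "<timestamp> <client-ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def classify(url: str) -> list[str]:
    """Return the reasons a single URL matches the campaign pattern (empty list if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host.endswith(CLOUD_RUN_SUFFIX):
        reasons.append("cloud_run_host")
        if parsed.path.lower().endswith(".msi"):
            reasons.append("msi_download")  # MSI served straight from a Cloud Run service
    if host in GEO_CLOAKING_HOSTS:
        reasons.append("geoplugin_lookup")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse proxy log lines and return hits; a geoplugin lookup from a client that
    already visited a Cloud Run host is additionally tagged as likely cloaking."""
    hits = []
    clients_seen_on_cloud_run = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        reasons = classify(m["url"])
        client = m["client"]
        if "cloud_run_host" in reasons:
            clients_seen_on_cloud_run.add(client)
        elif "geoplugin_lookup" in reasons and client in clients_seen_on_cloud_run:
            reasons.append("cloaking_after_cloud_run")
        if reasons:
            hits.append({"client": client, "url": m["url"], "reasons": reasons})
    return hits
```

A bare `*.run.app` hit is only a lead, since the suffix is shared by legitimate services; the MSI download and the geoplugin follow-up are what raise it to an alert worth triaging.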
