Googles Cloud Run Service Spreads Several Bank Trojans

A surging bank malware campaign abuses Google Cloud Run and targets Latin America, with indications that its hitting other regions as well, researchers warn.

Researchers flagged a worrying spike in campaigns dropping banking malware by abusing the Google Cloud Run Service -- and there are indications its already spreading beyond its Latin American roots.
Google Cloud Run is a paid service that allows administrators to build on and deploy additional applications and services to
Google Cloud from a single platform
.
Cisco Talos researchers have observed an uptick in campaigns since September 2023 abusing Google Cloud Run to spread banking Trojans including the Astaroth, Mekiotio, and Ousaban strains. The cyber researchers added that overlapping timeframes, storage buckets, and distribution tactics, techniques, and procedures (TTPs) indicate at least some of the campaigns are linked.
Besides the uptick in sheer volume of malicious emails, the researchers note the campaign, initially focused on Latin America, has started to creep into Europe and North America. While most of the phishing emails were written in Spanish, the researchers noted that a number were written in Italian.
The Astaroth variant alone was observed targeting more than 300 institutions across 15 Latin American countries, the Cisco Talos team said, noting that most of the messages were being sent from Brazil.
The cyberattack starts with an email.
In most cases, these emails are being sent using themes related to invoices or financial and tax documents, and sometimes pose as being sent from the local government tax agency in the country being targeted, the Cisco Talos report said. In [one example], the email purports to be from Administración Federal de Ingresos Públicos (AFIP), the local government tax agency in Argentina, a country frequently targeted by recent malspam campaigns.
The emails contain malicious links that lead to threat actor controlled Cloud Run Web services. In many cases, the Trojan was dropped with a malicious Microsoft Installer directly from the adversarial Google Cloud Run Web service.
It is worth noting that attackers are deploying cloaking mechanisms to avoid detection, Cisco Talos team explained. One of the cloaking approaches observed is using geoplugin. Some Google Cloud Run domains were redirected to a page for checking Proxy and Crawler and a threat level is given based on the information collected.
The report
provides indicators of compromise and mitigation advice.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Googles Cloud Run Service Spreads Several Bank Trojans