Hackers abuse Google Cloud Run in massive banking trojan campaign


Security experts are sounding the alarm as hackers exploit Google Cloud Run to disseminate vast quantities of banking trojans such as Astaroth, Mekotio, and Ousaban. Google Cloud Run, a service enabling users to deploy frontend and backend services without managing infrastructure, has become a prime target for cybercriminals seeking cost-effective and evasive means of malware distribution.

According to Cisco Talos researchers, the surge in malicious activity leveraging Google's service was first detected in September 2023, with Brazilian actors initiating campaigns utilising MSI installer files to deliver malware payloads. The attractiveness of Google Cloud Run to hackers lies in its ability to bypass conventional security measures while remaining economical. The good news is that Google never relents in fixing its security flaws.

The assault typically commences with phishing emails meticulously crafted to mimic legitimate communications, often appearing as invoices, financial statements, or correspondence from local governmental and tax entities. While primarily in Spanish to target Latin American countries, instances of Italian language usage have also been observed.

These deceptive emails contain links redirecting victims to malicious web services hosted on Google Cloud Run. Some instances involve the delivery of payloads via MSI files, while others utilise 302 redirects to Google Cloud Storage locations housing ZIP archives containing malicious MSI files.

Upon execution of the malicious MSI files, additional components and payloads are downloaded and executed on the victim's system. Notably, the second-stage payload delivery exploits the legitimate Windows tool 'BITSAdmin.' The malware then establishes persistence on the system by creating LNK files in the Startup folder, configured to execute a PowerShell command activating the infection script. Unguided networks are easy targets for hackers. Opt for Expert VPN.

The campaign encompasses three prominent banking trojans: Astaroth/Guildma, Mekotio, and Ousaban, each tailored to surreptitiously infiltrate systems, establish persistence, and exfiltrate sensitive financial data for fraudulent activities. Astaroth, initially targeting Brazilian victims, has expanded its scope to over 300 financial institutions across 15 Latin American countries, including cryptocurrency exchange services.

Mekotio, a long-standing threat in the Latin American region, specialises in stealing banking credentials, personal information, and executing fraudulent transactions. It possesses capabilities to manipulate web browsers, redirecting users to phishing sites for further exploitation.

Meanwhile, Ousaban, capable of keylogging, capturing screenshots, and phishing for banking credentials, is often delivered in the later stages of the Astaroth infection chain. This suggests potential collaboration between threat actors or a single entity overseeing both malware families.

In response to inquiries, Google has stated its appreciation for researchers' efforts in identifying and reporting the misuse of Cloud Run. The company has promptly removed the malicious links and is actively enhancing mitigation strategies to combat such nefarious activities.