Researchers have reported a worrying spike in campaigns distributing banking malware by abusing the Google Cloud Run service, and there are indications that the activity is already spreading beyond its Latin American roots.
Google Cloud Run is a paid, fully managed service that lets developers and administrators deploy and run containerized applications and services on Google Cloud from a single platform.
Cisco Talos researchers have observed an increase in campaigns since September 2023 that abuse Google Cloud Run to spread banking Trojans including the Astaroth, Mekotio, and Ousaban strains. The researchers added that the overlap in timing, storage containers, and distribution tactics, techniques, and procedures (TTPs) indicates that at least some of the campaigns are linked.
In addition to the increased volume of malicious emails, the researchers note that the campaign, initially focused on Latin America, has begun to spread to Europe and North America. Although most of the phishing emails were written in Spanish, some were written in Italian.
The Astaroth variant alone was observed targeting more than 300 institutions in 15 Latin American countries, the Cisco Talos team said, noting that most of the messages came from Brazil.
How Google Cloud Run is abused
The cyber attack starts with an email.
“In most cases, these emails are sent using themes related to invoices or financial and tax documents, and sometimes pretend to be sent from the local government tax agency in the targeted country,” the Cisco Talos report states. “In [one example] the email appears to come from the Federal Administration of Public Revenue (AFIP), the local government tax agency in Argentina, a country often targeted by recent spam campaigns.”
The emails contain malicious links that lead to Cloud Run web services controlled by the threat actors. In many cases the Trojan was delivered as a malicious Microsoft Installer (MSI) package served directly from the adversary's Google Cloud Run web service.
“It is worth noting that attackers are implementing cloaking mechanisms to avoid detection,” the Cisco Talos team explained. “One of the observed cloaking approaches uses the geoplugin. Some Google Cloud Run domains have been redirected to a proxy and crawler checking page and are provided a threat level based on the information collected.”
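The delivery pattern described above (a phishing link to an attacker-controlled Cloud Run service that hands out an MSI) is something a defender can hunt for in web proxy logs. The following Python is an added example written for this article; it is not code from the Cisco Talos report or from Google. It relies on one fact not stated in the article, namely that Cloud Run services are served by default under `*.run.app` hostnames (custom domains can be mapped, so those would be missed). The log format, the service names, and the allow-list of known-good internal services are all constructed for the demo.

```python
"""Hunt for Cloud Run-hosted MSI delivery in web proxy logs (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Cloud Run services get default hostnames under *.run.app,
# e.g. https://<service>-<hash>-<region>.a.run.app. A custom domain mapped
# to the service would not match this, so treat a miss as "unknown", not "clean".
CLOUD_RUN_HOST_RE = re.compile(r"(?:^|\.)run\.app$", re.IGNORECASE)

# Windows Installer packages are OLE compound documents and start with this header.
MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MSI_CONTENT_TYPES = {"application/x-msi", "application/x-ole-storage"}

# Hypothetical allow-list of Cloud Run services the organisation itself runs.
KNOWN_GOOD_HOSTS = {"internal-tool-zzzz-uc.a.run.app"}

# Constructed sample proxy log: "timestamp method url status content-type".
SAMPLE_LOG = """\
2024-02-20T10:01:02Z GET https://docs.example.com/invoice.pdf 200 application/pdf
2024-02-20T10:02:11Z GET https://factura-afip-a1b2c3-uc.a.run.app/ 302 text/html
2024-02-20T10:02:12Z GET https://factura-afip-a1b2c3-uc.a.run.app/dl/Comprobante.msi 200 application/x-msi
2024-02-20T10:03:40Z GET https://internal-tool-zzzz-uc.a.run.app/api/health 200 application/json
2024-02-20T10:04:00Z GET https://evilrun.app/x 200 text/html
""".splitlines()


@dataclass
class Finding:
    timestamp: str
    url: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A bare link to a Cloud Run host is only a weak signal; an MSI fetch
        # from one matches the delivery chain in the article and is high.
        return "high" if len(self.reasons) > 1 else "low"


def is_cloud_run_host(host: str) -> bool:
    """True for the default *.run.app hostnames (not for look-alikes such as evilrun.app)."""
    return bool(CLOUD_RUN_HOST_RE.search(host or ""))


def parse_log_line(line: str):
    """Return (timestamp, method, url, status, content_type) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return tuple(parts)


def scan_proxy_log(lines):
    """Flag requests to non-allow-listed Cloud Run hosts; add reasons for MSI indicators."""
    findings = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, _method, url, _status, content_type = parsed
        parsed_url = urlparse(url)
        host = parsed_url.hostname or ""
        if not is_cloud_run_host(host) or host in KNOWN_GOOD_HOSTS:
            continue
        reasons = ["link to default Cloud Run hostname"]
        if parsed_url.path.lower().endswith(".msi"):
            reasons.append("request for .msi path")
        if content_type.lower() in MSI_CONTENT_TYPES:
            reasons.append(f"installer-like content type {content_type}")
        findings.append(Finding(ts, url, reasons))
    return findings


def looks_like_msi(data: bytes) -> bool:
    """Check the first bytes of a downloaded payload for the Windows Installer header."""
    return data[: len(MSI_MAGIC)] == MSI_MAGIC


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f.severity, f.timestamp, f.url, "; ".join(f.reasons))
```

Because the campaign cloaks its landing pages (the geoplugin check and the proxy and crawler checking page quoted above), a sandbox or scanner egressing from a data-center range may be served a harmless page. When triaging a flagged `run.app` link, fetch it from an egress that matches the targeted victim's country, or rely on what the proxy actually logged for the user's own request, and inspect the bytes with `looks_like_msi` rather than trusting the reported content type.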
The report provides indicators of compromise and mitigation recommendations.