Hackers abuse Google Cloud Run to distribute banking Trojans

Cisco Talos specialists discovered that since September 2023, hackers have been abusing the Google Cloud Run service to distribute the banking Trojans Astaroth, Mekotio and Ousaban at scale.

According to the researchers, Google Cloud Run has recently become attractive to cybercriminals because of its low cost and because traffic to it tends to pass through standard security blocklists and filters.

Typically, attacks begin with phishing emails disguised as genuine messages about bills, financial statements, or messages from local government and tax authorities. Most of the emails in the campaign studied by experts were written in Spanish, as the attacks were aimed at users from Latin American countries.


The hackers’ emails contain links that redirect potential victims to malicious web services hosted on Google Cloud Run. In some cases, the payload is delivered directly through MSI files, and in others, the service issues a 302 redirect to Google Cloud Storage, where the ZIP archive with the MSI file is stored.

If the victim runs the malicious MSI file, additional components and payloads are downloaded and executed on the system using the Windows BITSAdmin tool. The malware then establishes persistence by placing LNK files (sysupdates.setup<random_string>.lnk) in the Startup folder, each configured to execute a PowerShell command that launches an AutoIt script.
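As an added illustration (not Talos's tooling and not code from the article), the following Python script shows how a defender might hunt for the two stages of this chain: the Cloud Run delivery in proxy logs (a direct MSI download, or a 302 redirect into Cloud Storage for a ZIP/MSI) and the sysupdates.setup<random_string>.lnk persistence in a Startup folder. The proxy log format, the example service names, the use of *.run.app and storage.googleapis.com to recognise Cloud Run and Cloud Storage, and the AutoIt invocation pattern (AutoIt3.exe / .a3x) are assumptions made for the example; the log lines and shortcut records are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumptions (not from the article): Cloud Run services are served from
# *.run.app hostnames and Cloud Storage objects from storage.googleapis.com.
CLOUD_RUN_SUFFIX = ".run.app"
CLOUD_STORAGE_HOST = "storage.googleapis.com"
PAYLOAD_EXTS = (".zip", ".msi")

# Persistence artefact named in the write-up: sysupdates.setup<random_string>.lnk
LNK_NAME_RE = re.compile(r"^sysupdates\.setup.*\.lnk$", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)
# Assumption: the AutoIt stage shows up as the interpreter name or a compiled .a3x script.
AUTOIT_RE = re.compile(r"autoit|\.a3x\b", re.IGNORECASE)


@dataclass
class ProxyEvent:
    ts: str
    src_ip: str
    url: str
    status: int
    location: str  # Location header on redirects, "-" otherwise


def parse_proxy_line(line: str) -> ProxyEvent:
    """Constructed format: '<ts> <src_ip> <method> <url> <status> <location>'."""
    ts, src_ip, _method, url, status, location = line.split()
    return ProxyEvent(ts, src_ip, url, int(status), location)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def find_cloud_run_delivery(lines):
    """Flag Cloud Run requests that hand out an MSI directly or 302 into Cloud Storage for a ZIP/MSI."""
    hits = []
    for line in lines:
        ev = parse_proxy_line(line)
        if not host_of(ev.url).endswith(CLOUD_RUN_SUFFIX):
            continue
        if ev.status == 200 and urlsplit(ev.url).path.lower().endswith(".msi"):
            hits.append((ev.src_ip, "direct-msi", ev.url))
        elif (ev.status == 302
              and host_of(ev.location) == CLOUD_STORAGE_HOST
              and urlsplit(ev.location).path.lower().endswith(PAYLOAD_EXTS)):
            hits.append((ev.src_ip, "redirect-to-storage", ev.location))
    return hits


@dataclass
class StartupShortcut:
    name: str       # file name inside the Startup folder
    target: str     # resolved shortcut target
    arguments: str  # shortcut arguments


def assess_startup_shortcut(sc: StartupShortcut):
    """Return the reasons a Startup-folder shortcut looks like this persistence, or [] if none."""
    reasons = []
    if LNK_NAME_RE.match(sc.name):
        reasons.append("name matches sysupdates.setup*.lnk")
    if POWERSHELL_RE.search(sc.target):
        reasons.append("shortcut launches PowerShell")
        if AUTOIT_RE.search(sc.arguments):
            reasons.append("PowerShell command references an AutoIt script")
    return reasons


def find_suspicious_shortcuts(shortcuts):
    flagged = {}
    for sc in shortcuts:
        reasons = assess_startup_shortcut(sc)
        if reasons:
            flagged[sc.name] = reasons
    return flagged


# Constructed sample data: two malicious deliveries, one benign Cloud Run call.
PROXY_LOG = [
    "2023-09-12T10:01:05Z 10.0.0.15 GET https://factura-sept-abc123-uc.a.run.app/factura.msi 200 -",
    "2023-09-12T10:03:40Z 10.0.0.22 GET https://comprobante-x7y9-uc.a.run.app/ 302 https://storage.googleapis.com/bkt-demo/comprobante.zip",
    "2023-09-12T10:04:01Z 10.0.0.22 GET https://storage.googleapis.com/bkt-demo/comprobante.zip 200 -",
    "2023-09-12T10:05:13Z 10.0.0.31 GET https://internal-api-demo-uc.a.run.app/health 200 -",
]
STARTUP_SHORTCUTS = [
    StartupShortcut("OneDrive.lnk", r"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "/background"),
    StartupShortcut("sysupdates.setupk3f9q2.lnk",
                    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"-c C:\Users\Public\upd\AutoIt3.exe C:\Users\Public\upd\update.a3x"),
    StartupShortcut("Teams.lnk", r"C:\Program Files\Teams\Teams.exe", ""),
]

if __name__ == "__main__":
    for hit in find_cloud_run_delivery(PROXY_LOG):
        print("delivery:", hit)
    for name, reasons in find_suspicious_shortcuts(STARTUP_SHORTCUTS).items():
        print("persistence:", name, reasons)
```

On a real endpoint the shortcut records would come from resolving each .lnk in the per-user and all-users Startup folders; the log check is deliberately host-based rather than IP-based, since Cloud Run and Cloud Storage share Google address space with legitimate services.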

This campaign uses three banking Trojans: Astaroth (aka Guildma), Mekotio, and Ousaban. Each of them is designed to surreptitiously penetrate a system and steal confidential financial data, which can then be used to seize other people’s bank accounts.


Astaroth initially targeted only Brazilian users, but the banking Trojan now targets more than 300 financial institutions in 15 Latin American countries. The researchers also note that the malware has recently added the collection of credentials for cryptocurrency services. Using keylogging, screen capture, and clipboard monitoring, Astaroth not only steals sensitive data but is also able to intercept and manipulate traffic to obtain banking credentials.

Mekotio has also been active for several years and is focused on the Latin American region. The Trojan steals banking details and personal data and carries out fraudulent transactions. In addition, it is capable of manipulating victims’ browsers and redirecting them to phishing sites.

Ousaban is another banking Trojan that can intercept keystrokes, take screenshots, and harvest victims’ banking details through fake banking portals. The researchers write that Ousaban is delivered at a later stage of the Astaroth infection chain, which suggests that the operators of these malware families collaborate or that the same group is behind both bankers.
