Banking Trojans Exploit Google Cloud Run to Target Latin America and Europe

Cybersecurity Alert: Surge in Phishing Attacks Utilizing Google Cloud Services to Distribute Banking Trojans

In a concerning trend, cybersecurity experts have detected a significant increase in email phishing campaigns employing Google Cloud Run to spread various banking trojans across Latin America and Europe. Notable trojans such as Astaroth, Mekotio, and Ousaban are being delivered through this platform, which is typically viewed as a legitimate service for application deployment.

Cisco Talos researchers revealed that the infection chains associated with these malware families leverage malicious Microsoft Installer (MSI) files. These MSIs act as droppers or downloaders, eventually leading to the installation of the final malware payload. The distribution campaigns, observed since September 2023, all use the same Google Cloud storage bucket, which suggests a link between the cybercriminals behind these operations.

Google Cloud Run, a managed computing platform, lets customers deploy and run applications without managing the underlying infrastructure. The malicious use of this service has raised alarms, as it gives attackers an affordable and effective distribution channel that many organizations do not actively monitor. The majority of phishing messages are traced back to systems in Brazil, with additional sources in the United States, Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain, and Bangladesh. These emails often claim to relate to invoices or financial documents, sometimes impersonating local government tax agencies.

Embedded within the phishing emails are links that redirect recipients to URLs hosted on run[.]app. This ultimately leads to the delivery of ZIP archives containing the malicious MSI files, either directly or through a series of 302 redirects. The tactics employed by these threat actors also involve geofencing techniques to evade detection, redirecting U.S. visitors to legitimate websites when accessing the compromised URLs.
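The delivery chain described above (a link to a run.app host, a series of 302 redirects, and a ZIP archive at the end) is something a defender can hunt for in web proxy logs. The following script is an added example written for this page; it is not code from Cisco Talos or from the article, and the log format, field names and all hostnames (the `.invalid` domains) are constructed for the demonstration. It reconstructs redirect chains per client, starting from any request to a Cloud Run host, and flags chains that terminate in a ZIP or MSI download. It also includes a constructed geofenced case, where the run.app URL redirects to a benign site, to show that such a visitor produces no alert.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original article).
# Format assumed here: timestamp client method url status location
SAMPLE_LOG = """\
2023-09-14T10:01:02Z 10.0.0.5 GET https://invoice-notice-abcd.a.run.app/doc 302 https://cdn-example.invalid/step2
2023-09-14T10:01:03Z 10.0.0.5 GET https://cdn-example.invalid/step2 302 https://files-example.invalid/fatura.zip
2023-09-14T10:01:04Z 10.0.0.5 GET https://files-example.invalid/fatura.zip 200 -
2023-09-14T10:05:00Z 10.0.0.9 GET https://legit-app-1234.a.run.app/api/health 200 -
2023-09-14T10:07:11Z 10.0.0.12 GET https://tax-portal-xyz.a.run.app/ 302 https://www.example-gov.invalid/
2023-09-14T10:07:12Z 10.0.0.12 GET https://www.example-gov.invalid/ 200 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+)$"
)
REDIRECT_CODES = {301, 302, 303, 307, 308}
PAYLOAD_EXTENSIONS = (".zip", ".msi")  # archive and installer types named in the report


def parse_log(text):
    """Parse the constructed log format into a list of request records."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def is_cloud_run_host(url):
    """True when the URL's host is run.app or any subdomain of it."""
    host = urlparse(url).hostname or ""
    return host == "run.app" or host.endswith(".run.app")


def follow_chain(records, start_index):
    """Follow redirect hops from one request by matching the Location header
    against the same client's later requests. Returns the list of URLs visited."""
    current = records[start_index]
    client = current["client"]
    chain = [current["url"]]
    seen = set()
    pos = start_index
    while current["status"] in REDIRECT_CODES and current["location"] != "-":
        target = current["location"]
        if target in seen:  # redirect loop: stop rather than spin
            break
        seen.add(target)
        chain.append(target)
        nxt = None
        for j in range(pos + 1, len(records)):
            r = records[j]
            if r["client"] == client and r["url"] == target:
                nxt, pos = r, j
                break
        if nxt is None:  # client never fetched the next hop; chain ends here
            break
        current = nxt
    return chain


def find_suspicious_chains(text):
    """Flag redirect chains that start at a Cloud Run host and end in a
    ZIP/MSI download. Chains that end on an ordinary page are not flagged."""
    records = parse_log(text)
    findings = []
    for idx, rec in enumerate(records):
        if not is_cloud_run_host(rec["url"]):
            continue
        chain = follow_chain(records, idx)
        final_path = urlparse(chain[-1]).path.lower()
        if final_path.endswith(PAYLOAD_EXTENSIONS):
            findings.append({"client": rec["client"], "chain": chain, "payload": chain[-1]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_LOG):
        print(f["client"], " -> ".join(f["chain"]))
```

Only the first client is reported: its run.app request leads through one intermediate hop to a ZIP archive. The third client, which stands in for a geofenced visitor redirected to a legitimate site, produces no finding, so the absence of alerts from a given egress address says nothing about whether the URL is malicious for other regions. Blocking run.app wholesale is not the answer either, since the second client's traffic is a legitimate application on the same platform; the redirect-to-archive pattern, not the hosting domain, is the signal.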

All three trojans—Astaroth, Mekotio, and Ousaban—specifically target financial institutions, monitoring users’ online activities, logging keystrokes, and capturing screenshots when banking websites are accessed. Ousaban has demonstrated a pattern of leveraging cloud services, having used platforms like Amazon S3 and Microsoft Azure for downloading payloads in the past.

This alarming spike in phishing activities coincides with the deployment of other malicious software families, such as DCRat and Remcos RAT, which are capable of harvesting sensitive data and taking control of compromised devices. Moreover, new tactics incorporating QR codes in phishing emails (termed “quishing”) have emerged, enticing potential victims to install malware on their mobile devices.

In a related development, the oil and gas sector has become a lucrative target, with attackers deploying an information stealer called Rhadamanthys. This malware capitalizes on phishing emails that use fictitious vehicle incident reports to lure victims into clicking links that redirect to compromised sites, ultimately delivering malicious payloads.

Using tools like Twilio’s SendGrid for email marketing, attackers can effectively bypass traditional security measures, sending convincing phishing emails without clear indicators of compromise. This method underscores the growing availability of phishing kits and services that democratize cybercrime, making such attacks increasingly accessible and sophisticated.

As businesses grapple with the evolving threat landscape, understanding the tactics and techniques identified in the MITRE ATT&CK framework is critical. The tactics employed in these phishing schemes include initial access through social engineering, persistence via the installation of malware, and efforts to evade detection. It is vital for organizations to adopt robust cybersecurity measures to mitigate these risks and protect sensitive information from rising threats.
