Banking Trojans Target Latin America and Europe via Google Cloud Run


Cybersecurity researchers warn of a spike in email phishing campaigns that weaponize the Google Cloud Run service to deliver various banking Trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali) to targets in Latin America (LATAM) and Europe.

“The infection chains associated with these malware families utilize malicious Microsoft Installers (MSIs) that act as droppers or downloaders for the final malware payload(s),” Cisco Talos researchers revealed last week.

The large-scale malware distribution campaigns observed since September 2023 use the same storage bucket within Google Cloud for distribution, indicating possible links between the threat actors behind the distribution campaigns.

Google Cloud Run is a managed computing platform allowing users to run frontend and backend services, run jobs in batches, deploy websites and applications, and process queued workloads without having to manage or scale infrastructure.

“Adversaries may see Google Cloud Run as a cheap but effective way to deploy distribution infrastructure on platforms where most organizations are unlikely to have access to internal systems,” the researchers said.

The majority of systems used to send phishing messages originate in Brazil, followed by the US, Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain and Bangladesh. The emails have themes related to invoices or financial and tax documents, in some cases claiming to be from local tax authorities.


These messages contain links to a website hosted on Run[.]app, resulting in the delivery of a ZIP archive containing a malicious MSI file directly or via 302 redirects to a Google Cloud Storage location, where the installer is stored.

It has also been observed that the threat actors try to evade detection using geofencing tricks by redirecting visitors to these URLs to a legitimate site like Google when they visit it with a US IP address.
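As an added example (not part of the article or the Talos report), a small Python check over constructed proxy log lines that flags the chain described above: a request to a run.app host answered with a 302 to a Google Cloud Storage archive, plus the geofenced bounce to Google that a US-based sandbox would see instead of the payload. Hostnames, bucket and file names in the sample log are constructed.

```python
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the Talos report):
# client_ip method url status redirect_location
SAMPLE_LOG = """\
10.0.0.5 GET https://fatura-abc123-uc.a.run.app/nf 302 https://storage.googleapis.com/bucket-x/nf.zip
10.0.0.5 GET https://storage.googleapis.com/bucket-x/nf.zip 200 -
10.0.0.7 GET https://docs.example.org/report.pdf 200 -
10.0.0.9 GET https://aviso-def456-ew.a.run.app/doc 302 https://www.google.com/
"""

ARCHIVE_EXT = (".zip", ".msi")

def is_run_app(host):
    return host.endswith(".run.app")

def classify(client_ip, url, status, location):
    """Return (severity, reason) for one request, or None if unremarkable."""
    host = urlparse(url).hostname or ""
    loc = urlparse(location) if location != "-" else None
    if is_run_app(host) and status == 302 and loc is not None:
        loc_host = loc.hostname or ""
        # Cloud Run landing page redirecting to a GCS-hosted ZIP/MSI: the delivery pattern in the report
        if loc_host == "storage.googleapis.com" and loc.path.lower().endswith(ARCHIVE_EXT):
            return ("high", f"{client_ip}: Cloud Run host {host} redirected to GCS archive {loc.path}")
        # Bounce to Google: consistent with the geofencing trick, so a US sandbox verdict is not conclusive
        if loc_host.endswith("google.com"):
            return ("medium", f"{client_ip}: Cloud Run host {host} bounced to Google; possible geofence, re-check from a non-US egress")
    # Archive served directly from the Cloud Run host without a redirect
    if is_run_app(host) and status == 200 and urlparse(url).path.lower().endswith(ARCHIVE_EXT):
        return ("high", f"{client_ip}: direct archive download from Cloud Run host {host}")
    return None

def scan(log_text):
    """Run classify() over every well-formed log line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        client_ip, _method, url, status, location = parts
        hit = classify(client_ip, url, int(status), location)
        if hit:
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for sev, reason in scan(SAMPLE_LOG):
        print(sev.upper(), reason)
```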

In addition to using the same infrastructure to deliver both Mekotio and Astaroth, the infection chain associated with the latter acts as a conduit for Ousaban’s distribution.

Astaroth, Mekotio, and Ousaban are all designed to single out financial institutions, monitor users’ web browsing activity, record keystrokes, and take screenshots when any of the targeted banks’ websites are open.

Ousaban has a history of weaponizing cloud services to its advantage, as it had previously used Amazon S3 and Microsoft Azure to download second-stage payloads, and Google Docs to retrieve the command-and-control (C2) configuration.

The development comes amid phishing campaigns spreading malware families such as DCRat, Remcos RAT, and DarkVNC, which are capable of collecting sensitive data and taking control of compromised hosts.

It also follows an increase in the number of threat actors deploying QR codes in phishing and email-based attacks (also known as quishing) to trick potential victims into installing malware on their mobile devices.


“In a separate attack, adversaries sent spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that ultimately steal the user’s credentials when entered,” Talos said.

“QR code attacks are particularly dangerous because they move the attack vector from a protected computer to the target’s personal mobile device, which typically has fewer security measures and ultimately holds the sensitive information attackers are after.”

Phishing campaigns have also set their eyes on the oil and gas sector to deploy an information thief called Rhadamanthys, which has currently reached version 0.6.0 and has a steady stream of patches and updates by its developers.

“The campaign begins with a phishing email using a vehicle incident report to trick victims into interacting with an embedded link that exploits an open redirect on a legitimate domain, primarily Google Maps or Google Images,” Cofense said.


Users who click the link are then redirected to a website that hosts a fake PDF file, which is actually a clickable image that contacts a GitHub repository and downloads a ZIP archive containing the stealer’s executable.

“Once a victim attempts to interact with the executable, the malware will unzip and establish a connection to a command-and-control (C2) location that collects any stolen credentials, cryptocurrency wallets, or other sensitive information,” the company added.

Other campaigns have taken advantage of email marketing tools such as Twilio’s SendGrid to obtain customer mailing lists and exploit stolen credentials to send convincing-looking phishing emails, Kaspersky said.

“What makes this campaign particularly treacherous is that the phishing emails bypass traditional security measures,” the Russian cybersecurity company noted. “Because they are sent via a legitimate service and do not contain obvious signs of phishing, they can evade detection by automatic filters.”

These phishing activities are further fueled by the easy availability of phishing kits such as Greatness and Tycoon, which have become a cost-effective and scalable means for aspiring cybercriminals to launch malicious campaigns.

“Tycoon Group [phishing-as-a-service] is sold and marketed through Telegram for as little as $120,” Trustwave SpiderLabs researcher Rodel Mendrez said last week, noting that the service was first established around August 2023.

“Key selling features include the ability to bypass Microsoft two-factor authentication, achieve ‘top-level link speed’ and leverage Cloudflare to bypass anti-bot measures, ensuring the persistence of undetected phishing links.”
