Convenient cloud hosting also means big financial losses.
Analysts warn that in recent years attackers have repeatedly abused the Google Cloud Run service to mass-distribute banking Trojans such as Astaroth, Mekotio and Ousaban.
Google Cloud Run lets users deploy frontend and backend services, websites or applications and run workloads without having to manage infrastructure or scaling themselves.
Researchers from Cisco Talos noticed a sharp increase in attackers' use of the Google service to distribute malware starting in September 2023. At that time, Brazilian threat actors launched campaigns that sent out MSI installers to deliver malicious payloads.
According to the experts, Google Cloud Run has become an attractive platform for cybercriminals because it is cheap and because traffic to it tends to pass standard security tools unchallenged.
Attack mechanism
Attacks begin with phishing emails sent to potential victims. The emails are carefully crafted: they are indistinguishable from genuine bank checks, financial reports and notifications from government agencies.
According to the researchers, most of the emails are in Spanish, since they target Latin America, though some are in Italian. The emails contain links that redirect victims to malicious web services hosted on Google Cloud Run.
In some cases the malware is delivered directly as an MSI file. In other cases the Cloud Run service issues a 302 redirect to a Google Cloud Storage location that hosts a ZIP archive containing the malicious MSI.
When the MSI file is executed, additional Trojan components are downloaded and installed. The second stage is fetched using the legitimate Windows BITSAdmin tool.
Finally, the malware establishes persistence on the victim's system by placing LNK files in the startup folder. These shortcuts are configured to run a PowerShell command that executes a malicious script.
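The delivery chain described above (a Cloud Run service answering with a 302 to a Cloud Storage ZIP or MSI) is the kind of pattern a proxy-log detection can catch. The following is an added defender-side example, not code from the article or from Cisco Talos; the log layout (timestamp, client, method, URL, status, Location) and all hosts, buckets and client addresses in the sample are constructed, and the hostname conventions assumed are `*.run.app` for Cloud Run and `storage.googleapis.com` for Cloud Storage.

```python
from urllib.parse import urlparse

# Assumed hosting conventions: Cloud Run services live under *.run.app,
# Cloud Storage objects under storage.googleapis.com.
CLOUD_RUN_SUFFIX = ".run.app"
CLOUD_STORAGE_HOST = "storage.googleapis.com"
DROPPER_EXTENSIONS = (".zip", ".msi")

# Constructed sample proxy log (hypothetical hosts/clients, not real indicators).
# Fields: timestamp client method url status location ("-" when absent).
SAMPLE_LOG = """\
2023-09-14T10:01:02Z 10.0.0.5 GET https://factura-7f3a-uc.a.run.app/aviso 302 https://storage.googleapis.com/example-bucket/factura.zip
2023-09-14T10:01:03Z 10.0.0.5 GET https://storage.googleapis.com/example-bucket/factura.zip 200 -
2023-09-14T10:05:00Z 10.0.0.7 GET https://docs.example.com/report.pdf 200 -
2023-09-14T10:06:00Z 10.0.0.9 GET https://api-1234-uc.a.run.app/health 200 -
2023-09-14T10:07:00Z 10.0.0.9 GET https://shop-9b2c-ew.a.run.app/cart 302 https://shop-9b2c-ew.a.run.app/cart/
2023-09-14T10:08:00Z 10.0.0.11 GET https://pago-c0de-uc.a.run.app/dl 302 https://storage.googleapis.com/example-bucket/setup.msi
"""


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, location = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "location": None if location == "-" else location}


def is_dropper_redirect(event):
    """True when a *.run.app service 302-redirects to a Cloud Storage ZIP/MSI."""
    if event["status"] != "302" or not event["location"]:
        return False
    src = urlparse(event["url"])
    dst = urlparse(event["location"])
    return ((src.hostname or "").endswith(CLOUD_RUN_SUFFIX)
            and dst.hostname == CLOUD_STORAGE_HOST
            and dst.path.lower().endswith(DROPPER_EXTENSIONS))


def find_dropper_chains(log_text):
    """Return (client, cloud_run_url, storage_url) for every matching redirect."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and is_dropper_redirect(event):
            hits.append((event["client"], event["url"], event["location"]))
    return hits


if __name__ == "__main__":
    for client, src, dst in find_dropper_chains(SAMPLE_LOG):
        print(f"{client}: {src} -> {dst}")
```

Benign Cloud Run traffic (the health check and the same-host redirect in the sample) is not flagged; only the redirect from a Cloud Run host to a Cloud Storage archive or installer is.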
Malware Details
The campaigns feature three banking Trojans: Astaroth/Guildma, Mekotio and Ousaban. Each is designed to covertly compromise systems, maintain persistence, and steal confidential information used to break into victims' bank accounts.
Astaroth uses advanced detection-evasion techniques. Initially focused on Brazil, it now targets more than 300 financial institutions in 15 Latin American countries. Recently the Trojan has also started collecting data that gives access to cryptocurrency exchange services.
Using keylogging and screen and clipboard capture, Astaroth not only steals confidential data but also monitors Internet traffic to harvest usernames and passwords for bank accounts.
Mekotio has likewise been active for several years and is aimed at Latin America. It compromises bank accounts and carries out illegal transactions, and frequently uses phishing links to deceive users.
The Ousaban Trojan also relies on phishing and on account hijacking via fake banking portals. Cisco Talos notes that Ousaban is delivered at a later stage of the Astaroth attack, which suggests that the operators of the two families may be linked or may even be the same person.
Google representatives thanked the researchers for their work and promised to strengthen security measures: "We have removed suspicious links and are exploring options for strengthening protection to prevent such malicious activity in the future."