Security researchers have identified a concerning trend wherein hackers are leveraging Google Cloud Run, a platform that allows users to deploy frontend and backend services, to distribute banking trojans like Astaroth, Mekotio, and Ousaban. Cisco Talos researchers have observed a significant increase in the misuse of Google’s service for malware distribution, particularly since September 2023. The attackers have been employing various tactics, including phishing emails with malicious links, to target potential victims, primarily in Latin American countries.
These phishing emails are crafted to appear legitimate, often masquerading as invoices, financial statements, or communications from local government and tax agencies. Most of the emails in these campaigns are in Spanish, reflecting the targeted countries in Latin America, although there are instances of Italian-language emails as well. Upon clicking the malicious links, victims are redirected to web services hosted on Google Cloud Run, where they encounter further malware payloads, sometimes delivered via MSI files or redirects to Google Cloud Storage locations.
The banking trojans deployed in these campaigns, namely Astaroth, Mekotio, and Ousaban, are designed to stealthily infiltrate systems, establish persistence, and steal sensitive financial data. Astaroth, known for its advanced evasion techniques, has expanded its target range beyond Brazil to over 300 financial institutions across 15 Latin American countries. Similarly, Mekotio focuses on stealing banking credentials and performing fraudulent transactions, while Ousaban specializes in keylogging, screen capture, and phishing for banking credentials using fake banking portals.
The collaboration observed between threat actors behind Astaroth and Ousaban, as indicated by the latter being delivered in later stages of the former’s infection chain, suggests a coordinated effort or a single threat actor managing both malware families. Despite the severity of these threats, there has been no clear response from Google regarding measures to counter this malicious activity, leaving security experts concerned about the ongoing risk posed by these banking trojans distributed via Google Cloud Run.
