Google's Cloud Run Service Spreads Several Bank Trojans

Researchers flagged a worrying spike in campaigns dropping banking malware by abusing the Google Cloud Run Service -- and there are indications it's already spreading beyond its Latin American roots.

Google Cloud Run is a paid service that allows administrators to build on and deploy additional applications and services to Google Cloud from a single platform.

Cisco Talos researchers have observed an uptick in campaigns since September 2023 abusing Google Cloud Run to spread banking Trojans including the Astaroth, Mekiotio, and Ousaban strains. The cyber researchers added that overlapping timeframes, storage buckets, and distribution tactics, techniques, and procedures (TTPs) indicate at least some of the campaigns are linked.

Besides the uptick in sheer volume of malicious emails, the researchers note the campaign, initially focused on Latin America, has started to creep into Europe and North America. While most of the phishing emails were written in Spanish, the researchers noted that a number were written in Italian.

The Astaroth variant alone was observed targeting more than 300 institutions across 15 Latin American countries, the Cisco Talos team said, noting that most of the messages were being sent from Brazil.

How Google Cloud Run Is Abused

The cyberattack starts with an email.

"In most cases, these emails are being sent using themes related to invoices or financial and tax documents, and sometimes pose as being sent from the local government tax agency in the country being targeted," the Cisco Talos report said. "In [one example], the email purports to be from Administración Federal de Ingresos Públicos (AFIP), the local government tax agency in Argentina, a country frequently targeted by recent malspam campaigns."

The emails contain malicious links that lead to threat actor controlled Cloud Run Web services. In many cases, the Trojan was dropped with a malicious Microsoft Installer directly from the adversarial Google Cloud Run Web service.

"It is worth noting that attackers are deploying cloaking mechanisms to avoid detection," Cisco Talos team explained. "One of the cloaking approaches observed is using geoplugin. Some Google Cloud Run domains were redirected to a page for checking Proxy and Crawler and a threat level is given based on the information collected."

The report provides indicators of compromise and mitigation advice.