A surging bank malware campaign abuses Google Cloud Run and targets Latin America, with indications that it's hitting other regions as well, researchers warn.

Dark Reading Staff, Dark Reading

February 20, 2024

[Image: Google Cloud logo on smartphone screen. Source: SOPA Images via Alamy Stock Photo]

Researchers flagged a worrying spike in campaigns dropping banking malware by abusing the Google Cloud Run Service -- and there are indications it's already spreading beyond its Latin American roots.

Google Cloud Run is a paid service that allows administrators to build on and deploy additional applications and services to Google Cloud from a single platform.

Cisco Talos researchers have observed an uptick in campaigns since September 2023 abusing Google Cloud Run to spread banking Trojans including the Astaroth, Mekotio, and Ousaban strains. The researchers added that overlapping timeframes, storage buckets, and distribution tactics, techniques, and procedures (TTPs) indicate at least some of the campaigns are linked.

Besides the uptick in sheer volume of malicious emails, the researchers note the campaign, initially focused on Latin America, has started to creep into Europe and North America. While most of the phishing emails were written in Spanish, the researchers noted that a number were written in Italian.

The Astaroth variant alone was observed targeting more than 300 institutions across 15 Latin American countries, the Cisco Talos team said, noting that most of the messages were being sent from Brazil.

How Google Cloud Run Is Abused

The cyberattack starts with an email.

"In most cases, these emails are being sent using themes related to invoices or financial and tax documents, and sometimes pose as being sent from the local government tax agency in the country being targeted," the Cisco Talos report said. "In [one example], the email purports to be from Administración Federal de Ingresos Públicos (AFIP), the local government tax agency in Argentina, a country frequently targeted by recent malspam campaigns."

The emails contain malicious links that lead to threat actor-controlled Cloud Run Web services. In many cases, the Trojan was dropped as a malicious Microsoft Installer (MSI) package served directly from the adversary's Google Cloud Run Web service.

"It is worth noting that attackers are deploying cloaking mechanisms to avoid detection," the Cisco Talos team explained. "One of the cloaking approaches observed is using geoplugin. Some Google Cloud Run domains were redirected to a page for checking Proxy and Crawler and a threat level is given based on the information collected."
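Because the cloaked landing pages may serve harmless content to automated URL scanners, a defender gets more mileage from triaging the delivery pattern described above (a financial or tax lure that links to a Cloud Run-hosted service or to an MSI download) than from fetching the page. The following is an added example written for this page, not code from Cisco Talos or Dark Reading. It assumes that Cloud Run services are reachable on the run.app default domain; the sample emails, hostnames and lure keywords are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample messages (not from the report). Hostnames are invented.
SAMPLE_EMAILS = [
    {"subject": "Factura pendiente de pago",
     "body": "Descargue su factura: https://facturas-a1b2c3d4e5-uc.a.run.app/descargar"},
    {"subject": "Weekly newsletter",
     "body": "Read more at https://example.org/news"},
    {"subject": "Comprobante AFIP",
     "body": "Ver comprobante http://comprobantes-xyz.run.app/file.msi y otro https://example.com/x"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Lure vocabulary for invoice / tax themed phishing (constructed list, extend per region).
LURE_KEYWORDS = ("factura", "invoice", "impuesto", "tax", "comprobante", "afip")
# Assumption: Cloud Run services are served under the run.app default domain.
CLOUD_RUN_SUFFIX = ".run.app"


@dataclass
class Finding:
    subject: str
    url: str
    reasons: list = field(default_factory=list)


def is_cloud_run_host(host: str) -> bool:
    """True if the host is run.app itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return host == "run.app" or host.endswith(CLOUD_RUN_SUFFIX)


def triage_email(subject: str, body: str) -> list:
    """Return one Finding per suspicious link in a single message.

    A link is suspicious if it points at a Cloud Run default domain or at an
    .msi file; if the message also carries financial/tax lure wording, that is
    recorded as an additional reason so analysts can prioritise.
    """
    findings = []
    text = f"{subject} {body}".lower()
    lure_hits = [k for k in LURE_KEYWORDS if k in text]
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if is_cloud_run_host(host):
            reasons.append("link to Cloud Run default domain")
        if parsed.path.lower().endswith(".msi"):
            reasons.append("link to MSI installer")
        if reasons and lure_hits:
            reasons.append("financial/tax lure keywords: " + ", ".join(lure_hits))
        if reasons:
            findings.append(Finding(subject, url, reasons))
    return findings


def triage_all(emails: list) -> list:
    """Run triage_email over a batch of {"subject", "body"} dicts."""
    results = []
    for msg in emails:
        results.extend(triage_email(msg["subject"], msg["body"]))
    return results


if __name__ == "__main__":
    for f in triage_all(SAMPLE_EMAILS):
        print(f.subject, "->", f.url, "|", "; ".join(f.reasons))
```

Treat the output as a triage signal rather than a block rule: plenty of legitimate services also run on run.app, so the value is in surfacing the lure-plus-Cloud-Run combination for an analyst, and in recording the link itself before any cloaking logic on the far end decides what to show.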

The report provides indicators of compromise and mitigation advice.
