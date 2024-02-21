



Researchers said there has been an alarming spike in campaigns exploiting Google Cloud Run Service to drop banking malware, and there are signs that the attacks are already spreading beyond their Latin American roots.

Google Cloud Run is a paid service that allows administrators to build and deploy additional applications and services to Google Cloud from a single platform.

Cisco Talos researchers have observed an increase in campaigns abusing Google Cloud Run to spread banking Trojans such as Astaroth, Mekotio, and Ousaban since September 2023. The researchers added that overlapping time frames, storage buckets, and delivery tactics, techniques, and procedures (TTPs) indicate that at least some of the campaigns are linked.

In addition to the huge increase in the volume of malicious emails, researchers note that the campaign, initially focused on Latin America, has also begun to creep into Europe and North America. Most of the phishing emails were written in Spanish, but many were written in Italian, the researchers noted.

The Astaroth variant alone was observed targeting over 300 institutions in 15 countries in Latin America, with most of the messages coming from Brazil, according to the Cisco Talos team.

How Google Cloud Run can be exploited

The attacks start with email.

“These emails are almost always sent using themes related to invoices and financial/tax documents, and may even be disguised as if sent by local government tax authorities in the targeted country,” the Cisco Talos report said. “In [one example], the email purports to come from the Administración Federal de Ingresos Públicos (AFIP), Argentina's municipal tax office, which has often been the target of recent malspam campaigns.”

The email contains a malicious link that directs the recipient to a Cloud Run web service controlled by the threat actor. The Trojan was often dropped directly from the attacker-controlled Google Cloud Run web service in the form of a malicious Microsoft Installer (MSI) package.

“It is noteworthy that attackers are deploying cloaking mechanisms to avoid detection,” the Cisco Talos team explained. “One of the cloaking techniques observed is the use of geoplugins. Some Google Cloud Run domains are redirected to a page that checks for proxies and crawlers, and the threat level determined from the information collected is then shown.”
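As an added defensive illustration (not code from the Talos report or this article), the following Python scans constructed web-proxy log lines for the chain described above: a client being redirected on a Cloud Run host and then downloading an MSI from the same host. It assumes Cloud Run services are served under *.run.app and a simple space-separated log format; the hostnames and addresses are made up.

```python
import re
from urllib.parse import urlparse

# Constructed web-proxy log lines for illustration (not from the Talos report).
# Fields: timestamp client method url status content-type
SAMPLE_LOG = """\
2024-02-20T10:01:02Z 10.0.0.12 GET https://factura-afip-a1b2c3-uc.a.run.app/ 302 text/html
2024-02-20T10:01:03Z 10.0.0.12 GET https://factura-afip-a1b2c3-uc.a.run.app/descarga 200 application/x-msi
2024-02-20T10:05:44Z 10.0.0.33 GET https://files.example.com/report.pdf 200 application/pdf
2024-02-20T10:07:10Z 10.0.0.41 GET https://internal-tool-x9y8z7-ew.a.run.app/api/health 200 application/json
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
REDIRECTS = {301, 302, 303, 307, 308}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype.lower()}


def is_cloud_run(url):
    """True if the URL's host is a Cloud Run service (assumed: *.run.app)."""
    host = urlparse(url).hostname or ""
    return host == "run.app" or host.endswith(".run.app")


def find_msi_drops(log_text):
    """Return one alert per successful MSI download from a Cloud Run host.
    redirect_seen is True when the same client was redirected by that host
    earlier, matching the cloaking page / redirect behaviour in the report."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    for e in events:
        if not is_cloud_run(e["url"]) or e["status"] != 200:
            continue
        host = urlparse(e["url"]).hostname
        path = urlparse(e["url"]).path.lower()
        if e["ctype"] == "application/x-msi" or path.endswith(".msi"):
            redirected = any(p["client"] == e["client"] and p["status"] in REDIRECTS
                             and urlparse(p["url"]).hostname == host and p["ts"] < e["ts"]
                             for p in events)
            alerts.append({"client": e["client"], "host": host, "redirect_seen": redirected})
    return alerts


if __name__ == "__main__":
    for alert in find_msi_drops(SAMPLE_LOG):
        print(alert)
```

The health-check request to a legitimate Cloud Run service is not flagged, so the rule keys on the MSI download rather than on Cloud Run traffic in general.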

The full Cisco Talos report provides indicators of compromise and mitigation advice.

