Skip to content Skip to footer

Banking trojans are focusing on Latin America and Europe using Google Cloud Run as their platform of choice.

Cybersecurity researchers have recently warned about a significant rise in email phishing campaigns utilizing the Cloud Run service to propagate various banking trojans across Latin America (LATAM) and Europe. The trojans include Astaroth (also known as Guildma), Mekotio, and Ousaban (also known as Javali), delivered to selected targets. Cisco Talos researchers have disclosed that the infection chains associated with these malware families use malicious Microsoft Installers (MSIs) that work as droppers or downloaders for the final malware payload(s). The high-volume malware distribution campaigns have been observed since September 2023 and have employed the same storage bucket within Cloud for propagation, suggesting potential links between the threat actors behind the distribution campaigns.

Cloud Run is a fully managed compute platform that enables its users to run frontend and backend services, deploy websites and applications, batch jobs, and queue processing workloads without the need to manage or scale the infrastructure. Adversaries may view Cloud Run as an inexpensive yet effective way to deploy distribution infrastructure on platforms that most organizations likely do not prevent internal systems from accessing, as per the researchers.

Most of the systems used to send phishing messages originate from Brazil, followed by the U.S., Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain, and Bangladesh. The emails bear themes related to invoices or financial and tax documents, sometimes purporting to be from local government tax agencies. Embedded within these messages are links to a website hosted on run[.]app, resulting in the delivery of a ZIP archive containing a malicious MSI file directly or via 302 redirects to a Cloud Storage location, where the installer is stored.

The threat actors have also been observed attempting to evade detection using geofencing tricks by redirecting visitors to these URLs to a legitimate site like when accessing them with a U.S. IP address. Besides leveraging the same infrastructure to deliver Mekotio and Astaroth, the infection chain associated with the latter acts as a conduit to distribute Ousaban.

Astaroth, Mekotio, and Ousaban are all designed to single out financial institutions, keeping tabs on users' web browsing activity, logging keystrokes, and taking screenshots should one of the target bank websites be open. Ousaban has a history of weaponizing cloud services to its advantage, having previously employed Amazon S3 and Microsoft Azure to download second-stage payloads and Docs to retrieve command-and-control (C2) configuration.

These phishing campaigns come amid a rise in malware families such as DCRat, Remcos RAT, and DarkVNC, which are capable of harvesting sensitive data and taking control of compromised hosts. It also follows an uptick in threat actors deploying QR codes in phishing and email-based attacks (aka quishing) to trick potential victims into installing malware on their mobile devices.

In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user's login credentials when entered. QR code attacks are hazardous because they move the attack vector of a protected computer onto the target's mobile device, which usually has fewer security protections and ultimately has the sensitive information that attackers are after.

Phishing campaigns have also set their sights on the oil and gas sector to deploy an information stealer called Rhadamanthys, which has reached version 0.6.0, highlighting a steady stream of patches and updates by its developers. The campaign begins with a phishing email using a vehicle incident report to lure victims into interacting with an embedded link that abuses an open redirect on a legitimate domain, primarily Maps or . Users who click on the link are then redirected to a website hosting a bogus PDF file, which, in reality, is a clickable image that contacts a GitHub repository and downloads a ZIP archive containing the stealer executable.

Once a victim attempts to interact with the executable, the malware will unpack and start a connection with a command-and-control (C2) location that collects any stolen credentials, cryptocurrency wallets, or other sensitive information. Other campaigns have abused email marketing tools like Twilio's SendGrid to obtain client mailing lists and use stolen credentials to send out convincing-looking phishing emails. This campaign is particularly insidious because the phishing emails bypass traditional security measures. Since they are sent through a legitimate service and contain no apparent signs of phishing, they may evade detection by automatic filters.

The easy availability of phishing kits such as Greatness and Ty further fuels phishing activities.

Leave a comment

Newsletter Signup

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

There is no right and wrong. There's only fun and boring.The Plague

Deitasoft © 2024. All Rights Reserved.