February 20, 2024 at 03:54PM
Researchers have identified a concerning increase in the abuse of Google Cloud Run to distribute banking malware. The campaigns have expanded beyond Latin America, and Cisco Talos has noted an uptick in such attacks since September 2023. Malicious emails carry links to attacker-controlled Cloud Run web services that deliver banking Trojans; the attacks are spreading beyond their original targets and use cloaking to evade detection.
Key takeaways:
– Use of Google Cloud Run to spread banking malware has increased significantly, primarily targeting Latin America, with signs of expansion to Europe and North America.
– The campaign uses phishing emails, often posing as financial or tax-related documents, and employs cloaking mechanisms to evade detection.
– The Astaroth, Mekotio, and Ousaban banking Trojans have been distributed this way; the Astaroth variant alone targets over 300 institutions across 15 Latin American countries.
Cisco Talos has published indicators of compromise and mitigation advice for these threats. The team should review those indicators and take the necessary steps to mitigate the risk from these campaigns: review and, where needed, strengthen email security controls, train employees to recognise phishing emails, and add detection and blocking for malicious links and installers.
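One concrete detection layer for the "malicious links" point above is to surface email links that resolve to Cloud Run hosts, so they can be triaged against the published indicators. The script below is an added example written for this summary; it is not code from Cisco Talos or from the article. It assumes (general knowledge, not stated on the page) that Cloud Run services are reachable under hostnames ending in `.run.app`; the installer extension list and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption (general knowledge, not from the page): Cloud Run service
# hostnames end in ".run.app".
CLOUD_RUN_SUFFIX = ".run.app"
# Constructed list of extensions that commonly carry a dropper or installer
# in phishing lures; tune it to what your gateway actually sees.
INSTALLER_EXTENSIONS = (".msi", ".exe", ".zip", ".iso", ".js", ".vbs", ".lnk")
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs found in a message body, trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;:)]'\"") for m in URL_PATTERN.finditer(text)]


def assess_url(url):
    """Return a list of reasons a URL deserves review (empty if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []
    if host.endswith(CLOUD_RUN_SUFFIX):
        reasons.append("cloud-run-host")
        # A Cloud Run link that ends in an installer extension is the
        # pattern the campaign summary describes: link -> installer -> Trojan.
        if path.endswith(INSTALLER_EXTENSIONS):
            reasons.append("installer-path")
    return reasons


def scan_messages(messages):
    """messages: iterable of (message_id, body). Returns (id, url, reasons) for flagged links."""
    findings = []
    for message_id, body in messages:
        for url in extract_urls(body):
            reasons = assess_url(url)
            if reasons:
                findings.append((message_id, url, reasons))
    return findings


# Constructed sample messages; hostnames and paths are made up, not real IoCs.
SAMPLE_MESSAGES = [
    ("msg-001",
     "Your tax document is ready. Download it here: "
     "https://doc-fiscal-1234-uc.a.run.app/comprovante.msi."),
    ("msg-002",
     "The agenda is at https://intranet.example.com/agenda/2024-02-20"),
    ("msg-003",
     "Status page: https://status-dashboard-5678-ew.a.run.app/"),
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding)
```

Cloud Run also hosts plenty of legitimate services, so treat `cloud-run-host` on its own as a triage signal to correlate with the Talos indicators, and reserve automatic blocking for links that also carry `installer-path` or match a published indicator.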