Banking Trojans Target Latin America and Europe Through Google Cloud Run

February 26, 2024 at 05:15AM

Cybersecurity researchers are cautioning about a surge in email phishing campaigns utilizing Google Cloud Run to distribute banking trojans Astaroth, Mekotio, and Ousaban. Malware distribution campaigns using the same Google Cloud storage bucket have been observed since September 2023. Phishing activities are further facilitated by the availability of phishing kits like Greatness and Tycoon.

Email phishing campaigns that leverage the Google Cloud Run service to distribute banking trojans across Latin America and Europe have increased significantly. The attackers use malicious Microsoft Installer (MSI) packages as droppers or downloaders for the final malware payloads. The campaigns have been observed since September 2023 and share the same Google Cloud storage bucket for propagation.

The phishing messages originate from various countries, with a majority originating from Brazil, followed by the U.S., Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain, and Bangladesh. The emails typically bear themes related to invoices or financial and tax documents.

The attackers employ geofencing to evade detection: when a phishing URL is requested from a U.S. IP address, the visitor is redirected to a legitimate site such as Google, so scanners and sandboxes that fetch the URL from a U.S. egress point see only a benign redirect. The same infrastructure is used to distribute multiple malware families, and once installed the trojans target customers of financial institutions by monitoring their web browsing and logging keystrokes.
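The two observable traits described above, MSI payloads served from Cloud Run hosts and responses that differ by the requester's country, are the kind of thing a mail gateway or URL sandbox can be made to check. The following is an added example for this summary, not code from the original article or from the researchers it reports on: the newline-delimited JSON log format, its field names and every sample line are constructed for illustration, and the hostnames in them are invented. It relies on one external fact, that Google Cloud Run services are served under the `run.app` domain by default.

```python
"""Two checks over constructed URL-sandbox log lines.

Added example; not code from the article or from the researchers it cites.
The log format, field names and all sample lines are constructed.  Assumed
external fact: Cloud Run services live under the run.app domain by default.
"""
import json
from collections import defaultdict
from urllib.parse import urlparse

CLOUD_RUN_SUFFIX = ".run.app"           # default Cloud Run service domain
MSI_CONTENT_TYPE = "application/x-msi"  # Windows Installer MIME type
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed log: one fetch per line of a URL seen in e-mail, made from a
# given egress country.  Hostnames are invented; this is not real infrastructure.
SAMPLE_LOG = """
{"url": "https://invoice-2024-abc123-uc.a.run.app/fatura.msi", "egress_country": "US", "status": 302, "location": "https://www.google.com/", "content_type": ""}
{"url": "https://invoice-2024-abc123-uc.a.run.app/fatura.msi", "egress_country": "BR", "status": 200, "location": "", "content_type": "application/x-msi"}
{"url": "https://docs.example.org/tax-statement.pdf", "egress_country": "BR", "status": 200, "location": "", "content_type": "application/pdf"}
{"url": "https://cdn.example.net/setup.msi", "egress_country": "BR", "status": 200, "location": "", "content_type": "application/x-msi"}
not a json line
"""


def parse_log(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole scan
    return records


def is_cloud_run_host(hostname):
    """True for a service hostname under run.app (not for e.g. evilrun.app)."""
    host = (hostname or "").lower().rstrip(".")
    return host.endswith(CLOUD_RUN_SUFFIX)


def is_google_host(hostname):
    host = (hostname or "").lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def is_msi_delivery(record):
    """A successful response carrying an MSI, by extension or MIME type."""
    path = urlparse(record.get("url", "")).path.lower()
    ctype = (record.get("content_type") or "").split(";")[0].strip().lower()
    return record.get("status") == 200 and (path.endswith(".msi") or ctype == MSI_CONTENT_TYPE)


def cloud_run_msi_hits(records):
    """Fetches that actually downloaded an MSI from a Cloud Run host."""
    return [r for r in records
            if is_cloud_run_host(urlparse(r.get("url", "")).hostname) and is_msi_delivery(r)]


def geofenced_urls(records):
    """URLs that sent a US vantage point to Google but served an MSI elsewhere.

    This is the evasion pattern the article describes; a single fetch from
    a US egress would have classified these URLs as harmless.
    """
    by_url = defaultdict(list)
    for r in records:
        by_url[r.get("url", "")].append(r)
    suspects = []
    for url, fetches in by_url.items():
        benign_from_us = any(
            f.get("egress_country") == "US"
            and f.get("status") in REDIRECT_CODES
            and is_google_host(urlparse(f.get("location") or "").hostname)
            for f in fetches)
        payload_elsewhere = any(
            f.get("egress_country") != "US" and is_msi_delivery(f) for f in fetches)
        if benign_from_us and payload_elsewhere:
            suspects.append(url)
    return sorted(suspects)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in cloud_run_msi_hits(recs):
        print("Cloud Run MSI download:", hit["url"], "from", hit["egress_country"])
    for url in geofenced_urls(recs):
        print("geofenced URL:", url)
```

The second check only works if the same URL is fetched from at least two egress countries; a sandbox with only U.S. exit points will log the redirect, conclude the link is clean, and never see the installer.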

In addition to Google Cloud Run, threat actors have historically leveraged other cloud services such as Amazon S3, Microsoft Azure, and Google Docs to download payloads and retrieve command-and-control (C2) configuration.

Researchers have also observed phishing campaigns that use QR codes to trick victims into installing malware on their mobile devices. These attacks are particularly dangerous because they move the attack onto the target's personal phone, which usually has fewer security controls than a managed workstation.

Phishing campaigns have also targeted the oil and gas sector to deploy an information stealer called Rhadamanthys. Phishing activities are further supported by the easy availability of phishing kits such as Greatness and Tycoon, making malicious campaigns a cost-effective and scalable means for cybercriminals.

Organizations should treat these campaigns as an active threat and adjust their controls accordingly: scrutinize MSI downloads served from cloud hosting platforms, and bear in mind that URL checks made from a U.S. egress point may see only the benign redirect rather than the payload.
