

Rewterz Threat Alert – North Korean APT Kimsuky Aka Black Banshee – Active IOCs
February 26, 2024
Rewterz Threat Advisory – Multiple Microsoft Products Vulnerabilities
February 26, 2024
Severity
High
Analysis Summary
A recent spike in phishing emails has been observed abusing the Google Cloud Run service to distribute several banking trojans, including Mekotio, Astaroth (aka Guildma), and Ousaban (aka Javali), mainly against targets in Europe and Latin America (LATAM).
The infection chains linked with these malware families usually rely on malicious Microsoft Installers (MSIs) that act as downloaders or droppers for the final payloads. These high-volume distribution campaigns have been observed since September 2023 and use the same Google Cloud storage bucket to spread the malware, which suggests possible links between the threat actors behind the distribution campaigns.
Google Cloud Run is a platform for running backend and frontend services, deploying websites and applications, and executing batch jobs and queue-processing workloads without manually scaling or managing the underlying infrastructure. Attackers likely see Google Cloud Run as a cheap but effective way to host distribution infrastructure on a platform that most organizations do not block from their internal systems.
“The language distribution of the emails observed across these campaigns also demonstrates a strong focus on LATAM with the overwhelming majority of emails being sent in Spanish. Lower-volume activity also appears to be targeting Italian-speaking victims,” said the researchers.
Most of the phishing emails originate from Brazil, followed by the U.S., Mexico, Russia, Argentina, South Africa, Ecuador, Spain, France, and Bangladesh. The emails use lures related to financial and tax documents or invoices and, in some cases, impersonate local government tax agencies. The messages embed links to a website that, through 302 redirects to a Google Cloud Storage location, delivers a ZIP archive carrying a malicious MSI.
The cybercriminals also attempt to evade detection by geofencing these URLs, redirecting some visitors to a legitimate site such as Google instead. Besides sharing infrastructure to deliver both Astaroth and Mekotio, the Mekotio infection chain also acts as a conduit for distributing Ousaban. All three malware families are built specifically to target financial institutions: they track the user's web browsing activity and take screenshots and log keystrokes when any of the targeted bank websites is visited.
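The delivery chain described above (a lure site answering with 302 redirects that end at a ZIP hosted on Google Cloud, with geofenced visitors sent to Google instead) can be hunted for in web proxy logs. The following detection heuristic is an added example written for this advisory, not Rewterz's own tooling: it groups proxy records per client, follows each 302 chain hop by hop, and raises an alert only when the chain starts outside Google and ends in an archive served from Google Cloud Storage or Cloud Run. The advisory names those services but no hostnames, so the `storage.googleapis.com` and `run.app` patterns, the pipe-separated record format, and the sample records (including the `lure.example` host and `bucket-placeholder` bucket) are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# The advisory names Google Cloud Storage and Google Cloud Run but no hostnames; using
# Google's default domains for those services here is an assumption, and the pattern
# should be tuned to what your own proxy actually records.
CLOUD_HOST_RE = re.compile(r"(^|\.)(storage\.googleapis\.com|run\.app)$")
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}


def parse_line(line: str) -> dict:
    """Parse one constructed proxy record: ts|client|method|url|status|content_type|location."""
    ts, client, method, url, status, ctype, location = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method, "url": url,
            "host": (urlparse(url).hostname or "").lower(), "status": int(status),
            "ctype": ctype.lower(), "location": location}


def is_cloud_host(host: str) -> bool:
    """True for the assumed Google Cloud Storage / Cloud Run default domains and their subdomains."""
    return bool(CLOUD_HOST_RE.search(host.lower()))


def looks_like_archive(event: dict) -> bool:
    """Treat a ZIP content type or a .zip path as the archive stage of the chain."""
    return event["ctype"] in ARCHIVE_TYPES or urlparse(event["url"]).path.lower().endswith(".zip")


def find_redirect_chains(lines, window=timedelta(minutes=5)) -> list:
    """Flag clients that follow a 302 chain from a non-Google site to an archive on Google Cloud."""
    by_client = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_line(line)
            by_client[event["client"]].append(event)
    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        consumed = set()  # indices already attributed to an earlier chain
        for i, start in enumerate(events):
            if i in consumed or start["status"] != 302 or is_cloud_host(start["host"]):
                continue
            chain, hop, j = [start["url"]], start, i
            # Follow Location headers hop by hop while the client keeps requesting them.
            while hop["status"] == 302:
                j = next((k for k in range(j + 1, len(events))
                          if events[k]["url"] == hop["location"]
                          and events[k]["ts"] - start["ts"] <= window), None)
                if j is None:
                    break
                consumed.add(j)
                hop = events[j]
                chain.append(hop["url"])
            if hop is start or hop["status"] != 200:
                continue  # redirect never followed, or the chain did not end in a served object
            if is_cloud_host(hop["host"]) and looks_like_archive(hop):
                alerts.append({"client": client, "chain": chain, "download": hop["url"],
                               "ts": hop["ts"].isoformat()})
    return alerts


# Constructed proxy records illustrating the chain described in the advisory (not real traffic).
# Client 10.0.0.7 follows the full chain; 10.0.0.9 is the geofenced visitor sent to Google;
# 10.0.0.5 fetches an ordinary object from the same cloud host and must not alert.
SAMPLE_PROXY_LOG = [
    "2024-02-26T09:12:00|10.0.0.7|GET|http://lure.example/factura|302|text/html|https://lure.example/dl",
    "2024-02-26T09:12:01|10.0.0.7|GET|https://lure.example/dl|302|text/html|https://storage.googleapis.com/bucket-placeholder/factura.zip",
    "2024-02-26T09:12:02|10.0.0.7|GET|https://storage.googleapis.com/bucket-placeholder/factura.zip|200|application/zip|",
    "2024-02-26T09:15:00|10.0.0.9|GET|http://lure.example/factura|302|text/html|https://www.google.com/",
    "2024-02-26T09:15:01|10.0.0.9|GET|https://www.google.com/|200|text/html|",
    "2024-02-26T09:20:00|10.0.0.5|GET|https://storage.googleapis.com/bucket-placeholder/report.pdf|200|application/pdf|",
]

if __name__ == "__main__":
    for alert in find_redirect_chains(SAMPLE_PROXY_LOG):
        print(alert["ts"], alert["client"], " -> ".join(alert["chain"]))
```

The geofenced visitor deliberately produces no alert: a redirect to Google is exactly what the attackers want defenders to see, so the rule keys on the archive at the end of the chain rather than on the redirect itself. The five-minute window and the consumed-index set keep a single long chain from being reported once per hop.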

The development follows phishing campaigns spreading malware families such as Remcos RAT, DCRAT, and DarkVNC, which can steal sensitive data and take full control of infected systems. It also follows a rise in attackers embedding QR codes in phishing emails (aka quishing) to lure unsuspecting users into downloading malware onto their mobile devices.
Recently, phishing campaigns have focused on the oil and gas industry to spread Rhadamanthys, an information stealer that has now reached version 0.6.0, showing that its developers update it regularly. The campaign's initial access vector is a phishing email that uses a vehicle incident report lure to trick users into clicking an embedded link, which exploits an open redirect on a legitimate domain, usually Google Images or Google Maps.
All of this phishing activity is fueled further by the easy availability of phishing kits such as Tycoon and Greatness, which give threat actors a scalable and cost-effective way to launch campaigns. For example, the Tycoon phishing-as-a-service offering is marketed and sold via Telegram for as little as $120. Its main selling points include bypassing Microsoft two-factor authentication and using Cloudflare to evade anti-bot detection, helping phishing links persist undetected.
Impact
- Sensitive Data Theft
- Financial Loss
- Keylogging
Indicators of Compromise
MD5
- 6c523a8c0c12191123be41c80afc239a
- 499dc2cc8da0538636d189cc9aa693d7
- 3719d4fcd00c79edb7264d5745a13b49
- 159aa77a900be29de6d71d003f328ea4
- 8ddc64a6e8c98f816fa7876b0fe90fb3
- 7dc660a5e7b1697ad4a481215a45872f
- 9b4388ace3ebe6df4b447535dd06d1d9
- 96d2979532eb0a61b25d517188187d80
- 15a536317e1241ed81d6deadc5afc0c4
SHA-256
- ed9f268ba7acdcbaeedd40a5c538c6a2637fd41a546363ed7587a6c2e5cdf02b
- b8afd6640de8feed1774e8db3d428c0f1bca023324bb7de9a5eb99db2ea84e26
- 8d912a99076f0bdc4fcd6e76c51a1d598339c1502086a4381f5ef67520a0ddf2
- 094e722972e6e4d2858dd2447d30c7025e7446f4ca60a7dc5a711f906ab5b1a0
- 1a9113491deb9f21c590de4f7e9e370594e47431be482b32f8a5234ad7545a0b
- 05ef393f6e6d3f8e1ba15eec63a1c2121744400d322a03c9c8e26c1ed58cb6a7
- 6d7148b180367e84763690fc57cbd526433026f50dc0c029b00a714ba1660cd3
- b45d8630d54c8d39e3554e0c5a71003d818617e07953520a8638f0935f04dc85
- 6e1434e0f8cd402f8acb0aade942c86d6b62cd6aa3927053f25fdf57ed384b47
SHA-1
- d3925a250fa96e9cd9a678d4b980525da2143ee6
- 3b62bbbfb760a9521dd5084028adf63bfe0819b8
- 19e724fab8080e566c307403fd67e52f667d2da1
- b7e9b9e09b493fd477df4af869a4ee3cfa085f97
- 793c4e0112d1ad1f48a30b6b903a4702e3b97d2c
- e5e9934de782ed3f32ab9eddef2aa808fc30f521
- 0327420e16e0bd8276e28afbc118a59e7604b3c3
- 899a1a983dc1db81a03fc411997c89d2d95f9bac
- 54b5dbd3619ce44d61d79c7ae2bf09c7109fc94c
Domain Name
- xwago.creativeplus.my.id
- wae4w.mariomanagement.biz.id
- h4aowa.mariostrategy.my.id
- yaiinr.actiongroup.my.id
- caiiaf.businesswise.biz.id
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Keep operating systems and software up to date as banking trojans often exploit vulnerabilities in software and operating systems. Keeping these up to date can help prevent vulnerabilities from being exploited.
- Implement strong password policies: banking malware often relies on stolen login credentials to access sensitive information. Implementing strong password policies and multifactor authentication can make it more difficult for attackers to gain access.
- Provide regular security awareness training for employees that can help them recognize phishing emails and other types of social engineering attacks that are commonly used to spread banking malware.
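The first two remediation steps (block the indicators, then search your environment for them) are easy to act on with the hashes and domains listed in the Indicators of Compromise section. The script below is an added example, not Rewterz's tooling: it embeds the advisory's MD5, SHA-1, SHA-256 and domain IOCs, hashes files on disk in chunks and reports any match, and scans DNS or proxy log lines for the IOC domains, counting subdomains of a listed domain as hits as well. The DNS log lines and the `hash_bytes`/`find_domain_hits` helper names are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the advisory's "Indicators of Compromise" section.
IOC_MD5 = set("""
6c523a8c0c12191123be41c80afc239a 499dc2cc8da0538636d189cc9aa693d7 3719d4fcd00c79edb7264d5745a13b49
159aa77a900be29de6d71d003f328ea4 8ddc64a6e8c98f816fa7876b0fe90fb3 7dc660a5e7b1697ad4a481215a45872f
9b4388ace3ebe6df4b447535dd06d1d9 96d2979532eb0a61b25d517188187d80 15a536317e1241ed81d6deadc5afc0c4
""".split())
IOC_SHA1 = set("""
d3925a250fa96e9cd9a678d4b980525da2143ee6 3b62bbbfb760a9521dd5084028adf63bfe0819b8
19e724fab8080e566c307403fd67e52f667d2da1 b7e9b9e09b493fd477df4af869a4ee3cfa085f97
793c4e0112d1ad1f48a30b6b903a4702e3b97d2c e5e9934de782ed3f32ab9eddef2aa808fc30f521
0327420e16e0bd8276e28afbc118a59e7604b3c3 899a1a983dc1db81a03fc411997c89d2d95f9bac
54b5dbd3619ce44d61d79c7ae2bf09c7109fc94c
""".split())
IOC_SHA256 = set("""
ed9f268ba7acdcbaeedd40a5c538c6a2637fd41a546363ed7587a6c2e5cdf02b
b8afd6640de8feed1774e8db3d428c0f1bca023324bb7de9a5eb99db2ea84e26
8d912a99076f0bdc4fcd6e76c51a1d598339c1502086a4381f5ef67520a0ddf2
094e722972e6e4d2858dd2447d30c7025e7446f4ca60a7dc5a711f906ab5b1a0
1a9113491deb9f21c590de4f7e9e370594e47431be482b32f8a5234ad7545a0b
05ef393f6e6d3f8e1ba15eec63a1c2121744400d322a03c9c8e26c1ed58cb6a7
6d7148b180367e84763690fc57cbd526433026f50dc0c029b00a714ba1660cd3
b45d8630d54c8d39e3554e0c5a71003d818617e07953520a8638f0935f04dc85
6e1434e0f8cd402f8acb0aade942c86d6b62cd6aa3927053f25fdf57ed384b47
""".split())
IOC_DOMAINS = set("""
xwago.creativeplus.my.id wae4w.mariomanagement.biz.id h4aowa.mariostrategy.my.id
yaiinr.actiongroup.my.id caiiaf.businesswise.biz.id
""".split())
IOC_HASHES = {"md5": IOC_MD5, "sha1": IOC_SHA1, "sha256": IOC_SHA256}


def hash_bytes(data: bytes) -> dict:
    """Return the three digests the advisory lists, as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in IOC_HASHES}


def hash_file(path) -> dict:
    """Hash a file in 1 MiB chunks so large downloads do not need to fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_hashes(digests: dict) -> set:
    """Return the (algorithm, digest) pairs that appear in the advisory's IOC lists."""
    return {(algo, d.lower()) for algo, d in digests.items()
            if d.lower() in IOC_HASHES.get(algo, set())}


def scan_directory(root) -> list:
    """Walk a directory tree and report every file whose hash matches an IOC."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            for algo, digest in sorted(match_hashes(hash_file(path))):
                hits.append((str(path), algo, digest))
    return hits


# Hostname-like tokens in a log line; IP addresses do not match because the last label must be letters.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def host_matches_ioc(host: str):
    """Return the matching IOC domain when host is it or one of its subdomains, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def find_domain_hits(lines) -> list:
    """Return (line_number, hostname, ioc_domain) for each log line naming an IOC domain."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            ioc = host_matches_ioc(host)
            if ioc:
                hits.append((number, host, ioc))
    return hits


# Constructed DNS query log lines for demonstration; not taken from any real environment.
SAMPLE_DNS_LOG = [
    "2024-02-26T10:00:01Z client=10.0.0.5 query=www.example.com type=A",
    "2024-02-26T10:00:03Z client=10.0.0.7 query=xwago.creativeplus.my.id type=A",
    "2024-02-26T10:00:04Z client=10.0.0.7 query=cdn.caiiaf.businesswise.biz.id type=A",
    "2024-02-26T10:00:09Z client=10.0.0.9 query=mail.example.org type=MX",
]

if __name__ == "__main__":
    for hit in find_domain_hits(SAMPLE_DNS_LOG):
        print("DNS hit on line %d: %s matches IOC %s" % hit)
    for hit in scan_directory("."):
        print("File hit: %s %s=%s" % hit)
```

Run it against a download directory or mail quarantine with `scan_directory`, and feed exported DNS or proxy logs to `find_domain_hits`; hash matching is exact, so it only catches the specific samples listed, while the domain check also catches new hostnames under the listed domains.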