July 23, 2024
Severity
High
Analysis Summary
A financially motivated threat actor based in Latin America, codenamed FLUXROOT, has been exploiting Google Cloud serverless projects to conduct credential phishing campaigns.
According to Google's biannual Threat Horizons Report, this abuse of cloud computing services highlights the appeal of serverless architectures for both developers and cybercriminals due to their flexibility, cost-effectiveness, and ease of use. Threat actors use these services to deliver and communicate with malware, host phishing pages, and execute malicious scripts tailored for serverless environments.
FLUXROOT's campaign specifically leveraged Google Cloud container URLs to host phishing pages aimed at harvesting login credentials for Mercado Pago, a popular online payments platform in the LATAM region. Known for distributing the Grandoreiro banking trojan, FLUXROOT has also utilized other legitimate cloud services such as Microsoft Azure and Dropbox in recent malware distribution campaigns. This trend underscores the growing exploitation of reputable cloud platforms by cybercriminals to enhance their attack vectors.
In a related case, another adversary identified as PINEAPPLE has weaponized Google's cloud infrastructure to propagate the Astaroth (also known as Guildma) stealer malware targeting Brazilian users. PINEAPPLE created container URLs on legitimate Google Cloud serverless domains to host landing pages that redirected victims to malicious sites. The group also attempted to bypass email gateway protections by routing messages through mail forwarding services and manipulating email authentication mechanisms to evade detection.
Google has responded to these threats by taking down the malicious Google Cloud projects and updating its Safe Browsing lists to mitigate the activity. The weaponization of cloud services by threat actors continues to evolve, driven by the increased adoption of cloud technologies across industries. This trend allows cybercriminals to blend their activities with normal network operations, complicating detection and defense efforts. The adaptability and ease of deployment of serverless platforms remain significant advantages for both legitimate and malicious uses, necessitating continuous vigilance and adaptive security measures.
Impact
- Code Execution
- Credential Theft
- Security Bypass
Remediation
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy.
- Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
- Implement network segmentation to limit lateral movement for attackers within the network.
- Implement advanced email filtering to detect and block phishing emails.
- Employ updated and robust endpoint protection solutions to detect and block malware.
- Develop and test an incident response plan to ensure a swift and effective response to security incidents.
- Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Regularly back up critical data and ensure backup and recovery procedures are in place.
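As an added example (not part of the original advisory), the following Python triage function shows the kind of check an email filtering or logging pipeline can apply to the techniques described in the analysis: failed SPF/DKIM/DMARC verdicts, a Return-Path domain that differs from the From domain (typical of mail routed through a forwarding service), and links pointing at serverless hosting domains. The domain watchlist, the sample message and all hostnames in it are constructed assumptions; the advisory itself names only "Google Cloud serverless domains".

```python
import re
from email import message_from_string
from email.message import Message

# Assumed watchlist of serverless hosting domains; adjust to your environment.
SERVERLESS_DOMAINS = ("run.app", "cloudfunctions.net")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample message (hostnames and addresses are invented for the example).
SAMPLE = """From: Payments Team <notify@example-bank.test>
Return-Path: <bounce@forwarder.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=forwarder.example; dkim=none; dmarc=fail
Subject: Confirm your account
Content-Type: text/plain

Confirm your details at https://payments-abc123-uc.a.run.app/login
"""

def _domain(addr: str) -> str:
    """Return the lower-cased domain part of 'Name <user@host>' (empty if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def auth_results(msg: Message) -> dict:
    """Extract spf=/dkim=/dmarc= verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {k.lower(): v.lower() for k, v in pairs}

def triage(raw: str) -> list:
    """Return a list of findings for one raw RFC 822 message; empty means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    verdicts = auth_results(msg)
    # Anything other than an explicit pass (fail, none, softfail, missing header) is flagged.
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) not in (None, "pass"):
            findings.append(f"{mech}_{verdicts[mech]}")
    # Envelope sender domain differing from the From: domain suggests forwarded mail.
    if _domain(msg.get("From")) != _domain(msg.get("Return-Path")):
        findings.append("return_path_mismatch")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    for host in URL_RE.findall(body):
        if host.lower().endswith(SERVERLESS_DOMAINS):
            findings.append(f"serverless_url:{host.lower()}")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit on the serverless-domain check alone is not proof of phishing, since legitimate services use the same domains; it is a signal to correlate with the authentication and forwarding findings.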