Hackers are increasingly turning to Google Cloud Run to host the distribution infrastructure for multiple dangerous malware and scam campaigns, many of which successfully bypass security solutions.
Google Cloud Run is the search engine giant's fully managed platform for building and deploying containerized websites and web services.
Google Cloud offers $300 in free credits to new customers, and Cloud Run's free tier includes two million web requests per month, more than enough for most threat actors. What's more, because Google is considered a trusted service provider, traffic to and from its services is usually allowed past email and web security gateways that would block an unknown domain.
Impersonating the taxman
Security researchers from Cisco Talos have revealed that since September 2023 they have observed a notable increase in malicious emails using Google Cloud Run to distribute notorious banking trojans including Astaroth, Mekotio, and Ousaban.
The majority of the victims are located in Latin America, with Brazil being the country from which most of the emails were sent, alongside a few lower-volume campaigns targeting victims in Europe and North America.
Talos further explained that a single Google Cloud Storage bucket was used to deliver multiple malware families simultaneously, suggesting that multiple threat actors could be sharing, or collaborating on, a single Google Cloud Run instance.
In the attack chain, the threat actors send out malicious emails disguised as financial or tax-related documents, sometimes impersonating local government tax agencies. Targets who fall for the ruse and download the supposed document end up with a malicious MSI installer instead.