According to the latest data from Cisco Talos researchers, cybercriminals have stepped up phishing campaigns targeting users in Latin America and Europe. They use Google Cloud Run to distribute banking Trojans such as Astaroth, Mekotio, and Ousaban, packaged as malicious Microsoft Installer (MSI) files.
Criminals send out emails with topics related to financial and tax documents that purport to be from local tax authorities. These messages contain links to malicious websites hosted on the run[.]app platform that redirect victims to ZIP archives containing malicious MSI files or directly to Google Cloud storage locations where the installers reside. Attackers use geofencing tricks, redirecting users from US IP addresses to legitimate sites like Google to avoid detection.
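The delivery chain above (a run.app link that answers with a redirect to a ZIP/MSI or to a Google Cloud Storage object) is something a defender can look for in web-proxy logs. The following is an added example, not code from Cisco Talos or the report; the log format, hostnames and file names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (hypothetical hosts, not indicators from the report).
# Fields: client_ip method url status location_header ("-" when absent).
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET https://invoice-lookup-abc123.run.app/doc 302 https://storage.googleapis.com/constructed-bucket/Factura.zip
10.0.0.5 GET https://storage.googleapis.com/constructed-bucket/Factura.zip 200 -
10.0.0.7 GET https://notas-fiscais-xyz789.run.app/ 302 https://www.google.com/
10.0.0.9 GET https://legit-service-def456.run.app/api/health 200 -
10.0.0.11 GET https://tax-notice-ghi000.run.app/download 302 https://tax-notice-ghi000.run.app/files/Comprovante.msi
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
INSTALLER_SUFFIXES = (".zip", ".msi")
GCS_HOSTS = {"storage.googleapis.com", "storage.cloud.google.com"}

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, location = m.groups()
    return {"client": client, "method": method, "url": url,
            "status": int(status), "location": None if location == "-" else location}

def is_run_app_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host == "run.app" or host.endswith(".run.app")

def classify(event):
    """Label a run.app request whose redirect points at an installer or a GCS object; else None."""
    if not is_run_app_host(event["url"]):
        return None
    if not (300 <= event["status"] < 400) or not event["location"]:
        return None
    dest = urlparse(event["location"])
    if (dest.path or "").lower().endswith(INSTALLER_SUFFIXES):
        return "run.app redirect to archive/installer"
    if (dest.hostname or "").lower() in GCS_HOSTS:
        return "run.app redirect to Google Cloud Storage object"
    # A redirect to a well-known legitimate site (line 3 above) is not flagged: the report
    # describes exactly this behaviour for US source addresses, so a clean result from one
    # vantage point does not prove the link is benign.
    return None

def find_suspicious(log_text):
    """Return (client, url, location, label) for every flagged event in the log text."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            label = classify(ev)
            if label:
                findings.append((ev["client"], ev["url"], ev["location"], label))
    return findings
```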
The Astaroth, Mekotio, and Ousaban Trojans target financial institutions by tracking users’ web browsing activity, logging keystrokes, and taking screenshots. Ousaban, in particular, has used cloud services such as Amazon S3, Microsoft Azure, and Google Docs to download payloads and obtain its C2 configuration. These attacks fit a broader trend: phishing campaigns and QR codes used to deliver malware, and legitimate cloud platforms abused for malware distribution. In addition, phishing kits such as Greatness and Tycoon are increasingly used, making it easier for cybercriminals to run malicious campaigns.
Users are advised to exercise caution when receiving emails from unfamiliar sources, especially those containing links or attachments, and use robust cybersecurity solutions to protect their systems. The rise of cybercriminals using cloud platforms to distribute banking Trojans requires increased attention to cybersecurity from organizations and individual users around the world.