Google Cloud Run is being targeted in a major new malware campaign — and the threats are on the rise


Hackers are increasingly turning to Google Cloud Run to host the distribution infrastructure for multiple dangerous malware and scam campaigns, and those campaigns are able to successfully bypass many security solutions.

Google Cloud Run is the search engine giant’s service allowing developers to build and deploy different websites and web services on a fully managed platform. 

It offers $300 in free credits to new customers, and allows for two million free web requests per month - more than enough for most threat actors. What’s more, as Google is considered a trusted service provider, traffic coming from its tools will usually be allowed past different gatekeepers.

Impersonating the taxman

However, security experts from Cisco Talos have revealed that since September 2023 they have observed a notable increase in malicious emails using Google Cloud Run to distribute notorious banking trojans including Astaroth, Mekotio, and Ousaban.

The majority of the victims are located in Latin American countries, with Brazil being the country from which most of the emails were being sent, and a few lower-volume campaigns targeting victims in Europe and North America.

Talos further explained that a single Google Cloud Storage Bucket was used to deliver multiple malware families simultaneously, suggesting that multiple threat actors could actually be collaborating on a single Google Cloud Run instance. 

In the attack chain, the threat actors will send out malicious emails, disguised as financial or tax-related documents. Sometimes, they’ll impersonate local government tax agencies, too. Targets who fall for the ruse and download the attachments end up getting a malicious MSI file. 

Of the three banking trojans detailed in the report, Astaroth seems to be the most dangerous one, as it currently targets more than 300 institutions across 15 Latin American countries. It utilizes Ngrok for C2 communication, establishes persistence, logs keystrokes and grabs screenshots when specific banking apps are open.
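The two behaviours the article describes, an MSI file fetched from a Google Cloud Run host and a later C2 connection through an Ngrok tunnel, can be spotted together in web proxy logs. The following is an added example, not code from the article or from Cisco Talos: a small triage script that parses constructed proxy-log lines, pairs Cloud Run MSI downloads with follow-on Ngrok traffic from the same client, and ranks the result. The log format, the client addresses, and the Cloud Run (`.run.app`) and Ngrok hostname suffixes used here are assumptions for illustration, not indicators from the report.

```python
"""Added example (not from the TechRadar article or Cisco Talos): triage
constructed proxy-log lines for the chain the article describes.

Assumed log line format (one event per line):
    <unix_ts> <client_ip> <host> <url_path> <content_type>
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumptions for illustration: Cloud Run services are served under *.run.app,
# and Ngrok tunnels under these suffixes. Tune to your own environment.
CLOUD_RUN_SUFFIX = ".run.app"
NGROK_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")

LOG_LINE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Event:
    ts: int
    client: str
    host: str
    path: str
    content_type: str


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return Event(int(m["ts"]), m["client"], m["host"].lower(),
                 m["path"], m["ctype"].lower())


def is_cloud_run_msi(ev: Event) -> bool:
    """MSI installer delivered from a Cloud Run host (by path or MIME type)."""
    return ev.host.endswith(CLOUD_RUN_SUFFIX) and (
        ev.path.lower().endswith(".msi") or ev.content_type == "application/x-msi"
    )


def is_ngrok(ev: Event) -> bool:
    """Any connection to an Ngrok tunnel hostname."""
    return ev.host.endswith(NGROK_SUFFIXES)


def triage(lines, window_seconds: int = 3600) -> dict:
    """Group events per client and score them.

    'high'   : Cloud Run MSI download followed by Ngrok traffic within the window
    'medium' : only one of the two behaviours seen
    Clients showing neither behaviour are not reported.
    """
    per_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_client[ev.client].append(ev)

    findings = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e.ts)
        msi = [e for e in events if is_cloud_run_msi(e)]
        ngrok = [e for e in events if is_ngrok(e)]
        if not msi and not ngrok:
            continue
        severity = "medium"
        for download in msi:
            if any(0 <= n.ts - download.ts <= window_seconds for n in ngrok):
                severity = "high"
                break
        findings[client] = {
            "severity": severity,
            "msi_downloads": len(msi),
            "ngrok_connections": len(ngrok),
        }
    return findings


# Constructed sample log: hostnames and addresses are invented for the example.
SAMPLE_LOG = """
1700000000 10.0.0.5 invoice-portal-abc123-uc.a.run.app /docs/nota-fiscal.msi application/x-msi
1700000900 10.0.0.5 4f2a-1234.ngrok-free.app /gate application/octet-stream
1700001000 10.0.0.7 docs.example.com /report.pdf application/pdf
1700002000 10.0.0.9 tunnel-demo.ngrok.io /api text/plain
""".strip().splitlines()

if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(client, info)
```

The pairing step is what separates a noisy "Ngrok seen" alert from a worthwhile one: Ngrok and Cloud Run both have plenty of legitimate users, so a single client showing the download and the tunnel traffic in sequence is the signal to act on, while either behaviour alone is only worth a lower-priority look.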


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.