
FLUXROOT Threat Group

A financially motivated group based in Latin America (LATAM), known as FLUXROOT, has been detected using Google Cloud's serverless projects to conduct credential phishing campaigns. This situation underscores how cloud computing models can be exploited for malicious activity. Developers and enterprises favor serverless architectures for their flexibility, cost-effectiveness, and ease of use. However, these same advantages make serverless computing services appealing to cybercriminals, who use these platforms to distribute and manage malware, host phishing sites, and run fraudulent scripts written specifically for serverless environments.

FLUXROOT Targets Users with Banking Trojans

The campaign utilized Google Cloud container URLs to host credential phishing pages, targeting login credentials for Mercado Pago, a widely used online payment platform in the LATAM region. According to Google, FLUXROOT is the threat actor behind this campaign, previously known for spreading the Grandoreiro banking Trojan. Recent activities by FLUXROOT have also involved exploiting legitimate cloud services such as Microsoft Azure and Dropbox to distribute their malware.

Cybercriminals Exploit Cloud Services to Spread Malware

In a separate case, PINEAPPLE, another threat actor, has exploited Google's cloud infrastructure to distribute the Astaroth stealer malware (also known as Guildma) in attacks aimed at Brazilian users.

PINEAPPLE compromised Google Cloud instances and created its own Google Cloud projects to generate container URLs on legitimate Google Cloud serverless domains like cloudfunctions.net and run.app. These URLs hosted landing pages that redirected targets to fraudulent infrastructure for delivering the Astaroth malware.

Additionally, PINEAPPLE attempted to evade email gateway defenses by using mail forwarding services that allow messages with failed Sender Policy Framework (SPF) records to pass through. They also manipulated the SMTP Return-Path field with unexpected data to trigger DNS request timeouts, causing email authentication checks to fail.
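As an added illustration of the two evasion points described above (this is example code, not part of the original article), the following defender-side triage routine flags a message on three signals: a non-pass SPF verdict in the gateway's Authentication-Results header, a Return-Path that carries anything beyond one well-formed address, and links to the serverless domains named above. The sample messages and all hostnames are constructed.

```python
import re
from email import message_from_string

# Serverless hosting domains named in the article. A link to one of them is not
# malicious on its own; it becomes interesting together with a weak SPF verdict.
SERVERLESS_DOMAINS = ("cloudfunctions.net", "run.app")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
SPF_RE = re.compile(r"\bspf=(\w+)", re.IGNORECASE)
# A sane Return-Path is the empty bounce address <> or exactly one <local@domain>.
RETURN_PATH_RE = re.compile(r"^<(?:|[^<>@\s]+@[^<>@\s]+)>$")

def on_serverless_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in SERVERLESS_DOMAINS)

def triage_message(raw):
    """Return the findings for one raw RFC 5322 message (empty list if clean)."""
    msg = message_from_string(raw)
    findings = []
    # 1. SPF verdict the receiving gateway recorded in Authentication-Results.
    m = SPF_RE.search(msg.get("Authentication-Results", ""))
    spf = m.group(1).lower() if m else "missing"
    if spf != "pass":  # fail/softfail after forwarding, temperror after DNS timeouts
        findings.append("spf:" + spf)
    # 2. Return-Path carrying anything beyond a single well-formed address.
    rp = msg.get("Return-Path")
    if rp is not None and not RETURN_PATH_RE.match(rp.strip()):
        findings.append("return-path:malformed")
    # 3. Links to serverless hosting domains in the text/plain parts.
    parts = [msg] if not msg.is_multipart() else [
        p for p in msg.walk() if p.get_content_type() == "text/plain"]
    for part in parts:
        for host in URL_RE.findall(part.get_payload()):
            if on_serverless_domain(host):
                findings.append("serverless-link:" + host.lower())
    return findings

# Constructed sample messages, not real captures.
SUSPICIOUS = """\
Return-Path: <bounce@example.invalid> ;;unexpected-data
Authentication-Results: mx.example.net; spf=temperror (DNS timeout) smtp.mailfrom=example.invalid
Content-Type: text/plain

Confirm your account: https://example-project.cloudfunctions.net/verify
"""
CLEAN = """\
Return-Path: <news@example.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org
Content-Type: text/plain

Read more: https://www.example.org/news
"""
```

Running `triage_message(SUSPICIOUS)` returns all three findings, while the clean message returns an empty list; a gateway that accepted the first message despite the SPF temperror is exactly the gap the forwarding trick relies on.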

Criminals Take Advantage of Legitimate Services for Harmful Purposes

To address these threats, Google has taken steps to mitigate the activities by shutting down unsafe Google Cloud projects and updating Safe Browsing lists.

The growing adoption of cloud services across industries has unfortunately enabled threat actors to exploit these platforms for malicious purposes, including illicit cryptocurrency mining that takes advantage of weak configurations, and ransomware attacks.

This exploitation is further facilitated by the fact that cloud services allow adversaries to blend their activities with normal network operations, making detection significantly more difficult.

Threat actors leverage serverless platforms' flexibility and ease of deployment to distribute malware and host phishing pages. As defenders implement detection and mitigation measures, adversaries continuously adapt their tactics to evade these defenses.
