Ousaban Banking Trojan Used in Phishing Attacks


Security experts are cautioning about a surge in email phishing attacks utilizing the Google Cloud Run service to distribute various banking trojans like Astaroth (also known as Guildma), Mekotio, and Ousaban (aka Javali) to targets in Latin America (LATAM) and Europe.

Researchers from Cisco Talos revealed last week that the infection chains linked to these malware families rely on malicious Microsoft Installer (MSI) files that act as droppers or downloaders for the final payloads. These high-volume distribution campaigns, observed since September 2023, have consistently used the same Google Cloud storage bucket for propagation, suggesting possible links between the threat actors running them.

Google Cloud Run, a managed compute platform for running services and workloads, is attractive to adversaries as a cheap and efficient place to stand up distribution infrastructure: it sits on a platform that organizations are unlikely to block their internal systems from reaching, according to the researchers.

Most Phishing Spam Comes from Brazil

The majority of systems responsible for sending phishing messages originate from Brazil, followed by the U.S., Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain, and Bangladesh. The phishing emails typically revolve around themes related to invoices, financial matters, or tax documents, sometimes masquerading as communications from local government tax agencies.

These emails contain links to a website hosted on run[.]app, which delivers a ZIP archive containing a malicious MSI file, either served directly or via a 302 redirect to a Google Cloud Storage location. The threat actors also attempt to evade detection with geofencing: visitors arriving from U.S. IP addresses are redirected to legitimate sites such as Google, so an analyst fetching the link from a U.S. vantage point sees only a benign page.
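As an added example (not code from Cisco Talos or from this article), the following Python script flags the delivery pattern just described in proxy logs and in downloaded archives: requests to a run.app host that answer with a 302 to Google Cloud Storage, or that serve a ZIP directly, and ZIP members that are MSI files, identified by extension or by the OLE compound-file header that MSI packages carry. The log lines, hostnames and bucket name are constructed for illustration; the assumption that Cloud Storage objects are served from storage.googleapis.com is an assumption of this example, not a claim from the page.

```python
"""Added example (not the article's or Cisco Talos' code): hunt for the
run.app -> 302 -> Cloud Storage -> ZIP -> MSI delivery chain."""
import io
import zipfile
from urllib.parse import urlparse

# Constructed sample proxy log lines, NOT real telemetry. Fields:
# time src_ip method url status location content_type ("-" when absent).
# Hostnames and the bucket name are invented for illustration.
SAMPLE_LOG = """\
2024-02-20T13:01:05Z 10.0.0.15 GET https://invoice-portal-abc123-uc.a.run.app/nota.php 302 https://storage.googleapis.com/example-bucket/NF-e_2024.zip -
2024-02-20T13:01:06Z 10.0.0.15 GET https://storage.googleapis.com/example-bucket/NF-e_2024.zip 200 - application/zip
2024-02-20T13:05:44Z 10.0.0.22 GET https://www.google.com/ 200 - text/html
2024-02-20T13:07:10Z 10.0.0.31 GET https://docs-xyz789-rj.a.run.app/fatura.zip 200 - application/zip
2024-02-20T13:09:00Z 10.0.0.40 GET https://status-board-q1w2e3-uc.a.run.app/ 200 - text/html
"""

# MSI packages are OLE2 compound documents; this is the well-known header.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def parse_line(line):
    """Split one constructed log line into a dict; None if malformed."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, src, method, url, status, location, ctype = fields
    return {
        "ts": ts, "src": src, "method": method, "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
        "ctype": None if ctype == "-" else ctype,
    }


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_run_app_host(host):
    # Cloud Run services are served under *.run.app.
    return host == "run.app" or host.endswith(".run.app")


def is_gcs_host(host):
    # Assumption of this example: Cloud Storage objects served from
    # storage.googleapis.com (path style) or a bucket subdomain of it.
    return host == "storage.googleapis.com" or host.endswith(".storage.googleapis.com")


def find_suspicious(log_text):
    """Return (src_ip, url, reason) for run.app requests matching the chain."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_run_app_host(host_of(rec["url"])):
            continue
        if rec["status"] == 302 and rec["location"] and is_gcs_host(host_of(rec["location"])):
            findings.append((rec["src"], rec["url"],
                             "302 redirect to Cloud Storage: " + rec["location"]))
        elif rec["ctype"] == "application/zip" or rec["url"].lower().endswith(".zip"):
            findings.append((rec["src"], rec["url"], "archive served directly from run.app"))
    return findings


def msi_members(zip_bytes, max_members=1000):
    """Names of archive members that are MSI files by extension or by header.

    The member cap keeps a crafted archive with a huge central directory
    from stalling triage; only the first 8 bytes of each member are read.
    """
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(OLE_MAGIC))
            if info.filename.lower().endswith(".msi") or head == OLE_MAGIC:
                names.append(info.filename)
    return names


def build_sample_zip(member_name, payload):
    """Constructed in-memory archive used as sample input (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for src, url, reason in find_suspicious(SAMPLE_LOG):
        print(f"{src} {url} -> {reason}")
    sample = build_sample_zip("NF-e_2024.msi", OLE_MAGIC + b"\x00" * 16)
    print("MSI members:", msi_members(sample))
```

The header check matters more than the extension: a dropper renamed to `.pdf` inside the archive still starts with the OLE magic, while a benign archive with no such member returns an empty list. Point `find_suspicious` at real proxy export lines in the same seven-field shape, or adapt `parse_line` to your log format.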

Mekotio and Astaroth share the same infrastructure, and the Astaroth infection chain is also used to distribute Ousaban. All three trojans are built to target financial institutions: they monitor the user's web activity, log keystrokes, and capture screenshots when a targeted bank's website is open in the browser.

Ousaban has a history of exploiting cloud services, having previously used Amazon S3 and Microsoft Azure for downloading second-stage payloads, and Google Docs for retrieving command-and-control (C2) configurations.

This development occurs alongside phishing campaigns spreading malware families such as DCRat, Remcos RAT, and DarkVNC, capable of harvesting sensitive data and taking control of compromised hosts. Additionally, there has been an increase in threat actors deploying QR codes in phishing and email-based attacks (quishing) to deceive potential victims into installing malware on their mobile devices.

February 26, 2024