Multiple hacking collectives in Latin America were observed abusing Google Cloud’s infrastructure in their phishing attacks, the company has confirmed.
In its biannual Threat Horizons Report, Google said at least two threat actors, FLUXROOT and PINEAPPLE, abused Google Cloud as part of their infrastructure.
FLUXROOT was running a phishing campaign to steal login credentials for Mercado Pago, a popular online payments platform for the Latin America region. In its campaign, the threat actor was using Google Cloud container URLs to host the phishing pages, the company said.
PINEAPPLE and Astaroth
“Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use,” Google said in its writeup. “These same features make serverless computing services for all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, and to run malware and execute malicious scripts specifically tailored to run in a serverless environment.”
Previously, FLUXROOT was seen distributing the Grandoreiro banking trojan.
PINEAPPLE, on the other hand, was using Google Cloud to distribute Astaroth (AKA Guildma), a popular infostealer malware.
“PINEAPPLE used compromised Google Cloud instances and Google Cloud projects they created themselves to create container URLs on legitimate Google Cloud serverless domains such as cloudfunctions[.]net and run.app,” Google explained. “The URLs hosted landing pages redirecting targets to malicious infrastructure that dropped Astaroth.”
In response to these campaigns, the company took down the malicious Google Cloud projects, and updated its Safe Browsing list.
“Threat actors take advantage of the flexibility and ease of deployment of serverless platforms to distribute malware and host phishing pages,” the company concluded. “Threat actors abusing cloud services shift their tactics in response to defenders’ detection and mitigation measures.”
Via The Hacker News