Cybersecurity researchers are warning about a spike in email phishing campaigns that are weaponizing the Google Cloud Run service to deliver various banking trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali) to targets across Latin America (LATAM) and Europe.

“The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s),” Cisco Talos researchers disclosed last week.

The high-volume malware distribution campaigns, observed since September 2023, have employed the same storage bucket within Google Cloud for propagation, suggesting potential links between the threat actors behind the distribution campaigns.

Google Cloud Run is a managed compute platform that enables users to run frontend and backend services, batch jobs, deploy websites and applications, and queue processing workloads without having to manage or scale the infrastructure.

“Adversaries may view Google Cloud Run as an inexpensive, yet effective way to deploy distribution infrastructure on platforms that most organizations likely do not prevent internal systems from accessing,” the researchers said.

A majority of the systems used to send phishing messages originate from Brazil, followed by the U.S., Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain, and Bangladesh. The emails bear themes related to invoices or financial and tax documents, in some cases purporting to be from local government tax agencies.

Embedded within these messages are links to a website hosted on run[.]app, resulting in the delivery of a ZIP archive containing a malicious MSI file either directly or via 302 redirects to a Google Cloud Storage location, where the installer is stored.

The threat actors have also been observed attempting to evade detection using geofencing tricks by redirecting visitors to these URLs to a legitimate site like Google when accessing them with a U.S. IP address.

Besides leveraging the same infrastructure to deliver both Mekotio and Astaroth, the infection chain associated with the latter acts as a conduit to distribute Ousaban.

Astaroth, Mekotio, and Ousaban are all designed to single out financial institutions, keeping tabs on users’ web browsing activity as well as logging keystrokes and taking screenshots should one of the target bank websites be open.

Ousaban has a history of weaponizing cloud services to its advantage, having previously employed Amazon S3 and Microsoft Azure to download second-stage payloads, and Google Docs to retrieve command-and-control (C2) configuration.

The development comes amid phishing campaigns propagating malware families such as DCRat, Remcos RAT, and DarkVNC that are capable of harvesting sensitive data and taking control of compromised hosts.

It also follows an uptick in threat actors deploying QR codes in phishing and email-based attacks (aka quishing) to trick potential victims into installing malware on their mobile devices.

“In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user’s login credentials when entered,” Talos said.

“QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.”

Phishing campaigns have also set their eyes on the oil and gas sector to deploy an information stealer called Rhadamanthys, which has currently reached version 0.6.0, highlighting a steady stream of patches and updates by its developers.

“The campaign starts with a phishing email using a vehicle incident report to lure victims into interacting with an embedded link that abuses an open redirect on a legitimate domain, primarily Google Maps or Google Images,” Cofense said.

Users who click on the link are then redirected to a website hosting a bogus PDF file, which, in reality, is a clickable image that contacts a GitHub repository and downloads a ZIP archive containing the stealer executable.

“Once a victim attempts to interact with the executable, the malware will unpack and start a connection with a command-and-control (C2) location that collects any stolen credentials, cryptocurrency wallets, or other sensitive information,” the company added.

Other campaigns have abused email marketing tools like Twilio’s SendGrid to obtain client mailing lists and take advantage of stolen credentials to send out convincing-looking phishing emails, per Kaspersky.

“What makes this campaign particularly insidious is that the phishing emails bypass traditional security measures,” the Russian cybersecurity company noted. “Since they are sent through a legitimate service and contain no obvious signs of phishing, they may evade detection by automatic filters.”

These phishing activities are further fueled by the easy availability of phishing kits such as Greatness and Tycoon, which have become a cost-effective and scalable means for aspiring cyber criminals to mount malicious campaigns.

“Tycoon Group [phishing-as-a-service] is sold and marketed on Telegram for as low as $120,” Trustwave SpiderLabs researcher Rodel Mendrez said last week, noting the service first came into being around August 2023.

“Its key selling features include the ability to bypass Microsoft two-factor authentication, achieve ‘link speed at the highest level,’ and leveraging Cloudflare to evade antibot measures, ensuring the persistence of undetected phishing links.”

Jan 15, 2024NewsroomVulnerability / Browser Security

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

“This is achieved through a controlled browser extension, effectively bypassing the browser’s sandbox and the entire browser process,” the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser’s security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called “Opera Touch Background,” which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally_connectable that declares which other web pages and extensions can connect to it.

In the case of Opera, the domains that can talk to the extension should match the patterns “*.flow.opera.com” and “.flow.op-test.net” – both controlled by the browser vendor itself.

“This exposes the messaging API to any page that matches the URL patterns you specify,” Google notes in its documentation. “The URL pattern must contain at least a second-level domain.”

Guardio Labs said it was able to unearth a “long-forgotten” version of the My Flow landing page hosted on the domain “web.flow.opera.com” using the urlscan.io website scanner tool.

“The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the [content security policy] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check,” the company said.

“This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API.”

The attack chain then hinges, creating a specially crafted extension that masquerades as a mobile device to pair with the victim’s computer and transmit an encrypted malicious payload via the modified JavaScript file to the host for subsequent execution by prompting the user to click anywhere on the screen.

The findings highlight the increasing complexity of browser-based attacks and the different vectors that can be exploited by threat actors to their advantage.

“Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries,” the company told The Hacker News.

“This underscores the need for internal design changes at Opera and improvements in Chromium’s infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome’s web store, is recommended but has not yet been implemented by Opera.”

When reached for comment, Opera said it moved quickly to close the security hole and implement a fix on the server side and that it’s taking steps to prevent such issues from happening again.

“Our current structure uses an HTML standard, and is the safest option that does not break key functionality,” the company said. “After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future.”

“We would like to thank Guardio Labs for their work on uncovering and immediately alerting us to this vulnerability. This collaboration demonstrates how we work together with security experts and researchers around the world to complement our own efforts at maintaining and improving the security of our products and ensuring our users have a safe online experience.”