A financially motivated threat actor based in Latin America (LATAM), codenamed FLUXROOT, has been observed using Google Cloud serverless projects to orchestrate credential phishing, highlighting the misuse of the cloud computing model for malicious purposes.
“Serverless architectures are attractive to developers and enterprises because of their flexibility, cost-effectiveness and ease of use,” Google said in its biennial Threat Horizons Report (PDF) shared with The Hacker News.
“These same features make serverless computing services from all cloud providers attractive to threat actors, who use them to deliver and communicate with their malware, host and direct users to phishing pages, launch malware, and execute malicious scripts specially designed to work in a serverless environment.”
The campaign involved the use of Google Cloud container URLs to host credential phishing pages designed to collect login information associated with Mercado Pago, an online payment platform popular in the LATAM region.
FLUXROOT, according to Google, is a threat actor known for distributing the Grandoreiro banking trojan, with recent campaigns also taking advantage of legitimate cloud services such as Microsoft Azure and Dropbox to spread the malware.
Separately, Google’s cloud infrastructure was also weaponized by another adversary, tracked as PINEAPPLE, to distribute the Astaroth (aka Guildma) malware in attacks targeting Brazilian users.
“PINEAPPLE used compromised Google Cloud instances and self-created Google Cloud projects to create container URLs in legitimate Google Cloud serverless domains such as cloudfunctions(.)net and run.app,” Google said. “The URLs hosted landing pages that redirected targets to the malicious infrastructure that delivered Astaroth.”
Additionally, an attacker reportedly attempted to bypass email gateway protections by using mail-forwarding services that do not reject messages with failed Sender Policy Framework (SPF) checks, and by placing unexpected data in the SMTP Return-Path field so that the DNS query would time out and the email authentication would fail.
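One defensive check that follows from the evasion described above, written here as an added example (not code from Google’s report or from The Hacker News): an inbound-mail policy that refuses to treat an SPF temperror (such as a DNS timeout) as a pass, and that flags a Return-Path that is malformed or not aligned with the From domain. The message headers and domains are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from the report): a forwarded message whose SPF
# lookup timed out and whose Return-Path domain is unrelated to the From domain.
SUSPICIOUS_MSG = """\
Authentication-Results: mx.example.test; spf=temperror (DNS timeout) smtp.mailfrom=bounce.example.invalid
Return-Path: <x=y@bounce.example.invalid>
From: "Payments" <no-reply@payments.example>
"""
# Constructed clean message: SPF pass and a Return-Path aligned with From.
CLEAN_MSG = """\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=payments.example
Return-Path: <bounce@payments.example>
From: "Payments" <no-reply@payments.example>
"""
ADDR_RE = re.compile(r"\s*<[^<>\s@]+@[^<>\s@]+>\s*")  # exactly one well-formed angle-addr


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if there is none."""
    _local, at, dom = parseaddr(header_value or "")[1].rpartition("@")
    return dom.lower() if at else ""


def spf_result(msg):
    """Extract the spf= verdict from Authentication-Results ('none' if absent)."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def evaluate(raw_message):
    """Return a verdict dict; quarantine unless SPF passed cleanly and Return-Path is sane."""
    # Policy choice: temperror/permerror/none are NOT a pass, so an induced DNS
    # timeout does not get the message delivered unchallenged.
    msg = message_from_string(raw_message)
    verdict = spf_result(msg)
    reasons = []
    if verdict in ("fail", "softfail"):
        reasons.append("spf-" + verdict)
    elif verdict != "pass":
        reasons.append("spf-unverified:" + verdict)
    rp = msg.get("Return-Path", "")
    if rp and not ADDR_RE.fullmatch(rp):
        reasons.append("malformed-return-path")  # unexpected data in the bounce address
    rp_dom, from_dom = domain_of(rp), domain_of(msg.get("From", ""))
    if rp_dom and from_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        reasons.append("return-path-not-aligned")
    return {"spf": verdict, "quarantine": bool(reasons), "reasons": reasons}
```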
The search giant said it took steps to mitigate the activity by removing the malicious Google Cloud projects and updating its Safe Browsing lists.
The weaponization of cloud services and infrastructure by threat actors, ranging from illicit cryptocurrency mining that takes advantage of weak configurations to ransomware, is being fueled by the increased adoption of the cloud across industries.
Additionally, this approach has the added benefit of allowing adversaries to blend in with normal network activity, which makes detection much more difficult.
“Threat actors are taking advantage of the flexibility and ease of deployment of serverless platforms to distribute malware and host phishing pages,” the company said. “Threat actors abusing cloud services are changing their tactics in response to the detection and mitigation measures defenders are taking.”