FLUXROOT is the codename for a financially motivated threat actor based in Latin America (LATAM) that has been observed using Google Cloud's serverless projects to orchestrate credential phishing campaigns, highlighting the abuse of the cloud computing model for malicious purposes.
“Serverless architectures are attractive to developers and enterprises because of their flexibility, cost-effectiveness, and ease of use,” Google said in its semi-annual Threat Horizon Report (PDF) shared with The Hacker News.
“These same capabilities make serverless computing services for all cloud providers attractive to threat actors, who use these services to deliver and communicate with malware, host and lure users to phishing pages, execute malware, and run malicious scripts specifically tailored to run in serverless environments.”
The campaign used Google Cloud container URLs to host credential phishing pages with the goal of harvesting login information related to Mercado Pago, a popular online payment platform in the LATAM region.
According to Google, FLUXROOT is a threat actor known for distributing the Grandoreiro banking Trojan, and in recent campaigns has also been using legitimate cloud services such as Microsoft Azure and Dropbox to distribute malware.
Separately, Google's cloud infrastructure has also been weaponized by another actor named PINEAPPLE, spreading another piece of information-stealing malware called Astaroth (aka Guildma) as part of attacks targeting users in Brazil.
“PINEAPPLE used compromised Google Cloud instances and self-created Google Cloud projects to create container URLs in legitimate Google Cloud serverless domains, such as cloudfunctions(.)net and run.app,” Google noted. “The URLs hosted landing pages that redirected targets to malicious infrastructure and dropped Astaroth.”
Additionally, the threat actors are said to have attempted to circumvent email gateway protections in two ways: by using mail forwarding services that do not drop messages that fail Sender Policy Framework (SPF) checks, and by including unexpected data in the SMTP Return-Path field so that the receiving server's DNS lookups time out and its email authentication checks fail.
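The two evasion tricks above, together with the use of serverless container URLs described in the preceding paragraphs, all leave traces in the headers and body of the delivered message. The following triage script is an added example written for this page; it is not code from Google's report or from The Hacker News. It parses a raw message, reads the SPF outcome the receiving gateway recorded in Authentication-Results (a DNS lookup timeout shows up as `temperror` under RFC 7208), sanity-checks the Return-Path against RFC 5321 length limits and against the From domain, and flags body URLs under the serverless domains named in the report (`cloudfunctions.net`, `run.app`). The sample messages and all addresses are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Serverless hosting domains named in the report. Plenty of legitimate traffic
# uses them too, so a hit is a triage signal to review, not a verdict.
WATCHED_SUFFIXES = ("cloudfunctions.net", "run.app")

# SPF outcomes that mean the check failed or could not complete. A DNS timeout
# on the sender's SPF record is reported as "temperror".
SPF_BAD = {"fail", "softfail", "temperror", "permerror"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Conservative shape for a well-formed mail domain (RFC 5321: max 253 chars).
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def spf_result(msg):
    """Return the SPF result the receiving gateway recorded, or None."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", value, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def return_path_issues(msg):
    """Flag a Return-Path that is missing, malformed, oversized or mismatched."""
    issues = []
    _, addr = parseaddr(msg.get("Return-Path", ""))
    if not addr:
        return ["return-path: missing or unparseable"]
    local, _, domain = addr.rpartition("@")
    if not DOMAIN_RE.match(domain):
        issues.append("return-path: malformed or oversized domain")
    if len(local) > 64:  # RFC 5321 local-part limit
        issues.append("return-path: oversized local part")
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain and from_domain and domain.lower() != from_domain:
        issues.append(f"return-path domain does not match From domain {from_domain}")
    return issues


def serverless_urls(msg):
    """Collect body URLs whose host sits under a watched serverless domain."""
    hits = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
                hits.append(url)
    return hits


def triage(raw_message):
    """Return a list of findings for one raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_string(raw_message)
    findings = []
    spf = spf_result(msg)
    if spf in SPF_BAD:
        findings.append(f"spf={spf}")
    findings.extend(return_path_issues(msg))
    findings.extend(f"serverless-hosted url: {u}" for u in serverless_urls(msg))
    return findings


# Constructed sample: oversized Return-Path domain, SPF temperror, run.app link.
SUSPICIOUS = (
    "Return-Path: <bounce@" + "x" * 300 + ".example>\n"
    "Authentication-Results: mx.example.net; spf=temperror smtp.mailfrom=bounce@example\n"
    'From: "Suporte" <atendimento@forwarder.example>\n'
    "To: user@example.org\n"
    "Subject: Verifique sua conta\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "Acesse https://notice-12345-abcde.a.run.app/login para confirmar.\n"
)

# Constructed sample: consistent Return-Path, SPF pass, ordinary link.
CLEAN = (
    "Return-Path: <noreply@example.com>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=noreply@example.com\n"
    "From: Example <noreply@example.com>\n"
    "To: user@example.org\n"
    "Subject: Your receipt\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "View it at https://www.example.com/receipt/1\n"
)

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, triage(sample))
```

Feeding a real mailbox through this is a matter of replacing the constructed samples with messages read from disk; the point of checking the gateway's own Authentication-Results rather than any upstream forwarder's is that the forwarder in the campaign above is precisely the hop that chose not to act on the SPF failure.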
The search giant said it had taken steps to mitigate such activity by removing malicious Google Cloud projects and updating its Safe Browsing lists.
From illicit cryptocurrency mining through weak configurations to ransomware, the weaponization of cloud services and infrastructure by threat actors has been driven by the growing adoption of cloud across industries.
Moreover, this approach has the added benefit of allowing an adversary to blend in with normal network activity, making them much more difficult to detect.
“Threat actors are taking advantage of the flexibility and ease of deployment of serverless platforms to distribute malware and host phishing pages,” the company said. “Threat actors abusing cloud services are shifting tactics in response to defenders’ detection and mitigation measures.”