Google Cloud Run Is ‘Being Abused’ By Cyberattacks Via Microsoft Installers: Cisco Report

Cisco Talos researchers are seeing a significant spike in cyberattacks leveraging the Google Cloud Run service, in many instances, via malicious use of Microsoft Installers.

There has been a massive spike in cyberattacks using the Google Cloud Run service to distribute large volumes of malware and scam campaigns, which is now spreading outside its Latin America roots.

“Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe,” said Cisco Talos researchers in a new report.

Furthermore, in many instances, the malware was dropped with a malicious Microsoft Installer directly from Google Cloud’s Run Web service, according a new threat intelligence research report by Cisco Talos.

“The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload,” said Cisco Talos.

Google Cloud Run is a service that enables customers to build and deploy web services located in Google Cloud’s infrastructure. It allows users to deploy frontend and backend services, as well as handle workloads without the effort of managing infrastructure or scaling.

In a statement, Google Cloud said it has “removed the offending links and are looking into strengthening our mitigation efforts to help prevent this type of nefarious activity.”

Why Google Cloud Run And Where Did It Start?

Cisco Talos said cyber criminals “may view Google Cloud Run as an inexpensive, yet effective way to deploy distribution infrastructure on platforms that most organization likely do not prevent internal systems from accessing.”

Cisco Talos researchers first overserved a large uptick in the misuse of Google Cloud Run service for malware distribution in September 2023.

The first attacks were from Brazilian threat actors who were launching campaigns using Microsoft Installers (MSI) files to deploy malware payloads.

Cisco Talos noted that initial campaign focused mostly on Latin America, mostly written in Spanish. For example, an Astaroth variant targeted over 300 institutions across over a dozen Latin American countries.

However, it has now started to sweep into North America and Europe, according to Cisco’s report.

Google Cloud Run Abuse

Cyberattacks on Google Cloud Run typically begin with a phishing email, which contains malicious links that leads to threat actors gaining control.

The emails are being sent using themes related to invoices or financial documents, sometimes pose as being sent from the local government tax agency.

“When victims access these hyperlinks, they are redirected to the Cloud Run web services deployed by the threat actors and delivered the components necessary to initiate the infection process,” said Cisco Talos.

Lastly, the malware establishes persistence on the system to survive through reboots by adding LNK files in the Startup menu.

Cisco Talos said it has contacted Google to notify them of the recent threat activity. In its report, Cisco listed numerous ways customers can detect and block the threat using Cisco products such as Cisco Secure Endpoint, Cisco Secure Email, Cisco Secure Web Appliance, Cisco Secure Malware Analytics and Cisco Secure Firewall, to name a few.