Since September 2023, we have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans.

Cisco Talos researchers have reported an alarming rise in banking malware campaigns exploiting Google Cloud Run, with evidence of spread from Latin America to Europe and North America. The attacks, which began in September 2023, involve phishing emails with themes like invoices or tax documents, sometimes impersonating local tax agencies. These emails contain links to malicious Cloud Run web services that deploy banking Trojans such as Astaroth, Mekiotio, and Ousaban. Attackers use evasion techniques like geoplugin to avoid detection. The Astaroth variant has targeted over 300 institutions in 15 Latin American countries, primarily from Brazil. No specific CVEs are mentioned.

IOCs: https://github.com/Cisco-Talos/IOCs/blob/main/2024/02/google-cloud-run-abuse.txt