PINEAPPLE and FLUXROOT Hacker Groups Misuse Google Cloud for Credential Phishing
A Latin America (LATAM)-based, financially motivated actor codenamed FLUXROOT has been observed using Google Cloud serverless projects to orchestrate credential phishing activity, underscoring how the cloud computing model is being abused for malicious ends.
“Serverless architectures appeal to developers and businesses for their adaptability, cost-efficiency, and user-friendliness,” Google said in its biannual Threat Horizons Report [PDF], which it shared with The Hacker News.
“These same attributes make serverless computing services of all cloud providers inviting to nefarious actors, who employ them to distribute and engage with their malware, host and lead users to phishing sites, and to run malware and execute malevolent scripts specifically designed to operate in a serverless environment.”

The campaign involved the use of Google Cloud container URLs to host credential phishing pages designed to harvest login details for Mercado Pago, an online payments platform popular in the LATAM region.
FLUXROOT, according to Google, is the threat actor known for distributing the Grandoreiro banking trojan, and its recent operations have also leveraged legitimate cloud services such as Microsoft Azure and Dropbox for malware distribution.
In a separate incident, Google’s cloud infrastructure was also weaponized by another adversary, tracked as PINEAPPLE, to spread the information-stealing malware Astaroth (also known as Guildma) in attacks targeting Brazilian users.
“PINEAPPLE utilized compromised Google Cloud instances and Google Cloud projects that they set up themselves to generate container URLs on legitimate Google Cloud serverless domains like cloudfunctions[.]net and run.app,” Google pointed out. “The URLs hosted landing pages redirecting targets to malicious infrastructure that deployed Astaroth.”
In addition, the adversary attempted to bypass email gateway protections in two ways: by routing messages through mail forwarding services that do not discard messages whose Sender Policy Framework (SPF) check fails, and by placing unexpected data in the SMTP Return-Path field so that the receiving server’s DNS lookup times out, causing email authentication to fail rather than return a clear verdict.
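As an added illustration, not code from the report or the article, the following Python routine flags the three indicators described above in a delivered message: a Return-Path that carries anything beyond a plain envelope address, an SPF verdict other than pass (including the temperror a timed-out lookup produces), and links pointing at the serverless domains named earlier. The header names, the serverless-domain list and the sample message are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Serverless hosting domains the report names as abused for landing pages (assumed list)
SERVERLESS_DOMAINS = ("cloudfunctions.net", "run.app")

# A well-formed envelope sender is "<local@domain>" with nothing else attached
RETURN_PATH_RE = re.compile(r"^<[^<>@\s]{1,64}@([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}>$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def spf_result(received_spf: str) -> str:
    """First token of a Received-SPF header is the verdict (pass, fail, softfail, temperror, ...)."""
    return received_spf.strip().split(" ", 1)[0].lower()

def suspicious_links(body: str) -> list:
    """URLs whose host is one of the serverless domains or a subdomain of one."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in SERVERLESS_DOMAINS):
            hits.append(url)
    return hits

def triage(headers: dict, body: str) -> list:
    """Return the list of findings for one message (header names are assumptions)."""
    findings = []
    if not RETURN_PATH_RE.match(headers.get("Return-Path", "").strip()):
        findings.append("return-path-malformed")
    verdict = spf_result(headers.get("Received-SPF", "none"))
    if verdict != "pass":  # a forwarder may deliver fail/softfail/temperror anyway
        findings.append(f"spf-{verdict}")
    for url in suspicious_links(body):
        findings.append(f"serverless-url:{url}")
    return findings

# Constructed sample, not a real message: junk appended to the envelope sender,
# an SPF lookup that timed out, and a login page hosted on a serverless domain.
SAMPLE_HEADERS = {
    "Return-Path": "<bounce@example.invalid>;lookup=" + "a" * 300,
    "Received-SPF": "temperror (DNS lookup timed out) client-ip=203.0.113.10",
}
SAMPLE_BODY = "Confirme sua conta: https://us-central1-demo.cloudfunctions.net/login"

if __name__ == "__main__":
    for finding in triage(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```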
The tech giant stated that it took measures to counteract the activities by shutting down the malicious Google Cloud projects and updating its Safe Browsing lists.
The abuse of cloud services and infrastructure by threat actors, ranging from illicit cryptocurrency mining enabled by weak configurations to ransomware, has been fueled by the growing adoption of cloud across sectors.
This approach also gives adversaries the added advantage of blending into normal network traffic, which makes detection harder.
“Nefarious actors exploit the flexibility and ease of deployment of serverless platforms to disseminate malware and host phishing sites,” the company noted. “Malicious entities abusing cloud services alter their strategies in response to defenders’ detection and mitigation tactics.”
