Google Cloud Run abused: Here is a detailed look.

Google Cloud Run

Google Cloud Run abused: Here is a detailed look.

In recent times, hackers have been found to be abusing Google Cloud Run, a fully managed platform that allows you to promptly execute your code on top of Google’s scalable infrastructure. This abuse has led to the distribution of massive volumes of banking trojans.

The Malware Campaign

Large-scale malware distribution campaigns are leveraging Google Cloud Run to transmit banking trojans, including Astaroth (also known as Guildma), Mekotio, and Ousaban, to European and Latin American targets. These campaigns have seen a significant uptick since September 2023.

Basically, in less technical terms, hackers are misusing a tool from Google called Google Cloud Run. Hackers are using it to spread harmful software that can steal your bank details.

Quick Look at the Trojans being used.

The campaigns abusing Google Cloud Run involve three banking trojans: Astaroth/Guildma, Mekotio, and Ousaban.


Astaroth, also known as Guildma, uses various effective anti-analysis/evasion strategies. It has developed a clever method of encoding and encrypting command and control communications (C2) using the descriptions of YouTube channels.

Let’s say there’s a YouTube channel description that reads: “Welcome to our travel vlog! We love to explore new places and share our adventures.”

Astaroth could use a simple substitution cipher, where each letter is replaced by a letter some fixed number of positions down the alphabet. For example, with a shift of 1, ‘A’ would be replaced by ‘B’, ‘B’ would become ‘C’, and so on.

So, the encoded message might look something like this: “Xfmdpnf up pvs usbwfm wpmh! Xf mpwf up fyqmpsft ofx qmbdft boe tibsf pvs bewfouvsft.”

This encoded message is then used for command and control communications, making it harder for security systems to detect malicious activity.

Please note that this is a very simplified example. In reality, Astaroth uses much more complex methods of encoding and encryption. But the basic idea is the same: to hide its communications in plain sight.

Mekotio and Ousaban

Mekotio and Ousaban are also part of this campaign. These trojans are capable of keylogging, capturing screenshots, and phishing for banking credentials using fake banking portals.

Imagine you’re using your computer and you receive an email. This email looks like it’s from your bank, and it asks you to log in to your account to update some information. The email even includes a link to what looks like your bank’s website.

So, you click on the link and it takes you to a website that looks exactly like your bank’s website. You enter your username and password to log in. But here’s the catch: the website is not really your bank’s website. It’s a fake website created by Mekotio or Ousaban.

These trojans have just tricked you into giving them your bank login details. This is called phishing.

But that’s not all. While you’re using your computer, Mekotio or Ousaban can also record what you’re typing and take pictures of your screen. So, even if you didn’t fall for the fake bank website, they could still get your bank details if you typed them somewhere else on your computer.

The Distribution Method

The distribution method involves sending emails using themes related to invoices or financial and tax documents, and sometimes pose as being sent from the local government tax agency in the country being targeted. In one case, the email appears to be from Argentina’s local government tax agency, Administración Federal de Ingresos Públicos (AFIP), which has been the focus of recent malspam operations.

The email URLs, leading to Google Cloud Run, use the run [.]app as the top-level domain (TLD). When victims click on these URLs, they are taken to the threat actors’ Cloud Run web services, where they receive the files needed to start the infection process.

In a nutshell, the hackers send emails that look like they’re about invoices or tax documents. Sometimes, they even pretend to be from the local tax agency. The emails contain links that lead to Google Cloud Run. If you click on these links, you’re taken to a website run by the bad guys, where the harmful software starts to download.


The misuse of Google Cloud Run by cybercriminals to distribute banking trojans is a grave concern that underscores the evolving sophistication of cyber threats. This strategy of exploiting trusted platforms not only allows attackers to bypass security measures but also makes detection significantly more challenging.

Banking trojans like Astaroth, Mekotio, and Ousaban, which are part of this campaign, are particularly worrisome due to their capabilities. They can record keystrokes, capture screenshots, and create fake banking portals to trick users into revealing their banking credentials. The stolen information can then be used for fraudulent transactions, leading to financial loss for the victims.

This situation highlights the critical need for robust security measures. It’s essential for individuals and organizations to maintain up-to-date security software to protect against such threats. Additionally, practicing safe online habits, such as being cautious with emails from unknown sources and regularly changing passwords, can provide an additional layer of protection.

Moreover, constant vigilance is crucial in this ever-evolving cyber landscape. Cyber threats are becoming increasingly sophisticated, and new methods of attacks are being developed continually. Staying informed about the latest cyber threats and understanding how they work can help in recognizing potential threats and taking appropriate action.

In conclusion, the abuse of Google Cloud Run to distribute banking trojans is a stark reminder of the persistent and evolving nature of cyber threats. It underscores the importance of robust security measures, constant vigilance, and a comprehensive understanding of the cyber threat landscape to protect against such threats.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it

Share this content:

Post Comment