A Latin America-based financially motivated threat actor, codenamed FLUXROOT, has been identified using Google Cloud serverless projects to orchestrate credential phishing campaigns. This highlights the growing abuse of cloud computing platforms for malicious activities.
Google’s biannual Threat Horizons Report [PDF] notes that the same properties that make serverless architectures attractive to developers, namely flexibility, low cost, and ease of deployment, also make them attractive to cybercriminals. Attackers use serverless services to deliver malware, host phishing pages, and run malicious scripts written specifically for serverless environments.
FLUXROOT has been linked to the distribution of the Grandoreiro banking trojan. Recent campaigns have exploited legitimate cloud services such as Microsoft Azure and Dropbox to distribute this malware. Specifically, FLUXROOT used Google Cloud container URLs to host phishing pages aimed at stealing login credentials for Mercado Pago, a popular online payment platform in LATAM.
Additionally, another adversary, codenamed PINEAPPLE, has exploited Google’s cloud infrastructure to distribute the Astaroth stealer malware (also known as Guildma) targeting Brazilian users. PINEAPPLE compromised Google Cloud instances and created projects to host container URLs on legitimate Google Cloud serverless domains. These URLs redirected targets to malicious sites that deployed Astaroth malware.
PINEAPPLE also attempted to evade email gateway protections in two ways: by relaying messages through mail forwarding services that deliver mail even when its Sender Policy Framework (SPF) check has failed, and by injecting unexpected data into the SMTP Return-Path field so that the receiving server's DNS lookup times out and the email authentication check errors out instead of producing a verdict. A gateway that fails open on such an error, or that trusts the upstream forwarder's verdict instead of evaluating SPF itself on the final hop, will still deliver the message.
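The two evasions above both rely on the receiving side treating anything other than an explicit SPF failure as acceptable. The following is an added example, not code from the report or from Google, of a gateway-side policy that fails closed: it parses the Return-Path and the Authentication-Results header, rejects a malformed envelope sender outright, and accepts only an explicit `spf=pass` whose `smtp.mailfrom` domain matches the Return-Path. The three sample messages, the header values, and the `decide()` policy are constructed for illustration and are assumptions, not artifacts from the PINEAPPLE campaign.

```python
import email
import re
from email.message import Message

# Constructed sample messages (assumed for this example, not from the report).
# 1. Direct delivery, SPF evaluated and passed at our own gateway.
LEGIT = (
    b"Return-Path: <billing@example.com>\n"
    b"Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com\n"
    b"From: billing@example.com\nTo: user@example.net\nSubject: Invoice\n\nHello\n"
)
# 2. Relayed via a forwarder that delivers mail even though SPF failed.
FORWARDED_FAIL = (
    b"Return-Path: <phish@example.com>\n"
    b"Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com\n"
    b"From: billing@example.com\nTo: user@example.net\nSubject: Invoice\n\nClick\n"
)
# 3. Return-Path stuffed with an overlong DNS label: the SPF lookup times out
#    upstream and the recorded result is temperror rather than pass/fail.
TIMEOUT = (
    b"Return-Path: <phish@" + b"x" * 70 + b".example>\n"
    + b"Authentication-Results: mx.example.net; spf=temperror smtp.mailfrom="
    + b"x" * 70 + b".example\n"
    + b"From: billing@example.com\nTo: user@example.net\nSubject: Invoice\n\nClick\n"
)

SPF_RE = re.compile(r"\bspf=([a-z]+)", re.I)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([^;\s]+)", re.I)
# One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def spf_result(msg: Message) -> tuple[str, str]:
    """Return (spf verdict, smtp.mailfrom domain) from Authentication-Results.

    Missing header or missing spf= token is reported as 'none', never as pass.
    """
    hdr = msg.get("Authentication-Results", "")
    m = SPF_RE.search(hdr)
    d = MAILFROM_RE.search(hdr)
    result = m.group(1).lower() if m else "none"
    mailfrom = d.group(1).lower() if d else ""
    if "@" in mailfrom:
        mailfrom = mailfrom.rsplit("@", 1)[1]
    return result, mailfrom


def return_path_domain(msg: Message):
    """Return the Return-Path domain if the header is well formed, else None."""
    rp = msg.get("Return-Path", "").strip()
    if not (rp.startswith("<") and rp.endswith(">")):
        return None
    addr = rp[1:-1]
    if addr.count("@") != 1 or len(addr) > 254:
        return None
    local, domain = addr.split("@")
    labels = domain.split(".")
    if not local or len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return None
    return domain.lower()


def decide(raw: bytes) -> tuple[str, str]:
    """Fail-closed policy: accept only an explicit, consistent SPF pass."""
    msg = email.message_from_bytes(raw)
    domain = return_path_domain(msg)
    if domain is None:
        return "quarantine", "malformed Return-Path"
    result, mailfrom = spf_result(msg)
    # temperror (lookup timeout), permerror, none, softfail and fail are all
    # treated the same way: the sender is not authenticated.
    if result != "pass":
        return "quarantine", f"spf={result}"
    if mailfrom != domain:
        return "quarantine", "spf domain mismatch"
    return "accept", "spf=pass"


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("forwarded", FORWARDED_FAIL), ("timeout", TIMEOUT)):
        print(name, *decide(raw))
```

The design point is that the verdict is computed by the last hop and that `temperror` is not a free pass: a timeout caused by a deliberately unresolvable Return-Path lands in quarantine together with an outright `fail`, so neither of the two tricks described above yields delivery.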
Google has responded by taking down the malicious projects and updating its Safe Browsing lists to mitigate these threats. The use of cloud services by threat actors for activities like illicit cryptocurrency mining and ransomware attacks has surged, driven by the widespread adoption of cloud technologies across various industries. This tactic allows attackers to blend in with normal network traffic, complicating detection efforts.
Google highlighted that threat actors exploit the flexibility and easy deployment of serverless platforms to distribute malware and host phishing sites, continuously adapting their tactics to circumvent detection and mitigation measures.