FLUXROOT: Phishing Hackers Exploit Serverless Google Cloud

Credential harvesting page hosted on a Google Cloud serverless project

A financially motivated hacker group, codenamed FLUXROOT, has been identified in Latin America using serverless Google Cloud projects to run phishing attacks. The attacks aim to steal credentials and illustrate how cloud computing models are being misused for malicious purposes.

According to Google, serverless architectures are attractive to developers and businesses due to their flexibility, cost-effectiveness, and ease of use. These same characteristics make them appealing to malicious actors, who exploit these services to deliver and interact with their malware, host and direct users to phishing pages, and execute malicious scripts specifically adapted for the serverless environment.

As part of the campaign, Google Cloud container URLs were used to host phishing pages designed to harvest user credentials for Mercado Pago, a popular online payment platform in Latin America.

FLUXROOT is known for spreading the banking trojan Grandoreiro and has previously used Microsoft Azure and Dropbox cloud services to distribute its malware.

In addition to FLUXROOT, Google Cloud infrastructure was also exploited by another hacker group, PINEAPPLE, to disseminate the Astaroth malware. These attacks were directed at Brazilian users.

PINEAPPLE created container URLs on legitimate Google Cloud domains (cloudfunctions[.]net and run[.]app) to redirect victims to malicious resources, where the Astaroth infection took place.

The perpetrators also attempted to bypass mail gateway protections in two ways: by relaying through mail forwarding services that do not reject messages whose Sender Policy Framework (SPF) check fails, and by inserting unexpected data into the SMTP Return-Path field so that the DNS lookup times out and email authentication fails.
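The two mail-gateway evasion tricks described above both leave a message without a clean SPF "pass". The following is an added example (not code from the article or from Google) of a triage check a receiving side could run over message headers: it reads the SPF verdict from Authentication-Results, treats a DNS timeout (temperror) as suspicious rather than neutral, and sanity-checks the Return-Path address, flagging trailing data or DNS labels longer than the 63-character limit. The flagging policy and the sample headers are assumptions of this example.

```python
import re
from email import message_from_string

# Policy assumed for this example (the article states none): anything but a
# clean SPF "pass", including a DNS timeout (temperror), is flagged for review.
SUSPECT_SPF = {"fail", "softfail", "neutral", "none", "temperror", "permerror", "missing"}
MAX_DNS_LABEL, MAX_DOMAIN = 63, 253   # RFC 1035 limits

def spf_result(msg):
    """SPF verdict recorded by the receiving MTA in Authentication-Results."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=([a-z]+)", hdr, re.I)
        if m:
            return m.group(1).lower()
    return "missing"

def return_path_issues(msg):
    """Sanity-check Return-Path, the MAIL FROM address SPF was evaluated on."""
    raw = (msg.get("Return-Path") or "").strip()
    if raw == "<>":                      # null reverse-path: legitimate for bounces
        return []
    m = re.fullmatch(r"<([^<>\s]+)>", raw)
    if not m:                            # empty, bare address, or data after '>'
        return ["return-path-malformed"]
    addr = m.group(1)
    if "@" not in addr:
        return ["return-path-no-domain"]
    domain = addr.rsplit("@", 1)[1]
    issues = []
    if len(domain) > MAX_DOMAIN or any(len(l) > MAX_DNS_LABEL or not l for l in domain.split(".")):
        issues.append("return-path-bad-dns-name")   # lookup of this name cannot succeed
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        issues.append("return-path-odd-domain-chars")
    return issues

def assess(raw_message):
    """Return the list of findings for one message (empty list = nothing odd)."""
    msg = message_from_string(raw_message)
    findings = []
    spf = spf_result(msg)
    if spf in SUSPECT_SPF:
        findings.append("spf-" + spf)
    return findings + return_path_issues(msg)

def sample(return_path, spf):
    """Constructed minimal message headers for testing (not real captures)."""
    return (f"Return-Path: {return_path}\n"
            f"Authentication-Results: mx.example.net; spf={spf} smtp.mailfrom=example.com\n"
            "Subject: Invoice\n\nbody\n")
```

Run `assess(sample("<bounce@" + "a" * 70 + ".example.com>", "temperror"))` to see both the timeout verdict and the oversized DNS label reported together.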

Google has taken measures to curb the activity by removing the malicious Google Cloud projects and updating its Safe Browsing lists. Abuse of cloud services and infrastructure by attackers has grown alongside the widespread adoption of cloud technologies across sectors.
