Stratos Ally

Phishing in the Cloud: How PINEAPPLE and FLUXROOT Exploit Google’s Cloud Infrastructure 


StratosAlly


A Latin American financially motivated threat group, dubbed FLUXROOT, has been observed exploiting Google Cloud’s serverless infrastructure to conduct credential phishing campaigns. This highlights how malicious actors adapt to abuse cloud computing models for nefarious purposes. 

Google’s recent Threat Horizons Report emphasizes that while serverless architectures offer numerous benefits to legitimate users, those same advantages (low cost, quick deployment, trusted domains) make them attractive to cybercriminals as well. Threat actors leverage these services to deploy malware, host phishing pages, and execute malicious scripts tailored for serverless environments.

FLUXROOT, the Latin American cybercriminal group, has been observed conducting phishing operations aimed at users of Mercado Pago, a widely used digital payment service in the region. Their strategy involved deploying fake login pages on Google Cloud container URLs to steal user credentials. This isn’t FLUXROOT’s first foray into malicious activities; they have a history of spreading the Grandoreiro banking malware. The group has demonstrated versatility in their choice of cloud platforms, having previously exploited services such as Microsoft Azure and Dropbox to facilitate their illicit operations. 

In a separate but related development, another threat actor called PINEAPPLE has been using Google’s cloud infrastructure to spread the Astaroth (also known as Guildma) stealer malware that primarily targets Brazilian users. PINEAPPLE employed both compromised and self-created Google Cloud projects to host malicious content on legitimate Google Cloud serverless domains. 

To evade email security measures, PINEAPPLE employed tactics such as using mail forwarding services that don’t filter messages with failed Sender Policy Framework (SPF) records and manipulating the SMTP Return-Path field to cause authentication check failures. 
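From the receiving side, the two evasion tactics described above leave a recognisable pattern in the message headers: an SPF verdict that is not "pass" on a message whose Return-Path (envelope sender) domain does not match the domain in the From header. The script below is an added example, not code from the article or from Google's report; it runs a heuristic over two constructed messages (hypothetical domains `bank.example` and `forwarder.example`, authserv-id `mx.example.net`, documentation IP 203.0.113.9) and escalates only when both signals appear together, since a Return-Path/From mismatch alone is normal for mailing lists and legitimate forwarders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Only an explicit "pass" counts; fail, softfail, none, temperror, permerror all do not.
SPF_PASS = {"pass"}


def _domain(addr: str) -> str:
    """Return the lowercased domain of an address header value, or '' if none."""
    _, a = parseaddr(str(addr or ""))
    return a.rsplit("@", 1)[1].lower() if "@" in a else ""


def spf_verdict(msg) -> str:
    """Extract the spf= verdict from the first Authentication-Results header that has one."""
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bspf=([a-z]+)", str(ar), re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "none"


def assess(raw: bytes) -> dict:
    """Flag messages that combine a non-passing SPF result with a Return-Path/From domain mismatch."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    spf = spf_verdict(msg)

    reasons = []
    if spf not in SPF_PASS:
        reasons.append(f"spf={spf}")
    if rp_dom and from_dom and rp_dom != from_dom:
        reasons.append(f"return-path domain {rp_dom} differs from From domain {from_dom}")

    # Both signals together match the forwarding/Return-Path evasion pattern;
    # one alone is common enough in legitimate mail that it only merits review.
    if len(reasons) == 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return {
        "verdict": verdict,
        "spf": spf,
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "reasons": reasons,
    }


# Constructed sample 1: envelope sender and From agree, SPF passes.
LEGIT_MSG = b"""Return-Path: <billing@bank.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bank.example
From: Billing <billing@bank.example>
To: user@example.net
Subject: Your statement

Statement attached.
"""

# Constructed sample 2: relayed through a forwarder whose envelope sender fails SPF,
# while the visible From still claims the impersonated brand's domain.
SUSPECT_MSG = b"""Return-Path: <bounce@forwarder.example>
Authentication-Results: mx.example.net; spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=forwarder.example
From: Payments Team <no-reply@bank.example>
To: user@example.net
Subject: Confirm your account

Please log in at the link below.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("suspect", SUSPECT_MSG)):
        print(label, assess(raw))
```

In production the same two fields would normally be fed into DMARC evaluation rather than a standalone script; the point of the example is that a receiving MTA which records the SPF result but does not enforce it, as with the forwarding services described above, still leaves enough in the headers for a downstream filter to act on.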

Google has responded to these threats by shutting down the malicious cloud projects and updating its Safe Browsing lists. However, the increasing adoption of cloud services across industries has led to a corresponding rise in their exploitation by cybercriminals. This trend is partly due to the difficulty distinguishing malicious activities from normal network operations in cloud environments. 

The report concludes by noting that threat actors continually adapt their tactics in response to defenders’ detection and mitigation strategies, underscoring the ongoing challenge of securing cloud infrastructure against evolving threats. 
