nobeastsofierce - Fotolia

Spy Banker Trojan takes advantage of Google cloud servers

Security researchers at Zscaler discovered a new Spy Banker Trojan campaign that's leveraging Google's public cloud services as a hosting platform.

Security researchers at Zscaler recently uncovered a new Spy Banker Trojan Telax malware campaign that's leveraging Google cloud servers as a hosting platform.

In a report published last week, the San Jose, Calif. security vendor's ThreatLabZ research division showed how Spy Banker Trojan's authors used Google's cloud to host the initial downloader for the malware. The report also states that the malware campaign, which is targeting Portuguese-speaking users in Brazil, is using social engineering attacks on Facebook, Twitter and other social networking sites to entice unsuspecting users to click on the malicious links for the Spy Banker Trojan downloader. Once the downloader is installed, the Spy Banker Trojan Telax malware steals the online banking credentials of infected users.

The URLs, which are shortened using the service, are hosted on a legitimate Google cloud server instead of a suspicious hosting service that may be flagged by security vendors. What's more, the Spy Banker Trojan Telax, which was first discovered in 2009, can detect antivirus software on users' systems and send that information back to the command and control server, and it can also present fake two-factor authentication panels to presumably fool users into entering their secondary authentication codes.

Zscaler ThreatLabZ researchers noted that four of the five domains hosting the malware campaign have already taken down their registrar, GoDaddy. The report stated that the remaining domain led researchers to a second, similar domain that was also actively redirecting users to the malicious Spy Banker Trojan Telax payload hosted on a Google cloud server.

The ThreatLabZ researchers noted that Google has already cleaned up the cloud servers that hosted the two active domains, preventing the infection cycle. But the researchers also stated that the actors behind Spy Banker Trojan aren't giving up and are continuing to target Google's cloud services as a platform for the financial malware campaign.

"The malware authors are actively pushing out new versions of [Spy Banker Trojan] Telax (latest version 4.7) binaries and are abusing Google Cloud Servers to host the payload for infection," the report reads. "There is no vulnerability exploit being used in this campaign and the attackers are solely relying on social engineering to infect the end users."

Google's cloud services have been abused by attackers before; this summer cloud security firm Elastica discovered a phishing campaign hosted on Google Drive, which had been used by similar malware campaigns in previous years.

The Spy Banker Trojan Telax campaign also marks the second time in the last month that security researchers discovered a malware campaign that was abusing public cloud services. Researchers at security vendor FireEye Inc. earlier this month reported on a sophisticated spear phishing campaign that used cloud storage service Dropbox as its command and control infrastructure.

Next Steps

Find out how online banking malware is evolving.

Read more on the return of banking Trojan Vawtrak.

Discover how the Indian government leaked shadow data through Google Drive.

Dig Deeper on Public Cloud Computing Security