
Google Cloud Service Abused: Telax Online Banking Trojan Spreads Through American VPS

On December 11, foreign media reported that a cybercrime group used Google Cloud Platform to host and distribute an online banking trojan aimed mainly at Portuguese-speaking users in Brazil. Before the Zscaler security team detected it, the campaign had been running for some time and had already affected more than 100000 users. Zscaler analysts said the operation relied on classic social engineering, tricking users into clicking malicious bit.ly links.


To lure users into opening these links, the attackers posed as offering free discounts, vouchers, and even free versions of software such as Avast and WhatsApp.

A user who clicks the link out of curiosity usually receives a COM or EXE file hosted on Google Cloud. If the file is run manually, it installs a payload downloader on the computer.

A downloader, in security terminology, is malware whose job is to fetch and install further malware later on. In this campaign it eventually installs the Telax online banking trojan on the infected computer.

Zscaler researchers analyzed version 4.7 of the trojan and found that it targets only online banking customers in Brazil.


The trojan is quite complex. It has a modular architecture, uses command and control servers to exfiltrate stolen data, runs on both 32-bit and 64-bit systems, checks whether it is running in a reverse engineering environment, and includes tooling to capture and bypass two-step authentication mechanisms.

Zscaler obtained click statistics from the bit.ly short URLs and found that 99% of visits came from Brazil, which shows that the group's targeting was precise and effective.

The group was most active from October 19 to October 30; Google quickly removed the malicious files hosted on its cloud service.

As for the source of the traffic, 99% came from Facebook, but a few thousand clicks also arrived via independent domain names, many of them named after Kleyb Maxbell of Emas (a Brazilian city).