[x] Block these three banking trojans: Astaroth / Guildma, Mekotio and Ousaban.
Description
Since September 2023, we have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. Some of the highest-volume campaigns recently observed were being used to deliver the Astaroth, Mekotio, and Ousaban banking trojans to victims largely located in Latin American countries. We have also observed lower-volume campaigns with victims located throughout Europe and North America, which may indicate less geographically focused targeting by threat actors moving forward. The current variant of Astaroth targets more than 300 institutions across 15 Latin American countries.
Enhancement idea
Astaroth / Guildma, Mekotio and Ousaban.
Links
https://blog.talosintelligence.com/google-cloud-run-abuse/
https://storage.googleapis.com/blogs-images/ciscoblogs/1/2020/05/85f1cf8c-astaroth_domains.txt
https://threatfox.abuse.ch/browse/malware/win.astaroth/
https://threatfox.abuse.ch/browse/malware/win.mekotio/
https://threatfox.abuse.ch/browse/malware/win.ousaban/
IOC
I2P websites
n/a
IPFS websites
n/a
Tor2web websites
n/a
TOR websites
n/a
URLs
n/a
Folders
n/a
Sub-Domains
n/a
Domains
IPs
Emails
n/a
Wallet addresses
n/a
Mining pool addresses
n/a