Zscaler has identified a new Spy Banking Trojan which is using Google Cloud Servers, and targeting Portuguese speakers in Brazil.
The cyber security firm says that Google Cloud Servers are used to host the initial Spy Banker Downloader Trojan, which then installs the Spy Banker Trojan Telax.
The attackers are luring users to download and install the malicious payload via social engineering techniques, offering coupon vouchers and software like popular messaging app WhatsApp, and antivirus software tool Avast.
Social media is being used to spread a bit.ly shorted URL that points to the server hosting the malicious payload, says the firm: "The attack starts with a shortened URL posted on a social networking site or via drive by download from malicious sites posing to offer premium software or coupons."
That shortened link sends users to a PHP file hosted on a Google Cloud Server that redirects to the initial Spy Banker Downloader Trojan payload.
An executable file named receitanet.com is pretending to be Brazil’s federal revenue online tax returns service, and other themes offering fake premium software applications and discount vouchers also exist via differently named files.
Zscaler says "that Google has already cleaned up the cloud servers being currently redirected by these two active sites and hence the infection cycle will fail with a 404 Not Found message."