Ousaban

Malware Profile Updated 2 months ago
Ousaban is a banking trojan written primarily in Delphi. It is distributed through suspicious downloads, emails, or websites and installs without the user's knowledge. Once on a system, Ousaban can log keystrokes, capture screenshots, and phish for banking credentials using fake (cloned) banking portals. The malware is capable of causing significant disruption, stealing personal information, and even holding data hostage for ransom.

In February 2024, cybersecurity researchers warned of an increase in email phishing campaigns that abused the Google Cloud Run service to deliver several banking trojans, including Astaroth (also known as Guildma), Mekotio, and Ousaban (also referred to as Javali). These campaigns targeted victims across Latin America and Europe and used Google Cloud Run to distribute the trojans in large volumes.

Ousaban was one of the three banking trojans delivered in these Google Cloud Run campaigns, alongside Astaroth/Guildma and Mekotio. Cisco Talos observed that Ousaban was delivered at a later stage of the Astaroth infection chain, which suggests either collaboration between the operators of the two malware families or a single threat actor managing both. The misuse of Google Cloud Run to spread these trojans represents a significant escalation, underlining the need for stronger security controls and continued vigilance.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

Javali (1 vote)
Javali is a multistage malware that has been active since November 2017, primarily targeting customers of financial institutions in Portuguese- and Spanish-speaking countries, with a particular focus on Brazil and Mexico. Part of a group of banking trojans including Guildma, Melcoz, and Grandoreiro,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Google
Cisco
Trojan
Talos
Banking
Europe
Phishing
Malware
Associated Malware
ID / Type / Votes / Profile Description

Astaroth (type: Unspecified, 2 votes)
Astaroth, a malicious software (malware), has been identified as a significant threat due to its highly developed evasive skills and information stealing capabilities. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it

Mekotio (type: Unspecified, 1 vote)
Mekotio is a sophisticated and persistent banking trojan, primarily targeting financial systems in Latin American countries since at least 2015. This malicious software is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Typically

Grandoreiro (type: Unspecified, 1 vote)
Grandoreiro is a form of malware, specifically a banking Trojan, originating from Brazil. It is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites without the user's knowledge. Once inside, Grandoreiro can steal personal informa
Associated Threat Actors
ID / Type / Votes / Profile Description
No associations to display
Associated Vulnerabilities
ID / Type / Votes / Profile Description
No associations to display
Source Document References
Information about the Ousaban malware was read from the document corpus below. This display is limited to 20 results.

Source / Created At / Title

DARKReading (5 months ago)
Google's Cloud Run Service Spreads Several Bank Trojans

CERT-EU (5 months ago)
Google Cloud Run Abused in Massive Banking Trojan Operation

CERT-EU (5 months ago)
Banking Trojans Target Latin America and Europe Through Google Cloud Run

CERT-EU (5 months ago)
Cybercriminals Exploit Google Cloud Run in Extensive Banking Trojan Scheme

CERT-EU (5 months ago)
Hackers abuse Google Cloud Run in massive banking trojan campaign

SecurityIntelligence.com (a year ago)
BlotchyQuasar: X-Force Hive0129 targeting financial intuitions in LATAM with a custom banking trojan