Androxgh0st Malware Botnet Steals AWS, Microsoft Credentials and More

The Federal Bureau of Investigation and Cybersecurity & Infrastructure Security Agency warned in a joint advisory about a threat actor deploying a botnet that makes use of the Androxgh0st malware. This malware is capable of collecting cloud credentials, such as those from AWS or Microsoft Azure and more, abusing the Simple Mail Transfer Protocol, and scanning for Amazon Simple Email Service parameters.
The Androxgh0st malware was first documented in December 2022 by Lacework, a cloud security company. The malware is written in Python and is primarily used to steal Laravel .env files, which contain secrets such as credentials for high-profile applications. For instance, organizations can integrate applications and platforms such as AWS, Microsoft Office 365, SendGrid or Twilio with the Laravel framework, with all of the applications’ secrets being stored in the .env file.
The botnet hunts for websites using the Laravel web application framework, then determines whether the domain’s root-level .env file is exposed and contains data for accessing additional services. The data in the .env file might be usernames, passwords, tokens or other credentials.
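The probing described above leaves a recognizable trace in web server access logs: requests for `/.env` at the site root. The following Python script is an added example, not code from the article or from any vendor it cites; it parses a small constructed sample of combined-format access log lines (the IP addresses, timestamps and user agents are made up) and separates successful retrievals, where the server actually served the file, from refused probes, so a defender can tell a scan from a confirmed exposure.

```python
import re
from collections import defaultdict

# Constructed sample of Apache/nginx combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 200 1523 "-" "python-requests/2.28.1"
203.0.113.10 - - [12/Jan/2024:10:00:02 +0000] "POST / HTTP/1.1" 200 312 "-" "python-requests/2.28.1"
198.51.100.7 - - [12/Jan/2024:10:05:11 +0000] "GET /index.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.55 - - [12/Jan/2024:10:07:40 +0000] "GET /app/.env HTTP/1.1" 404 196 "-" "curl/8.1.2"
203.0.113.55 - - [12/Jan/2024:10:07:41 +0000] "GET /.env HTTP/1.1" 403 199 "-" "curl/8.1.2"
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_env_probes(log_text):
    """Return one finding per request whose path targets a .env file.

    severity 'exposed' -> the server answered 2xx, i.e. the secrets file was served
    severity 'probed'  -> the server refused the request or had no such file
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path == "/.env" or path.endswith("/.env"):
            status = int(rec["status"])
            findings.append({
                "ip": rec["ip"],
                "path": path,
                "status": status,
                "severity": "exposed" if 200 <= status < 300 else "probed",
            })
    return findings


def summarize_by_ip(findings):
    """Count .env requests per client address, useful for blocking or alert thresholds."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_env_probes(SAMPLE_LOG):
        print(f)
    print(summarize_by_ip(find_env_probes(SAMPLE_LOG)))
```

Any `exposed` finding means the secrets in that file should be treated as compromised and rotated. The structural fix is the one Laravel documents: point the web server’s document root at the project’s `public/` directory so that `.env` sits outside the web root and cannot be requested at all.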
The cybersecurity company Fortinet published telemetry on Androxgh0st, which shows more than 40,000 devices infected by the botnet (Figure A).
Figure A: Fortinet telemetry showing more than 40,000 devices infected by the Androxgh0st botnet.
The FBI/CISA advisory states: “Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment.”
In addition, Androxgh0st can access the Laravel application key; if that key is exposed and accessible, the attackers will try to use it to encrypt PHP code that is passed to the website as a value for the XSRF-TOKEN variable. This is an attempt to exploit the CVE-2018-15133 vulnerability in some versions of the Laravel web application framework. A successful attempt allows the attacker to remotely upload files to the website. CISA added the CVE-2018-15133 Laravel deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities Catalog based on this evidence of active exploitation.
The threat actor deploying Androxgh0st has also been observed exploiting CVE-2017-9841, a vulnerability in the PHP testing framework PHPUnit that allows an attacker to execute code remotely on the website.
The threat actor also exploits CVE-2021-41773, a vulnerability in Apache HTTP Server that likewise allows an attacker to execute code remotely on the website.
Lacework wrote in late 2022 that “over the past year, nearly a third of compromised key incidents observed by Lacework are believed to be for the purposes of spamming or malicious email campaigns,” with the majority of the activity being generated by Androxgh0st.
The malware has multiple features that enable SMTP abuse, including scanning for Amazon Simple Email Service sending quotas, probably for future spamming.
The joint advisory from CISA and the FBI recommends taking the following actions:
In addition, it is advised to check for newly created users on any of the affected services, because Androxgh0st has been observed creating new AWS instances used for additional scanning activity.
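The check recommended above can be automated over CloudTrail data. The script below is an added example and is not from the advisory or the article; it triages a constructed batch of CloudTrail-style records (the field names follow CloudTrail’s record format, but every value is made up) and flags user, access-key and instance creation that comes from an unexpected principal or source address, including the pattern of a freshly created user that immediately starts launching instances. The allow-lists of known administrators and expected addresses are assumptions a real deployment would replace with its own.

```python
import json

# Constructed CloudTrail-style records: schema mirrors CloudTrail, values are invented.
SAMPLE_EVENTS = json.loads("""
{"Records": [
  {"eventTime": "2024-01-12T10:12:03Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
   "userIdentity": {"type": "IAMUser", "userName": "ses-mailer"}, "sourceIPAddress": "203.0.113.10",
   "requestParameters": {"userName": "backup-svc"}},
  {"eventTime": "2024-01-12T10:12:09Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
   "userIdentity": {"type": "IAMUser", "userName": "ses-mailer"}, "sourceIPAddress": "203.0.113.10",
   "requestParameters": {"userName": "backup-svc"}},
  {"eventTime": "2024-01-12T10:14:30Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
   "userIdentity": {"type": "IAMUser", "userName": "backup-svc"}, "sourceIPAddress": "203.0.113.10",
   "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-00000000", "minCount": 1, "maxCount": 1}]}}},
  {"eventTime": "2024-01-12T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
   "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
   "requestParameters": {"userName": "new-hire"}}
]}
""")

# API calls that create new principals, credentials or compute capacity.
WATCHED = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "RunInstances"}


def caller_of(event):
    """Best-effort name of the principal that made the call."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def triage(records, known_admins, expected_ips):
    """Return findings for watched events that look unexpected.

    A finding carries one or more reasons:
      - the caller is not an approved administrator
      - the call came from an address outside the expected set
      - the caller is a user that was itself created earlier in this batch
    """
    findings = []
    created = {}  # userName -> eventTime of the CreateUser call that made it
    for ev in sorted(records, key=lambda e: e["eventTime"]):
        name = ev["eventName"]
        if name not in WATCHED:
            continue
        caller = caller_of(ev)
        ip = ev.get("sourceIPAddress", "")
        reasons = []
        if caller not in known_admins:
            reasons.append("caller not in admin allow-list")
        if ip not in expected_ips:
            reasons.append("source IP outside expected set")
        if caller in created:
            reasons.append("principal created earlier in this batch")
        if name == "CreateUser":
            created[ev["requestParameters"]["userName"]] = ev["eventTime"]
        if reasons:
            findings.append({"time": ev["eventTime"], "event": name,
                             "caller": caller, "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Hypothetical allow-lists; replace with the organisation's real ones.
    for f in triage(SAMPLE_EVENTS["Records"], {"alice"}, {"198.51.100.7"}):
        print(f)
```

In practice the records would come from the CloudTrail log bucket or the Lake query API rather than an inline string, and the two allow-lists would be maintained configuration. The ordering step matters: sorting by `eventTime` is what lets the script link a user’s creation to that user’s later activity.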
Security solutions must be deployed on all of the organization’s endpoints and servers to detect suspicious activity. Wherever possible, your IT department should enable multifactor authentication on every service, so that an attacker in possession of valid credentials cannot use them on their own.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.