Androxgh0st Malware Botnet Targets AWS and Microsoft Credentials: FBI and CISA Alert

January 16, 2024

The FBI and CISA issued a warning regarding threat actors utilizing the Androxgh0st malware to construct a botnet focused on cloud credential theft, and using the stolen credentials to deliver further malicious payloads. This botnet was initially discovered by Lacework Labs in 2022. It targets websites and servers that use the PHPUnit unit testing framework, the Laravel PHP web framework, and the Apache HTTP Server, each of which has a known remote code execution (RCE) vulnerability. The RCE flaws that these attacks exploit are CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel).

The two agencies warned, "Androxgh0st is a Python-scripted malware primarily used to target .env files that contain confidential information, such as credentials for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework)." They further noted that the Androxgh0st malware also supports numerous functions that can abuse the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and deploying web shells.
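As an added illustration (not code from the advisory or this article), the following script scans Apache access logs for the three entry points described above: probes for exposed Laravel .env files, requests for the PHPUnit eval-stdin.php endpoint behind CVE-2017-9841, and the encoded path traversal behind CVE-2021-41773. The request paths are taken from the public CVE descriptions rather than from this article, and the log lines are constructed sample data.

```python
import re

# Constructed Apache combined-format access log lines (sample data, not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2024:10:01:03 +0000] "POST /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2024:10:01:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 40 "-" "python-requests/2.31"
198.51.100.9 - - [16/Jan/2024:10:02:00 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 400 226 "-" "curl/8.0"
192.0.2.44 - - [16/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Request paths tied to the three entry points the advisory names. The eval-stdin.php location
# and the encoded ".%2e/" traversal come from the public CVE write-ups, not from this article.
INDICATORS = {
    "laravel_env_probe": re.compile(r"^/\.env(?:$|\?)"),
    "phpunit_cve_2017_9841": re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$", re.I),
    "apache_cve_2021_41773": re.compile(r"(?:\.%2e|%2e\.|%2e%2e)/", re.I),
}

def scan(log_text):
    """One finding per matching request; likely_success marks a 2xx/3xx answer (for /.env: the file was served)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for name, pattern in INDICATORS.items():
            if pattern.search(m["path"]):
                status = int(m["status"])
                findings.append({"ip": m["ip"], "indicator": name, "method": m["method"],
                                 "path": m["path"], "status": status,
                                 "likely_success": status < 400})
    return findings

def summarize(findings):
    """Group by source address so one host probing /.env and then PHPUnit stands out."""
    per_ip = {}
    for f in findings:
        entry = per_ip.setdefault(f["ip"], {"hits": 0, "indicators": set(), "successes": 0})
        entry["hits"] += 1
        entry["indicators"].add(f["indicator"])
        entry["successes"] += int(f["likely_success"])
    return per_ip

if __name__ == "__main__":
    for ip, info in summarize(scan(SAMPLE_LOG)).items():
        print(ip, info)
```

A 200 response to a /.env request is the finding to act on first, since it means the framework's secrets file was readable and the credentials it held should be treated as compromised and rotated.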

The threat actors can use stolen Twilio and SendGrid credentials to conduct spam campaigns while pretending to be the compromised companies. According to Lacework, "Depending on the usage, AndroxGh0st can perform one of two primary functions against acquired credentials. The most commonly observed of these is to check the email sending limit for the account to assess if it can be leveraged for spamming." The attackers have been seen creating counterfeit pages on compromised websites, providing them with a backdoor to access databases containing sensitive information and to deploy more malicious tools crucial for their operations.

After successfully identifying and compromising AWS credentials on a vulnerable website, they have also attempted to create new users and user policies. In addition, the Androxgh0st operators use the stolen credentials to establish new AWS instances for scanning more vulnerable targets on the Internet. The FBI and CISA recommend network defenders implement certain mitigation measures to limit the impact of Androxgh0st malware attacks and reduce the risk of compromise. They also requested information on Androxgh0st malware from organizations that detect suspicious or criminal activity related to this threat.

CISA included the CVE-2018-15133 Laravel deserialization of untrusted data vulnerability in its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. The US cybersecurity agency also directed federal agencies to protect their systems against these attacks by February 6. The CVE-2021-41773 Apache HTTP Server path traversal and CVE-2017-9841 PHPUnit command injection vulnerabilities were added to the catalog in November 2021 and February 2022, respectively.
