FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft

The FBI and CISA have jointly issued a security advisory, cautioning about the growing threat posed by the AndroxGh0st malware. Operators of this malware are actively engaged in constructing a botnet with the intent of carrying out Credential Theft and establishing Backdoor Access.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory (CSA) revealing that Androxgh0st malware operators are trying to create a powerful botnet for victim identification and exploitation in target networks.

It is worth noting that, the AndroxGh0st malware was initially reported in December 2022. Thereupon, cybercriminals have continued presenting malware variants within the same family. Notably, one such instance is the Legion malware, known for its capabilities in credential harvesting and SMS hijacking.

As per the advisory, the malware targets .env files containing sensitive information like cloud credentials for high-profile applications, including Amazon Web Services Inc. Microsoft Office 365, SendGrid, and Twilio using Python-scripted techniques.

Androxgh0st also supports functions to abuse the Simple Mail Transfer Protocol, such as scanning/exploiting credentials. It exploits vulnerabilities in web applications and servers, particularly those using the Laravel framework and PHPUnit, and certain versions of the Apache HTTP Server.

The threat actors have been using critical vulnerabilities, such as CVE-2017-9841, which allows remote PHP code execution via PHPUnit, and CVE-2021-41773, which affects Apache web servers running versions 2.4.49 or 2.4.50.

Androxgh0st malware TTPs involve scripts, scanning, and searching for websites with specific vulnerabilities. Threat actors exploit CVE-2017-9841 to run PHP code on fallible websites via PHPUnit remotely.

Furthermore, websites with exposed /vendor folders are subject to malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier. Threat actors use Androxgh0st to download malicious files and set up fake pages for backdoor access, allowing them to download additional malicious files and access databases.

Androxgh0st malware creates a botnet to scan and identify websites using the Laravel web application framework, determining if the domain’s root-level.env file is exposed. If exposed, they issue a GET request to the /.env URI or a POST request with a POST variable containing data sent to the web server. This method is used for websites in debug mode, where non-production websites are exposed to the internet.

A successful response allows threat actors to look for usernames, passwords, and credentials for services like email and AWS accounts. The malware can access the Laravel application key on a website, enabling attackers to encrypt PHP code and pass it as a value in the cross-site forgery request (XSRF) token cookie, allowing remote code execution and remote file upload via CVE-2018-15133 vulnerability.

Regarding CVE-2021-41773, Androxgh0st operators scan vulnerable web servers running Apache HTTP Server versions 2.4.49 or 2.4.50, identifying uniform resource locators for files outside the root directory through path traversal attacks. They can obtain service credentials, access sensitive data, and conduct malicious operations. They have been observed creating new users and policies and conducting additional scanning activity.

To combat malicious cyber activity, prioritize patching exploited vulnerabilities in internet-facing systems, ensure only necessary servers and services are exposed to the internet, and review platforms/services with credentials listed in .env files for unauthorized access or use.

For insights into the latest security advisory, we reached out to John A. Smith, CEO of Conversant Group. “The CISA advisory provides Indicators of Compromise, which are very helpful. We also advise that an ounce of prevention is worth a pound of cure—because AndroxGh0st is exploiting exposed .env files and unpatched vulnerabilities, it is well-advised to always inspect and monitor cloud environments regularly for any exposures and, have a very aggressive policy for out-of-band patching.”

****RELATED ARTICLES****

1. Qubitstrike Malware Hits Jupyter Notebooks for Cloud Data
2. Chinese APT Posing as Cloud Services to Spy on Cambodia
3. CISA Publishes List of Free Cybersecurity Tools and Services
4. Supply Chain Attack Targeting Telegram, AWS Alibaba Cloud Users
5. Hackers Exploiting Critical Vulnerabilities in Fortinet VPN – FBI-CISA