Headline
FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft
By Deeba Ahmed The AndroxGh0st malware was initially reported in December 2022. This is a post from HackRead.com Read the original post: FBI: Androxgh0st Malware Building Mega-Botnet for Credential Theft
The FBI and CISA have jointly issued a security advisory, cautioning about the growing threat posed by the AndroxGh0st malware. Operators of this malware are actively engaged in constructing a botnet with the intent of carrying out Credential Theft and establishing Backdoor Access.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory (CSA) revealing that Androxgh0st malware operators are trying to create a powerful botnet for victim identification and exploitation in target networks.
It is worth noting that, the AndroxGh0st malware was initially reported in December 2022. Thereupon, cybercriminals have continued presenting malware variants within the same family. Notably, one such instance is the Legion malware, known for its capabilities in credential harvesting and SMS hijacking.
As per the advisory, the malware targets .env files containing sensitive information like cloud credentials for high-profile applications, including Amazon Web Services Inc. Microsoft Office 365, SendGrid, and Twilio using Python-scripted techniques.
Androxgh0st also supports functions to abuse the Simple Mail Transfer Protocol, such as scanning/exploiting credentials. It exploits vulnerabilities in web applications and servers, particularly those using the Laravel framework and PHPUnit, and certain versions of the Apache HTTP Server.
The threat actors have been using critical vulnerabilities, such as CVE-2017-9841, which allows remote PHP code execution via PHPUnit, and CVE-2021-41773, which affects Apache web servers running versions 2.4.49 or 2.4.50.
Androxgh0st malware TTPs involve scripts, scanning, and searching for websites with specific vulnerabilities. Threat actors exploit CVE-2017-9841 to run PHP code on fallible websites via PHPUnit remotely.
Furthermore, websites with exposed /vendor folders are subject to malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier. Threat actors use Androxgh0st to download malicious files and set up fake pages for backdoor access, allowing them to download additional malicious files and access databases.
Androxgh0st malware creates a botnet to scan and identify websites using the Laravel web application framework, determining if the domain’s root-level.env file is exposed. If exposed, they issue a GET request to the /.env URI or a POST request with a POST variable containing data sent to the web server. This method is used for websites in debug mode, where non-production websites are exposed to the internet.
A successful response allows threat actors to look for usernames, passwords, and credentials for services like email and AWS accounts. The malware can access the Laravel application key on a website, enabling attackers to encrypt PHP code and pass it as a value in the cross-site forgery request (XSRF) token cookie, allowing remote code execution and remote file upload via CVE-2018-15133 vulnerability.
Regarding CVE-2021-41773, Androxgh0st operators scan vulnerable web servers running Apache HTTP Server versions 2.4.49 or 2.4.50, identifying uniform resource locators for files outside the root directory through path traversal attacks. They can obtain service credentials, access sensitive data, and conduct malicious operations. They have been observed creating new users and policies and conducting additional scanning activity.
To combat malicious cyber activity, prioritize patching exploited vulnerabilities in internet-facing systems, ensure only necessary servers and services are exposed to the internet, and review platforms/services with credentials listed in .env files for unauthorized access or use.
For insights into the latest security advisory, we reached out to John A. Smith, CEO of Conversant Group. “The CISA advisory provides Indicators of Compromise, which are very helpful. We also advise that an ounce of prevention is worth a pound of cure—because AndroxGh0st is exploiting exposed .env files and unpatched vulnerabilities, it is well-advised to always inspect and monitor cloud environments regularly for any exposures and, have a very aggressive policy for out-of-band patching.”
****RELATED ARTICLES****
- Qubitstrike Malware Hits Jupyter Notebooks for Cloud Data
- Chinese APT Posing as Cloud Services to Spy on Cambodia
- CISA Publishes List of Free Cybersecurity Tools and Services
- Supply Chain Attack Targeting Telegram, AWS Alibaba Cloud Users
- Hackers Exploiting Critical Vulnerabilities in Fortinet VPN – FBI-CISA
Related news
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that threat actors deploying the AndroxGh0st malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware, AndroxGh0st was first documented by Lacework in December 2022, with the malware
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that threat actors deploying the AndroxGh0st malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware, AndroxGh0st was first documented by Lacework in December 2022, with the malware
The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments. "Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP)," cloud
Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).