Lucene search

K
thnThe Hacker NewsTHN:3C4733CFC42DFD41ADDCA261E09C98E9
HistoryMar 21, 2024 - 12:48 p.m.

AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

2024-03-2112:48:00
The Hacker News
thehackernews.com
26
androxgh0st malware
laravel applications
sensitive data theft
aws credentials
twilio
smtp cracker
apache http server
phpunit
vulnerability scanning
botnet
database exfiltration
cve-2021-41773
cve-2017-9841
cve-2018-15133
u.s. cybersecurity
intelligence agencies
juniper threat labs
cloud-based applications
amazon web services
sendgrid
python malware
security flaws
web shell deployment
south korea
cryptocurrency miner
z0miner
fast reverse proxy
aws instances
ec2 instances
decentralized content distribution

8 High

AI Score

Confidence

Low

0.975 High

EPSS

Percentile

100.0%

AndroxGh0st Malware

Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that’s used to target Laravel applications and steal sensitive data.

“It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio,” Juniper Threat Labs researcher Kashinath T Pattan said.

“Classified as an SMTP cracker, it exploits SMTP using various strategies such as credential exploitation, web shell deployment, and vulnerability scanning.”

AndroxGh0st has been detected in the wild since at least 2022, with threat actors leveraging it to access Laravel environment files and steal credentials for various cloud-based applications like Amazon Web Services (AWS), SendGrid, and Twilio.

Attack chains involving the Python malware are known to exploit known security flaws in Apache HTTP Server, Laravel Framework, and PHPUnit to gain initial access and for privilege escalation and persistence.

Cybersecurity

Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for “victim identification and exploitation in target networks.”

“Androxgh0st first gains entry through a weakness in Apache, identified as CVE-2021-41773, allowing it to access vulnerable systems,” Pattan explained.

“Following this, it exploits additional vulnerabilities, specifically CVE-2017-9841 and CVE-2018-15133, to execute code and establish persistent control, essentially taking over the targeted systems.”

Androxgh0st is designed to exfiltrate sensitive data from various sources, including .env files, databases, and cloud credentials. This allows threat actors to deliver additional payloads to compromised systems.

Juniper Threat Labs said it has observed an uptick in activity related to the exploitation of CVE-2017-9841, making it essential that users move quickly to update their instances to the latest version.

AndroxGh0st Malware

A majority of the attack attempts targeting its honeypot infrastructure originated from the U.S., U.K., China, the Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia, and India, it added.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that vulnerable WebLogic servers located in South Korea are being targeted by adversaries and used them as download servers to distribute a cryptocurrency miner called z0Miner and other tools like fast reverse proxy (FRP).

It also follows the discovery of a malicious campaign that infiltrates AWS instances to create over 6,000 EC2 instances within minutes and deploy a binary associated with a decentralized content delivery network (CDN) known as Meson Network.

The Singapore-based company, which aims to create the “world’s largest bandwidth marketplace,” works by allowing users to exchange their idle bandwidth and storage resources with Meson for tokens (i.e., rewards).

Cybersecurity

“This means miners will receive Meson tokens as a reward for providing servers to the Meson Network platform, and the reward will be calculated based on the amount of bandwidth and storage brought into the network,” Sysdig said in a technical report published this month.

“It isn’t all about mining cryptocurrency anymore. Services like Meson network want to leverage hard drive space and network bandwidth instead of CPU. While Meson may be a legitimate service, this shows that attackers are always on the lookout for new ways to make money.”

With cloud environments increasingly becoming a lucrative target for threat actors, it is critical to keep software up to date and monitor for suspicious activity.

Threat intelligence firm Permiso has also released a tool called CloudGrappler, that’s built on top of the foundations of cloudgrep and scans AWS and Azure for flagging malicious events related to well-known threat actors.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.