The FBI has issued an alert over a Python-scripted malware which is being used to steal passwords, keys, and other credentials for services such as AWS, Microsoft Office 365, SendGrid, and Twilio.
The US law enforcement agency, along with the Cybersecurity and Infrastructure Security Agency (CISA), has published a warning about hackers using the Androxgh0st malware, advising at-risk organizations to remain highly vigilant.
Androxgh0st is Python-scripted malware being used to target Laravel .env files that hold credentials for the aforementioned services and applications. Laravel is an open source PHP web framework.
The malware has been around for some time, the advisory noted. It was first observed by security researchers at Laceworks in December 2022, who said .env files are often targeted to gain access to critical configuration data.
At the time, Laceworks said that nearly one-third of compromised key incidents they had seen were connected to spamming or malicious email campaigns, with the majority of the activity linked to Androxgh0st.
In March 2023, security researchers at FortiGuard Labs said they were seeing a spike of “in the wild attempts by the Androxgh0st malware” against more than 40,000 devices a day - a figure which seems to have remained constant since.
The agencies said ongoing investigations had revealed that Androxgh0st malware was being used to build a botnet that can be used in turn to identify and compromise more vulnerable networks.
“Androxgh0st malware establishes a botnet for victim identification and exploitation in vulnerable networks, and targets files that contain confidential information, such as credentials, for various high profile applications,” the agencies said.
If threat actors obtain credentials for any services they use, these can be harnessed to access sensitive data or to use these services to conduct yet more attacks. For example, when the hackers have managed to steal AWS credentials from a website, they have been observed trying to create new users and user policies.
They’ve also been spotted creating new AWS instances to conduct additional scanning activity.
What does Androxgh0st malware do?
Alarm raised over patched Phemedrone Stealer malware that's being used to target Windows PCsGitHub scrambles to rotate keys after credentials in production containers were potentially exposedAlmost 180,000 SonicWall firewall devices are vulnerable to DoS and possible RCE attacks
Androxgh0st malware attacks involve the use of scripts, conducting scanning and searching for websites with specific vulnerabilities. In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run PHP code on vulnerable websites via PHPUnit.
The attackers probably use Androxgh0st to download malicious files to the system hosting the website. They are also able to set up a fake to provide backdoor access to the website - this allows them to download additional malicious files for their operations, and access databases.
Androxgh0st malware also builds a botnet to scan for websites using the Laravel web application framework. After identifying websites using Laravel, the hackers then try to find out if the domain’s root-level .env file is exposed and contains credentials for accessing additional services.
These .env files commonly store credentials and tokens, and the attackers are apparently looking for usernames, passwords, or other credentials for services such as email - via SMTP - and AWS accounts.
Androxgh0st attackers have also been observed scanning vulnerable web servers running Apache HTTP Server versions 2.4.49 or 2.4.50 in an attempt to exploit CVE-2021-41773.
Threat actors can identify URLs for files outside the root directory and if these files are not protected by the “request all denied” configuration and CGI scripts are enabled, this may allow for remote code execution.
How do you defend against Androxgh0st?
The FBI and CISA recommend a number of steps to keep your networks safe from attackers using Androxgh0st malware.
These include:
- Ensure that Apache servers are not running versions 2.4.49 or 2.4.50 - organizations should prioritize patching known exploited vulnerabilities in internet-facing systems.
- Double check that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
- Make sure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them.
- Review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
- Scan the server’s file system for unrecognized PHP files, especially in the root directory.
- Review outgoing GET requests to file hosting sites such as GitHub or pastebin, particularly when the request accesses a .php file.
