Androxgh0st Malicious Hackers Create Large Botnet, CISA and FBI Warn


Hackers behind the Androxgh0st malware are creating a powerful botnet, US cybersecurity agencies warned on Tuesday.

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on the malware, saying several ongoing investigations have allowed them to assess the tactics used by the threat actors deploying it.

The malware dates back to December 2022, when researchers at Lacework reported seeing it used in campaigns to steal a wide variety of credentials.

The agencies said they observed the Androxgh0st malware establishing a botnet “for the identification and exploitation of victims in target networks.” The botnet looks for .env files, which are commonly sought by bad actors because they store credentials and tokens.

The credentials come from “high-level applications,” such as Amazon Web Services, Microsoft Office 365, SendGrid and Twilio, the agencies said.

“The Androxgh0st malware also supports many functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as parsing and exploiting exposed credentials and application programming interfaces (APIs), as well as web shell deployment,” they said.

The malware is used as part of an effort to scan and find websites with specific vulnerabilities. The hackers behind the campaign “likely use Androxgh0st to upload malicious files to the system hosting the website,” the agencies said.

The malware also searches websites using the Laravel framework, a tool used for developing web applications. Once the botnet finds websites using Laravel, the hackers attempt to determine whether certain files are exposed and contain identifying information.

The advisory states that Laravel is affected by CVE-2018-15133, a vulnerability used by the botnet to access usernames, passwords and other credentials for services such as email (via SMTP) and AWS accounts. SMTP is used by mail servers to send, receive and relay outgoing emails between senders and recipients.
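As an added illustration that is not from the article or the advisory, the following Python script scans web server access logs for the `.env` requests described above. The log lines and IP addresses are constructed placeholders; a 200 response to such a request means the file, and any credentials in it, were actually served and should be treated as exposed.

```python
import re
from collections import Counter

# Constructed sample of combined-format access log lines (placeholder IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2024:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jan/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2024:10:02:11 +0000] "POST / HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Jan/2024:10:03:00 +0000] "GET /api/.env HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A dotenv file (optionally with a suffix such as .env.bak) anywhere in the path.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?(\?.*)?$')


def find_env_probes(log_text):
    """Return one dict per request that asked for a .env file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not ENV_PATH_RE.search(m['path']):
            continue
        hits.append({
            'ip': m['ip'],
            'path': m['path'],
            'status': int(m['status']),
            # 200 means the web server handed the file out: rotate its secrets.
            'served': m['status'] == '200',
        })
    return hits


def summarize_by_source(hits):
    """Count .env requests per source address, most active first."""
    return Counter(h['ip'] for h in hits).most_common()


if __name__ == '__main__':
    probes = find_env_probes(SAMPLE_LOG)
    for h in probes:
        flag = 'EXPOSED' if h['served'] else 'probe'
        print(f"{h['ip']:15} {h['status']} {flag:7} {h['path']}")
    print(summarize_by_source(probes))
```

Blocking requests for dotfiles at the web server and keeping `.env` outside the document root removes the condition the botnet is scanning for; the log check then tells you who is still trying.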

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on Tuesday. Federal civilian agencies have until February 6 to patch it.

“If malicious actors obtain credentials for services using the above methods, they may use those credentials to access sensitive data or use those services to conduct additional malicious operations,” the agencies said.

“For example, when malicious actors manage to identify and compromise the AWS credentials of a vulnerable website, they have been observed attempting to create new users and usage policies. Additionally, Androxgh0st actors have been observed creating new AWS instances to be used to conduct additional analytics activities.”

Cybersecurity expert John Smith said AndroxGh0st is another example of the growing threats to cloud infrastructure.

The malware is used for cryptojacking, spamming or malicious email campaigns and exploits unpatched vulnerabilities in web applications to move laterally and maintain persistence by creating accounts and escalating permissions.

Smith noted that because AndroxGh0st exploits exposed .env files and unpatched vulnerabilities, users are advised to regularly inspect and monitor cloud environments for exposure and have a very aggressive policy in out-of-band patching.

“We also believe that prevention is better than cure,” he said. “The cloud is certainly not ‘set it and forget it’; it must be secured and resecured like any other part of the warranty area.”

Several other experts have called AndroxGh0st “noisy” because of the trail of evidence it leaves behind and because it seeks out easily compromised systems.

Ken Dunham of Qualys noted that Fortinet reports approximately 40,000 hosts compromised as part of the botnet. Dunham added that the botnet “is growing as it attacks targets around the world that are misconfigured and vulnerable to attack.”


Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
