The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about the Androxgh0st malware botnet. They have been conducting investigations to understand the tactics used by the hackers behind this malware.
According to Lacework researchers, the Androxgh0st malware was first discovered in December 2022 and has been used to steal various credentials.
Data from Fortiguard Labs showed that, almost a year ago, the malware had already taken control of over 40,000 devices.
The Androxgh0st Malware
The Androxgh0st credential-stealing botnet malware is designed to scan websites and servers for vulnerabilities that can be exploited for remote code execution (RCE).
It targets the following vulnerabilities:
- CVE-2017-9841 (PHPUnit unit testing framework)
- CVE-2021-41773 (Apache HTTP Server)
- CVE-2018-15133 (Laravel PHP web framework)
“Androxgh0st is a Python-scripted malware primarily used to target .env files that contain confidential information, such as credentials for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework),” CISA and FBI cautioned in their advisory.
“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment.”
The threat actors behind the Androxgh0st botnet malware can utilize stolen Twilio and SendGrid credentials to carry out spam campaigns, posing as the compromised companies.
“Depending on the usage, AndroxGh0st can perform one of two primary functions against acquired credentials. The most commonly observed of these is to check the email sending limit for the account to assess if it can be leveraged for spamming,” according to Lacework.
In addition, the attackers have been found to create fraudulent pages on compromised websites, granting them unauthorized access to databases that store sensitive information. This access allows them to deploy additional malicious tools crucial for their operations.
Androxgh0st Malware Botnet Can Also Change User Policies and Set Up New AWS Instances
Moreover, upon discovering and compromising vulnerable AWS credentials on a targeted website, the threat actors have attempted to create new users and user policies.
Additionally, the operators of the Androxgh0st malware leverage stolen credentials to set up new instances on AWS, enabling them to scan for more vulnerable targets across the internet.
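The two AWS behaviours described above (new IAM users and policies, new EC2 instances) leave a trail in CloudTrail. The following is an added detection example, not code from the advisory or from either research team: it scans CloudTrail records for those API calls made with an access key that belongs to a web application, on the reasoning that a Laravel app's key should never need to create users or launch instances. The records, the key ids (`AKIAPLACEHOLDER0001`, `AKIAADMINPLACEHOLDER`) and the user names are constructed placeholders.

```python
"""CloudTrail review for post-compromise use of a web app's AWS key.

Added example, not advisory code; records and key ids below are constructed."""
import json

# IAM/EC2 API calls matching the activity the advisory describes:
# new users and user policies, and new instances.
SUSPECT_EVENTS = {
    "iam.amazonaws.com": {"CreateUser", "PutUserPolicy", "AttachUserPolicy",
                          "CreatePolicy", "CreateAccessKey"},
    "ec2.amazonaws.com": {"RunInstances"},
}

# Placeholder key id standing in for the key that sat in the app's .env file.
APP_KEY_ID = "AKIAPLACEHOLDER0001"


def _record(time, source, name, user, key, ip, params):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "requestParameters": params,
            "userIdentity": {"type": "IAMUser", "userName": user,
                             "accessKeyId": key}}


SAMPLE_CLOUDTRAIL = json.dumps({"Records": [  # constructed
    _record("2024-01-16T02:00:00Z", "s3.amazonaws.com", "GetObject", "laravel-app",
            APP_KEY_ID, "198.51.100.10", {"bucketName": "app-uploads"}),
    _record("2024-01-16T02:10:00Z", "iam.amazonaws.com", "CreateUser", "laravel-app",
            APP_KEY_ID, "203.0.113.5", {"userName": "backup-svc"}),
    _record("2024-01-16T02:11:00Z", "iam.amazonaws.com", "PutUserPolicy", "laravel-app",
            APP_KEY_ID, "203.0.113.5", {"userName": "backup-svc", "policyName": "all"}),
    _record("2024-01-16T02:20:00Z", "ec2.amazonaws.com", "RunInstances", "laravel-app",
            APP_KEY_ID, "203.0.113.5", {"instanceType": "c5.large"}),
    _record("2024-01-16T09:00:00Z", "iam.amazonaws.com", "CreateUser", "ops-admin",
            "AKIAADMINPLACEHOLDER", "192.0.2.8", {"userName": "new-hire"}),
]})


def find_credential_abuse(cloudtrail_json, app_key_ids):
    """Return (eventTime, eventName, sourceIPAddress, target user) for every
    suspect API call made with one of the web application's access keys."""
    alerts = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in app_key_ids:
            continue  # calls by other principals are out of scope here
        if rec["eventName"] in SUSPECT_EVENTS.get(rec["eventSource"], ()):
            target = (rec.get("requestParameters") or {}).get("userName")
            alerts.append((rec["eventTime"], rec["eventName"],
                           rec["sourceIPAddress"], target))
    return alerts


if __name__ == "__main__":
    for alert in find_credential_abuse(SAMPLE_CLOUDTRAIL, {APP_KEY_ID}):
        print(*alert)
```

The check is keyed on the credential rather than on the API call alone, so the admin's legitimate `CreateUser` at 09:00 is not flagged while the same call made with the app's key is. In practice the set of app key ids comes from the `.env` files (or secret store) of the deployed applications, and the source IP of a hit is the first pivot for the rest of the investigation.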
The FBI and CISA recommend that network defenders implement the following mitigation measures to minimize the impact of Androxgh0st malware attacks and mitigate the risk of compromise:
- Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
- Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
- Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for accessibility.
- Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.
- Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them.
- Review any platforms or services whose credentials are listed in the .env file for unauthorized access or use: once for cloud credentials that were previously stored there, and on an ongoing basis for other types of credentials that cannot be removed.
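The mitigation list above is a set of checks a defender can script against a deployed Laravel/PHP application. The following is an added example, not code from the advisory: it checks the Apache version banner against the two releases named, lists PHP files in the web root and the PHPUnit `Util/PHP` folder that are not in a known-good baseline, flags `APP_DEBUG`/`APP_ENV` and any cloud or mail credentials still present in `.env`, and reviews an outbound-request log for `.php` fetches from file-hosting sites. The baseline set, the `.env` key patterns (`AWS_`, `SENDGRID_`, `TWILIO_`, `MAIL_PASSWORD`) and the domain list are assumptions to tune per deployment; the sample application tree and log lines are constructed.

```python
"""Audit checks for the FBI/CISA Androxgh0st mitigation list (added example, not
advisory code). Baseline, .env key patterns and domain list are assumptions to
tune per deployment; the sample app tree and log lines are constructed."""
import re
import tempfile
from pathlib import Path

VULNERABLE_APACHE_VERSIONS = {"2.4.49", "2.4.50"}          # CVE-2021-41773 releases
WATCHED_DIRS = ("", "vendor/phpunit/phpunit/src/Util/PHP")  # relative to app root
CREDENTIAL_KEY_RE = re.compile(r"^(AWS_|SENDGRID_|TWILIO_|MAIL_PASSWORD$)")  # assumed
FILE_HOSTING_DOMAINS = ("github.com", "raw.githubusercontent.com", "pastebin.com")  # assumed


def check_apache_version(banner):
    """Finding string if the httpd banner names one of the vulnerable releases."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    if m and m.group(1) in VULNERABLE_APACHE_VERSIONS:
        return f"Apache {m.group(1)} is affected by CVE-2021-41773; upgrade"
    return None


def find_unrecognized_php(root, baseline):
    """PHP files in the watched folders that are missing from the known-good
    baseline (paths relative to root, recorded from a clean deployment)."""
    root = Path(root)
    findings = []
    for sub in WATCHED_DIRS:
        folder = root / sub if sub else root
        for php in (sorted(folder.glob("*.php")) if folder.is_dir() else []):
            rel = php.relative_to(root).as_posix()
            if rel not in baseline:
                findings.append(f"unrecognized PHP file: {rel}")
    return findings


def audit_env_file(env_text):
    """Flag debug/testing mode and credentials still present in a Laravel .env."""
    findings = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key == "APP_DEBUG" and value.lower() == "true":
            findings.append("APP_DEBUG=true on a live app")
        if key == "APP_ENV" and value.lower() == "testing":
            findings.append("APP_ENV=testing on a live app")
        if CREDENTIAL_KEY_RE.match(key) and value:
            findings.append(f"credential in .env: {key} (remove and revoke)")
    return findings


def flag_php_fetches(log_lines):
    """URLs of outbound GETs that pull a .php file from a file-hosting site."""
    hits = []
    for line in log_lines:
        m = re.search(r"GET\s+(https?://([^/\s]+)(/\S*))", line)
        if m and m.group(2).endswith(FILE_HOSTING_DOMAINS) \
                and m.group(3).split("?")[0].endswith(".php"):
            hits.append(m.group(1))
    return hits


def build_sample_app():
    """Constructed Laravel-like tree with one planted problem per check."""
    root = Path(tempfile.mkdtemp())
    util = root / WATCHED_DIRS[1]
    util.mkdir(parents=True)
    (root / "index.php").write_text("<?php // legitimate front controller\n")
    (root / "x.php").write_text("<?php // not in the baseline\n")
    (util / "AbstractPhpProcess.php").write_text("<?php // shipped with phpunit\n")
    (util / "dropped.php").write_text("<?php // not in the baseline\n")
    (root / ".env").write_text("APP_ENV=production\nAPP_DEBUG=true\n"
                               'AWS_ACCESS_KEY_ID="AKIAPLACEHOLDER0001"\n'
                               "SENDGRID_API_KEY=\nMAIL_PASSWORD=s3cret\n")
    return root


BASELINE = {"index.php", "vendor/phpunit/phpunit/src/Util/PHP/AbstractPhpProcess.php"}
SAMPLE_EGRESS_LOG = [  # constructed outbound-request log
    "2024-01-17T10:00:01Z curl GET https://raw.githubusercontent.com/x/y/main/shell.php",
    "2024-01-17T10:00:02Z curl GET https://api.example.com/v1/status",
    "2024-01-17T10:00:03Z curl GET https://pastebin.com/raw/abcd",
]


def run_audit(root, apache_banner, log_lines):
    """Run every check and return the findings keyed by mitigation."""
    return {
        "apache": check_apache_version(apache_banner),
        "php_files": find_unrecognized_php(root, BASELINE),
        "env": audit_env_file((Path(root) / ".env").read_text()),
        "php_fetches": flag_php_fetches(log_lines),
    }


def audit_sample():
    """Audit the constructed sample app with a vulnerable Apache banner."""
    return run_audit(build_sample_app(), "Apache/2.4.49 (Unix)", SAMPLE_EGRESS_LOG)
```

Running `audit_sample()` reports the Apache 2.4.49 banner, the two PHP files outside the baseline (`x.php` in the web root and `dropped.php` under `Util/PHP`), `APP_DEBUG=true` plus the two non-empty credentials in `.env` (the empty `SENDGRID_API_KEY` is ignored), and the one outbound `.php` fetch from `raw.githubusercontent.com`. The baseline approach matters more than any fixed list of "known" PHPUnit files: record the file set from a clean deployment and diff against it, so anything dropped into the watched folders shows up regardless of name.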
The FBI also asked for information on Androxgh0st malware from organizations that detect suspicious or criminal activity linked to this threat.
Based on evidence of active exploitation, CISA has recently included the CVE-2018-15133 vulnerability related to Laravel deserialization of untrusted data in its Known Exploited Vulnerabilities Catalog.
As a result, federal agencies have been directed by the U.S. cybersecurity agency to ensure the security of their systems against these attacks by February 6.
It is worth noting that the CVE-2021-41773 vulnerability associated with Apache HTTP Server path traversal and the CVE-2017-9841 vulnerability involving PHPUnit command injection were added to the catalog in November 2021 and February 2022, respectively.