Androxgh0st Malware Botnet Steals AWS, Microsoft Credentials, and More


The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warned in a joint advisory about a threat actor deploying a botnet built on the Androxgh0st malware. The malware harvests cloud credentials, such as those for AWS and Microsoft Office 365, abuses the Simple Mail Transfer Protocol, and scans for Amazon Simple Email Service parameters.

What is Androxgh0st malware?

The Androxgh0st malware was exposed in December 2022 by Lacework, a cloud security company. The malware is written in Python and is primarily used to steal Laravel .env files, which hold the secrets an application needs to talk to third-party services. For example, organizations integrate platforms such as AWS, Microsoft Office 365, SendGrid or Twilio with the Laravel framework, and the credentials for all of those integrations are stored in the .env file.

The botnet searches for websites using the Laravel web application framework before determining whether the domain's root-level .env file is exposed and contains data to access additional services. The data in the .env file can be usernames, passwords, tokens, or other credentials.

Cybersecurity company Fortinet published telemetry on Androxgh0st showing more than 40,000 devices infected by the botnet (Figure A).

Figure A

Number of devices infected by Androxgh0st. Image: Fortinet

The FBI/CISA advisory states: “The Androxgh0st malware also supports numerous features capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs) and web shell implementation.”

How can Androxgh0st malware exploit old vulnerabilities?

Additionally, Androxgh0st can access the Laravel application key (APP_KEY). If that key is exposed and accessible, attackers will attempt to use it to encrypt a PHP payload that is passed to the website as the value of the XSRF-TOKEN cookie. This is an attempt to exploit CVE-2018-15133, a deserialization vulnerability in some versions of the Laravel web application framework: affected versions decrypt the token with the application key and hand the result to unserialize(), so an attacker who holds the key can supply a crafted serialized object and execute code on the server, which in practice lets the attacker remotely upload files to the website. CISA added CVE-2018-15133 (Laravel Deserialization of Untrusted Data Vulnerability) to its Known Exploited Vulnerabilities catalog based on this evidence of active exploitation.

The threat actor deploying Androxgh0st has also been observed exploiting CVE-2017-9841, a vulnerability in the PHP testing framework PHPUnit: when the development-only script Util/PHP/eval-stdin.php is reachable over the web, an attacker can POST PHP code to it and have the server execute it.

CVE-2021-41773, a path traversal vulnerability in Apache HTTP Server 2.4.49, is also exploited by the threat actor. It lets an attacker read files outside the configured document root and, where CGI scripts are enabled, execute code on the server.
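The three probes described above all leave recognisable traces in the web server's access log, and the advisory's mitigation list also asks for a review of outbound GET requests to file-hosting sites. The following is an added example (my own code, not from the advisory, Lacework or Fortinet) that runs those checks over a handful of constructed log lines: requests for a root or sub-directory .env file, requests for PHPUnit's eval-stdin.php (CVE-2017-9841), encoded-dot path traversal of the CVE-2021-41773 shape, and egress fetches of .php files from GitHub or Pastebin. The log format is Apache/nginx "combined"; the egress format is a made-up five-field line, and the IPs and URLs are documentation placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache/nginx combined-format access-log lines (made up for this example,
# using documentation IP ranges); the first four imitate the probes described in the text.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/Jan/2024:10:01:03 +0000] "POST /admin/.env HTTP/1.1" 404 162 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/Jan/2024:10:01:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/Jan/2024:10:01:06 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.20 - - [16/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [16/Jan/2024:10:02:01 +0000] "GET /css/app.css?v=%2e%2e HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# CVE-2021-41773 abused URL-encoded dots ("." + "%2e", "%2e%2e") that 2.4.49 failed to
# normalise; match on the *raw* path, because decoding turns them into an ordinary "../".
TRAVERSAL_RE = re.compile(r"(?i)(\.%2e|%2e\.|%2e%2e)/")


def classify_request(target, status):
    """Return (rule, severity) for one request target, or None if it looks benign."""
    raw_path = urlsplit(target).path     # query string is ignored; encoding preserved
    path = unquote(raw_path)             # decoded form for the file-name checks
    # A 200 means the server actually served the file: treat that as critical.
    severity = "critical" if status == 200 else "high"
    if path == "/.env" or path.endswith("/.env"):
        return ("env-probe", severity)
    if path.endswith("/eval-stdin.php"):
        return ("phpunit-eval-stdin", severity)
    if TRAVERSAL_RE.search(raw_path):
        return ("apache-traversal", severity)
    return None


def scan_access_log(lines):
    """Parse combined-format lines and return the suspicious ones as finding dicts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m["target"], int(m["status"]))
        if hit:
            rule, severity = hit
            findings.append({"ip": m["ip"], "time": m["ts"], "rule": rule,
                             "severity": severity, "method": m["method"],
                             "target": m["target"]})
    return findings


# Constructed egress/proxy log lines, "<time> <client> <method> <url> <status>" (made-up format).
SAMPLE_EGRESS_LOG = [
    "2024-01-16T10:05:00Z 10.0.0.5 GET https://raw.githubusercontent.com/example/repo/main/shell.php 200",
    "2024-01-16T10:06:00Z 10.0.0.9 GET https://github.com/example/repo/releases/download/v1/app.tar.gz 200",
    "2024-01-16T10:07:00Z 10.0.0.9 GET https://pastebin.com/raw/example 200",
]
FILE_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.githubusercontent.com", "pastebin.com"}


def flag_egress(lines):
    """Flag outbound GETs to file-hosting sites that fetch a .php file.

    A raw paste has no extension, so it is not caught here; that case needs a
    content check on the fetched body rather than a URL rule.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "GET":
            continue
        url = urlsplit(parts[3])
        if url.hostname in FILE_HOSTS and url.path.lower().endswith(".php"):
            hits.append({"client": parts[1], "url": parts[3]})
    return hits


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['severity']:8} {f['rule']:20} {f['ip']} {f['method']} {f['target']}")
    for h in flag_egress(SAMPLE_EGRESS_LOG):
        print(f"egress   php-from-file-host   {h['client']} {h['url']}")
```

Severity is keyed on the status code on purpose: a 404 for /.env tells you someone is scanning, a 200 tells you the secrets left the building and every credential in that file must be revoked, not just rotated at leisure. The traversal check deliberately looks at the undecoded path, since the bug being signatured is precisely a failure to normalise encoded dots.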

What is known about the spam purpose of the Androxgh0st malware?

Lacework wrote in late 2022 that “over the past year, almost a third of key compromise incidents observed by Lacework are believed to have targeted spam or malicious email campaigns,” with most of the activity being generated by Androxgh0st.

The malware has multiple functions to enable SMTP abuse, including scanning Amazon Simple Email Service sending quotas, likely for future spam use.

How to protect yourself from this Androxgh0st malware threat

The joint advisory from CISA and the FBI recommends taking the following actions:

  • Keep all operating systems, software and firmware up to date. In particular, Apache servers must be up to date: as this article shows, attackers are still exploiting an Apache web server vulnerability that was patched in 2021.
  • Verify that the default setting for all URIs is to deny access unless there is a specific need for it to be accessible from the Internet.
  • Ensure that Laravel applications are not configured to run in debug or test mode, as this could allow attackers to exploit weaknesses more easily.
  • Remove all cloud credentials from the .env files and revoke them. As CISA and the FBI state, “all cloud providers have more secure ways of providing temporary, frequently rotated credentials to code running inside a web server without storing them in any files.”
  • Review any platform or service that uses .env files for unauthorized access or use.
  • Look for unknown or unrecognized PHP files, particularly in the root folder of the web server and in the /vendor/phpunit/phpunit/src/Util/PHP folder if the web server uses PHPUnit.
  • Review outgoing GET requests to file hosting platforms (for example, GitHub and Pastebin), especially when the request accesses a .php file.

Additionally, review each affected service for newly created users, because Androxgh0st has been observed creating new AWS instances that it then uses for additional scanning activity.

Security solutions should be implemented on all endpoints and servers in the organization to detect any suspicious activity. Where possible, your IT department should implement multi-factor authentication across all services to avoid being compromised by an attacker in possession of valid credentials.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.
