CISA and the FBI warned today that threat actors using Androxgh0st malware are building a botnet focused on cloud credential theft and using the stolen information to deliver additional malicious payloads.
First spotted by Lacework Labs in 2022, the botnet scans for websites and servers running versions of the PHPUnit unit testing framework, the Laravel PHP web framework, and the Apache HTTP Server that are affected by remote code execution (RCE) vulnerabilities.
RCE flaws targeted in these attacks include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel).
“Androxgh0st is a Python-scripted malware primarily used to target .env files that contain confidential information, such as credentials for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework),” the two agencies cautioned.
“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment.”
Stolen Twilio and SendGrid credentials can be used by the threat actors to conduct spam campaigns impersonating the breached companies.
“Depending on the usage, AndroxGh0st can perform one of two primary functions against acquired credentials. The most commonly observed of these is to check the email sending limit for the account to assess if it can be leveraged for spamming,” according to Lacework.
The attackers have been observed creating fake pages on compromised websites, providing them with a backdoor to access databases containing sensitive information and to deploy more malicious tools vital for their operations.
Upon successfully identifying and compromising AWS credentials on a vulnerable website, they’ve also tried creating new users and user policies.
Furthermore, Androxgh0st operators use stolen credentials to spin up new AWS instances for scanning additional vulnerable targets across the Internet.
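The scanning and credential-harvesting behaviour described above leaves a recognisable trail in web server access logs. As an added example (not code from the advisory, Lacework, or this article), the script below walks combined-format access log lines and flags the three request shapes the article associates with this activity: requests for Laravel `.env` files, requests into the PHPUnit `vendor/phpunit/phpunit/src/Util/PHP` folder, and percent-encoded dot sequences of the kind used in path-traversal attempts against Apache. The log lines are constructed for the example; the rule names and the `exposed_env` helper are this example's own.

```python
"""
Added example: detect Androxgh0st-style probing in Apache/nginx
combined-format access logs. Sample lines are constructed, not real.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Combined log format: client ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is (label, predicate over the lower-cased request path).
RULES = [
    # Laravel keeps credentials in .env; a request for it is credential theft.
    ("env-file-probe", lambda p: "/.env" in p),
    # The PHPUnit Util/PHP folder is a dev dependency that should never be web-reachable.
    ("phpunit-util-php", lambda p: "/vendor/phpunit/phpunit/src/util/php" in p),
    # Percent-encoded '.' in a path is a classic way to slip past path normalisation.
    ("encoded-traversal", lambda p: "%2e" in p),
]


@dataclass
class Hit:
    ip: str
    time: str
    path: str
    status: int
    rule: str


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Apply every rule to every parsable line; one Hit per (line, rule) match."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].lower()
        for label, pred in RULES:
            if pred(path):
                hits.append(Hit(rec["ip"], rec["time"], rec["path"], int(rec["status"]), label))
    return hits


def summarize(hits):
    """Counts per source IP and per rule, for blocklisting and triage."""
    return Counter(h.ip for h in hits), Counter(h.rule for h in hits)


def exposed_env(hits):
    """A 200 on a .env probe means the file was actually served: treat the credentials as stolen."""
    return [h for h in hits if h.rule == "env-file-probe" and h.status == 200]


# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 734 "-" "python-requests/2.28"
203.0.113.5 - - [10/Jan/2024:10:01:03 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/ HTTP/1.1" 404 196 "-" "python-requests/2.28"
198.51.100.9 - - [10/Jan/2024:10:02:10 +0000] "GET /static/%2e%2e/%2e%2e/config HTTP/1.1" 400 226 "-" "curl/7.68"
192.0.2.44 - - [10/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.rule:18} {h.ip:14} {h.status} {h.path}")
    by_ip, by_rule = summarize(found)
    print("per IP:", dict(by_ip), "per rule:", dict(by_rule))
    for h in exposed_env(found):
        print("ROTATE CREDENTIALS: .env was served to", h.ip, "at", h.time)
```

Run it against a real log with `scan(open("access.log"))`; the status code matters more than the hit itself, since a 404 on `/.env` is noise but a 200 means every credential in that file should be rotated.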
FBI and CISA advise network defenders to implement the following mitigation measures to limit the impact of Androxgh0st malware attacks and reduce the risk of compromise:
- Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
- Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
- Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them.
- On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
- Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
- Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.
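Several of the mitigations above can be checked mechanically on a Laravel host. The script below is an added example, not code from CISA, the FBI, or Laravel: it parses the application's `.env`, reports debug or testing mode and any credential-bearing keys still stored there, and lists PHP files in the web root (other than an allowlist) and in the PHPUnit `vendor/phpunit/phpunit/src/Util/PHP` folder for review. The credential key names are an assumption based on common Laravel configuration, the `public/` web root is Laravel's default layout, and the sample tree and `.env` contents are constructed for the example.

```python
"""
Added example: audit a Laravel deployment against the advisory's .env and
PHP-file mitigations. Key names and sample data are assumptions/constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumption: .env keys that commonly hold the credentials Androxgh0st harvests.
CREDENTIAL_KEYS = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "MAIL_USERNAME", "MAIL_PASSWORD",
    "SENDGRID_API_KEY", "TWILIO_SID", "TWILIO_AUTH_TOKEN",
}

ENV_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
PHPUNIT_UTIL = Path("vendor/phpunit/phpunit/src/Util/PHP")  # folder named in the advisory


def parse_env(text):
    """Minimal .env parser: KEY=VALUE lines, skips comments/blanks, strips matching quotes."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        env[key] = val
    return env


def audit_env(env):
    """Findings for debug/testing mode and for credentials that should not live in .env."""
    findings = []
    if env.get("APP_DEBUG", "false").lower() in ("true", "1"):
        findings.append("APP_DEBUG is enabled: debug pages can expose .env contents")
    if env.get("APP_ENV", "production").lower() in ("local", "testing"):
        findings.append(f"APP_ENV={env['APP_ENV']}: non-production mode on a live host")
    for key in sorted(CREDENTIAL_KEYS & env.keys()):
        if env[key]:  # empty values are placeholders, not secrets
            findings.append(f"{key} is stored in .env: move it to a secrets store and rotate it")
    return findings


def unexpected_php_files(app_root, public_dir="public", allowed=("index.php",)):
    """PHP files directly in the web root other than the allowlist, plus any PHP file
    under the PHPUnit Util/PHP folder (a dev dependency that should not be deployed)."""
    root = Path(app_root)
    suspicious = [p for p in (root / public_dir).glob("*.php") if p.name not in allowed]
    util = root / PHPUNIT_UTIL
    if util.is_dir():
        suspicious.extend(util.rglob("*.php"))
    return sorted(p.relative_to(root).as_posix() for p in suspicious)


# Constructed sample .env; the key value is an obvious placeholder, not a real credential.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=local
APP_DEBUG=true
AWS_ACCESS_KEY_ID="AKIA-PLACEHOLDER-NOT-REAL"
AWS_SECRET_ACCESS_KEY=placeholder-secret-value
MAIL_PASSWORD=
# DB settings omitted
"""


def make_constructed_tree():
    """Build a throwaway app tree with one stray root PHP file and one file in Util/PHP."""
    d = Path(tempfile.mkdtemp(prefix="laravel-audit-"))
    (d / "public").mkdir()
    (d / PHPUNIT_UTIL).mkdir(parents=True)
    for rel in ("public/index.php", "public/x.php", PHPUNIT_UTIL / "dropped.php"):
        (d / rel).write_text("<?php\n")
    (d / ".env").write_text(SAMPLE_ENV)
    return str(d)


if __name__ == "__main__":
    app = make_constructed_tree()
    for f in audit_env(parse_env(Path(app, ".env").read_text())):
        print("ENV:", f)
    for f in unexpected_php_files(app):
        print("REVIEW PHP FILE:", f)
```

Point `unexpected_php_files` and `parse_env` at a real application root to use it on a host; anything reported under the PHPUnit path deserves a look regardless of name, because a production deployment should not ship that dev dependency at all.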
The FBI also asked for information on Androxgh0st malware from organizations that detect suspicious or criminal activity linked to this threat.
CISA added the CVE-2018-15133 Laravel deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities Catalog today based on this evidence of active exploitation.
The U.S. cybersecurity agency also ordered federal agencies to secure their systems against these attacks by February 6.
The CVE-2021-41773 Apache HTTP Server path traversal and CVE-2017-9841 PHPUnit command injection vulnerabilities were added to the catalog in November 2021 and February 2022, respectively.