
AndroxGh0st Botnet

CISA and the FBI have jointly issued a warning regarding the activities of threat actors utilizing the Androxgh0st malware, who are actively constructing a botnet with a specific focus on the theft of cloud credentials. These malevolent actors leverage the collected information to deploy additional harmful payloads. Initially detected by cybersecurity researchers in 2022, this botnet had already gained control over more than 40,000 devices at that time.

The modus operandi of this botnet involves scanning for vulnerabilities in websites and servers susceptible to remote code execution (RCE). Notably, the threat actors target specific vulnerabilities, namely CVE-2017-9841 (associated with the PHPUnit unit testing framework), CVE-2021-41773 (linked to the Apache HTTP Server), and CVE-2018-15133 (related to the Laravel PHP web framework). By exploiting these vulnerabilities, the Androxgh0st malware facilitates unauthorized access and enables the theft of cloud credentials, posing a significant cybersecurity risk.

The AndroxGh0st Malware Targets Sensitive Data on Breached Devices

Androxgh0st, a Python-scripted malware, is primarily designed to target .env files that store confidential information, including credentials for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid and Twilio, within the Laravel Web application framework.

This malware boasts various functionalities, enabling the abuse of the Simple Mail Transfer Protocol (SMTP). It can scan and exploit exposed credentials and application programming interfaces (APIs), as well as deploy Web shells. The compromise of Twilio and SendGrid credentials allows threat actors to orchestrate spam campaigns, impersonating the breached companies.

Depending on its application, AndroxGh0st exhibits two primary functions against acquired credentials. The more frequently observed one involves checking the email sending limit of the compromised account to determine its suitability for spamming purposes.

The attackers have also demonstrated the creation of fake pages on compromised websites, establishing a backdoor for accessing databases containing sensitive information. This access is used to deploy additional threatening tools crucial to their operations. In instances where AWS credentials were successfully identified and compromised on vulnerable websites, the attackers attempted to create new users and user policies.

Moreover, Androxgh0st operators leverage stolen credentials to launch new AWS instances, allowing them to scan for additional vulnerable targets across the Internet as part of their ongoing operations.

How to Prevent Potential Androxgh0st Malware Attacks

To mitigate the impact of Androxgh0st malware attacks and minimize the risk of compromise, network defenders are advised to implement the following measures:

  • Keep Systems Updated: Ensure that all operating systems, software, and firmware are regularly updated. Specifically, verify that Apache servers are not running versions 2.4.49 or 2.4.50.
  • URI Configuration: Confirm that the default configuration for all Uniform Resource Identifiers (URIs) is set to deny all requests unless there is a specific and justified need for accessibility.
  • Laravel Application Settings: Ensure that any live Laravel applications are not in 'debug' or testing mode. Remove cloud credentials from .env files and revoke them. Perform a one-time review of previously stored cloud credentials and conduct ongoing reviews for other credential types that cannot be removed.
  • File System Scans: Scan the server's file system for unrecognized PHP files, with particular attention to the root directory and the /vendor/phpunit/phpunit/src/Util/PHP folder.
  • Outgoing GET Requests: Review outgoing GET requests, especially those using cURL commands, to file-hosting sites like GitHub or Pastebin. Pay special attention when the request accesses a .php file.
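The following script turns the Laravel, file-system and outbound-request checks above into something a defender can run against a deployment. It is an added example, not code from the article or from the CISA/FBI advisory. The .env contents, the directory tree and the egress log lines (and their single-line format) are constructed samples; the allowlist, the list of file-hosting hosts and the OFFICE365_CLIENT_SECRET key name are assumptions.

```python
"""Defender-side audit for the AndroxGh0st mitigation list (added example).

Not code from the article or the CISA/FBI advisory. All sample inputs below are
constructed; the allowlist, FILE_HOSTS and OFFICE365_CLIENT_SECRET are assumptions.
"""
import os
import re
import tempfile

# Credential keys AndroxGh0st harvests from Laravel .env files (AWS, Office 365,
# SendGrid, Twilio). OFFICE365_CLIENT_SECRET is an assumed name.
CREDENTIAL_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "SENDGRID_API_KEY",
                   "TWILIO_AUTH_TOKEN", "MAIL_PASSWORD", "OFFICE365_CLIENT_SECRET")

# Assumed file-hosting hosts to watch for in outbound GET requests.
FILE_HOSTS = ("github.com", "raw.githubusercontent.com", "pastebin.com")

# Folder the advisory names as a place to look for unrecognized PHP files.
PHPUNIT_UTIL = "vendor/phpunit/phpunit/src/Util/PHP"


def parse_env(env_text):
    """Parse KEY=value lines from a .env file, skipping blanks and comments."""
    kv = {}
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        kv[key.strip()] = value.strip().strip('"').strip("'")
    return kv


def audit_env(env_text):
    """Findings for a Laravel .env: debug/testing mode and cloud credentials stored in it."""
    kv = parse_env(env_text)
    findings = []
    if kv.get("APP_DEBUG", "false").lower() == "true":
        findings.append("APP_DEBUG=true")
    if kv.get("APP_ENV", "production").lower() in ("local", "testing"):
        findings.append("APP_ENV=" + kv["APP_ENV"])
    for key in CREDENTIAL_KEYS:
        if kv.get(key):  # non-empty: move it to a secrets store and rotate it
            findings.append("credential in .env: " + key)
    return findings


def find_unexpected_php(webroot, allowlist):
    """PHP files in the web root's top level or under vendor/phpunit/.../Util/PHP
    that are not in the allowlist (paths returned with forward slashes)."""
    suspect = []
    for dirpath, _dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        if rel_dir not in (".", PHPUNIT_UTIL):
            continue
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            rel = name if rel_dir == "." else rel_dir + "/" + name
            if rel not in allowlist:
                suspect.append(rel)
    return sorted(suspect)


# Constructed egress-log format: <timestamp> <src_ip> <method> <url> <status> "<user-agent>"
EGRESS_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def flag_egress(log_lines):
    """Flag outbound GETs to file-hosting sites; a cURL agent or a .php target raises priority."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = EGRESS_RE.match(line.strip())
        if not m:
            continue
        _ts, src, method, url, _status, ua = m.groups()
        host = re.match(r"https?://([^/:]+)", url)
        if method != "GET" or not host or host.group(1).lower() not in FILE_HOSTS:
            continue
        reasons = ["file-hosting site"]
        if ua.lower().startswith("curl/"):
            reasons.append("cURL user agent")
        if url.split("?", 1)[0].lower().endswith(".php"):
            reasons.append(".php target")
        hits.append({"line": n, "src": src, "url": url, "reasons": reasons,
                     "priority": "high" if len(reasons) > 1 else "low"})
    return hits


# ---- constructed sample inputs ------------------------------------------------
SAMPLE_ENV = """\
APP_ENV=local
APP_DEBUG=true
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000
AWS_SECRET_ACCESS_KEY="constructed-secret"
SENDGRID_API_KEY=
"""

SAMPLE_EGRESS = [
    '2024-01-16T10:02:11Z 10.0.0.12 GET https://raw.githubusercontent.com/x/y/main/a.php 200 "curl/7.81.0"',
    '2024-01-16T10:02:15Z 10.0.0.12 GET https://pastebin.com/raw/abcd1234 200 "curl/7.81.0"',
    '2024-01-16T10:03:00Z 10.0.0.20 GET https://github.com/laravel/framework/releases 200 "Mozilla/5.0"',
    '2024-01-16T10:04:00Z 10.0.0.12 POST https://api.example.net/v1/mail 200 "GuzzleHttp/7"',
]

# eval-stdin.php is the file PHPUnit itself ships in that folder; in production the
# phpunit package should not be deployed at all, so the allowlist is a demo assumption.
ALLOWLIST = {"index.php", PHPUNIT_UTIL + "/eval-stdin.php"}


def build_sample_webroot():
    """Throwaway Laravel-like tree with one unexpected PHP file in each watched spot."""
    root = tempfile.mkdtemp(prefix="androx-audit-")
    os.makedirs(os.path.join(root, PHPUNIT_UTIL))
    os.makedirs(os.path.join(root, "app", "Http"))
    for rel in ("index.php", "dropped.php", PHPUNIT_UTIL + "/eval-stdin.php",
                PHPUNIT_UTIL + "/x.php", "app/Http/Kernel.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
    return root


if __name__ == "__main__":
    print("env findings:", audit_env(SAMPLE_ENV))
    print("unexpected php:", find_unexpected_php(build_sample_webroot(), ALLOWLIST))
    for hit in flag_egress(SAMPLE_EGRESS):
        print("egress:", hit["priority"], hit["src"], hit["url"], hit["reasons"])
```

Run it against a real deployment by feeding `audit_env` the contents of the application's .env, pointing `find_unexpected_php` at the web root with an allowlist generated from a clean build, and replacing `SAMPLE_EGRESS` with lines from the proxy or egress logs reformatted to the expected layout. Files under app/ are deliberately out of scope here because the advisory singles out the root directory and the phpunit Util/PHP folder; widen the scope once the allowlist covers the whole tree.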

CISA has updated its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. The CVE-2018-15133 Laravel deserialization of untrusted data vulnerability was added, while the CVE-2021-41773 Apache HTTP Server path traversal and the CVE-2017-9841 PHPUnit command injection vulnerabilities were included in November 2021 and February 2022, respectively. These additions aim to enhance awareness and prompt proactive measures against known vulnerabilities associated with Androxgh0st.
