Advisory ID: NCC-CSIRT-220124-001
Summary: Warnings have been issued by U.S. federal agencies, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), regarding the emergence of a significant botnet set up by threat actors using the Androxgh0st malware. The botnet is used to distribute malicious payloads after cloud credentials have been compromised. Observations indicate that the threat actors operating the botnet systematically check compromised accounts for email sending limits, which facilitates their spamming activities. Additionally, these actors have been observed creating deceptive pages on compromised websites that serve as a covert entry point to databases containing sensitive data; this access allows them to deploy additional malicious tools crucial to their operations.
Threat Type(s): Malware, Botnet, Vulnerability, and Spam
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Amazon Web Services (AWS), Twilio, Microsoft Office 365, Microsoft Azure, and SendGrid
Platform(s): Cloud Platform
Version(s): All Versions
Description: The Androxgh0st malware is a Python script primarily designed to target '.env' files containing sensitive information related to prominent cloud applications, such as Amazon Web Services (AWS), Microsoft Office 365, Microsoft Azure, SendGrid, and Twilio; such files are commonly associated with the Laravel web application framework. The malware uses the Simple Mail Transfer Protocol (SMTP) for deploying web shells (a web shell is a malicious program used to access a web server remotely during cyberattacks) and takes advantage of leaked credentials. It systematically scans servers and websites for specific vulnerabilities associated with remote code execution, including those in the Apache HTTP Server, the PHPUnit testing framework, and the Laravel PHP web framework. Once it identifies and compromises cloud credentials on a vulnerable website, there have been instances of attempts to create new users and user policies.
Consequences:
- Androxgh0st malware is capable of scanning for and exploiting exposed credentials and application programming interfaces (APIs), and of deploying web shells.
- Stolen Twilio and SendGrid credentials can be used by the threat actors to conduct spam campaigns impersonating the breached companies.
- Androxgh0st operators use stolen credentials to spin up new AWS instances for scanning additional vulnerable targets across the Internet.
Solution: Organizations' network defenders should implement the following mitigation measures:
- Keep all operating systems, software, and firmware updated. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
- Verify that the default configuration for all URIs is set to deny all requests unless there is a specific need for accessibility.
- Ensure that any active Laravel applications are not in "debug" or testing mode. Remove all cloud credentials from .env files and promptly revoke them.
- Conduct a one-time review for previously stored cloud credentials and perform ongoing assessments for other credential types that cannot be removed. Check platforms or services listed in the .env file for any signs of unauthorized access or use.
- Scan the server's file system for any unfamiliar PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
- Monitor outgoing GET requests (for example, those made with the cURL command) to file hosting sites such as GitHub or Pastebin, especially when the request retrieves a '.php' file.
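The following audit script is an added example for the mitigation steps above; it is not part of the advisory or of any referenced tool. It checks a Laravel application tree for the three indicators the advisory names: debug or non-production settings and stored cloud/mail credentials in the .env file, unexpected .php files in the application root and in the vendor/phpunit/phpunit/src/Util/PHP folder, and outbound GET requests for .php files on GitHub or Pastebin in egress-proxy log lines. The credential key names, the PHPUnit file baseline, the root allowlist, the host list, the proxy-log format and the sample tree are all assumptions constructed for the example.

```python
"""Audit a Laravel application tree for the .env and file-system indicators listed in the advisory."""
import re
import tempfile
from pathlib import Path

# .env keys that hold cloud or mail credentials (assumed list of conventional Laravel/SDK names; extend it).
CREDENTIAL_KEYS = frozenset({
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "SENDGRID_API_KEY", "TWILIO_SID",
    "TWILIO_AUTH_TOKEN", "MAIL_USERNAME", "MAIL_PASSWORD", "AZURE_CLIENT_SECRET",
})
PHPUNIT_UTIL_PHP = Path("vendor/phpunit/phpunit/src/Util/PHP")  # folder named in the advisory
# Assumed baseline of PHP files PHPUnit itself ships in that folder; regenerate it from a clean install.
PHPUNIT_BASELINE = frozenset({"AbstractPhpProcess.php", "DefaultPhpProcess.php",
                              "WindowsPhpProcess.php", "eval-stdin.php"})
ROOT_ALLOWLIST = frozenset({"server.php"})  # assumed: the only .php a Laravel root should contain
FILE_HOSTS = ("github.com", "githubusercontent.com", "pastebin.com")  # hosting sites named in the advisory


def parse_env(text):
    """Minimal KEY=value parser for Laravel .env files (comments and quoted values handled)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def env_is_truthy(value):
    """Laravel's env() treats true, (true), 1 and similar spellings as boolean true."""
    return value.strip().strip("()").lower() in {"true", "1", "yes", "on"}


def audit_env(env):
    """Flag debug/testing mode and any credential that is stored in the .env file."""
    findings = []
    if env_is_truthy(env.get("APP_DEBUG", "false")):
        findings.append(("debug_mode", "APP_DEBUG is enabled; error pages can expose configuration"))
    if env.get("APP_ENV", "production").lower() != "production":
        findings.append(("non_production_env", "APP_ENV=" + env["APP_ENV"]))
    for key in sorted(k for k in CREDENTIAL_KEYS if k in env):
        if env[key]:  # an empty value means nothing is stored for that key
            findings.append(("stored_credential", key + " is set in .env; move to a secrets store and rotate"))
    return findings


def audit_php_files(root, phpunit_baseline=PHPUNIT_BASELINE, root_allowlist=ROOT_ALLOWLIST):
    """Flag .php files in the application root and non-baseline files in PHPUnit's Util/PHP folder."""
    findings = []
    for path in sorted(root.glob("*.php")):
        if path.name not in root_allowlist:
            findings.append(("unexpected_root_php", path.name))
    util_dir = root / PHPUNIT_UTIL_PHP
    if util_dir.is_dir():
        for path in sorted(util_dir.rglob("*.php")):
            if path.name not in phpunit_baseline:
                findings.append(("unexpected_phpunit_php", path.relative_to(root).as_posix()))
    return findings


def audit_laravel_app(root, phpunit_baseline=PHPUNIT_BASELINE, root_allowlist=ROOT_ALLOWLIST):
    env_file = root / ".env"
    env = parse_env(env_file.read_text()) if env_file.is_file() else {}
    return audit_env(env) + audit_php_files(root, phpunit_baseline, root_allowlist)


def flag_outbound_php_fetches(log_lines):
    """Return URLs of GET requests for .php files on the listed hosting sites (assumed proxy-log format)."""
    hits = []
    for line in log_lines:
        match = re.search(r"\bGET\s+(https?://([^/\s]+)(\S*))", line)
        if not match:
            continue
        url, host, path = match.group(1), match.group(2).lower(), match.group(3).split("?", 1)[0]
        if path.lower().endswith(".php") and any(host == h or host.endswith("." + h) for h in FILE_HOSTS):
            hits.append(url)
    return hits


# Constructed egress-proxy lines (sample data, not real traffic).
SAMPLE_PROXY_LOG = [
    "2024-01-22T10:14:03Z web01 curl GET https://raw.githubusercontent.com/example/repo/main/shell.php 200",
    "2024-01-22T10:14:09Z web01 curl GET https://api.example.com/v1/status 200",
    "2024-01-22T10:15:41Z web01 curl GET https://pastebin.com/raw/abcd1234 200",
    "2024-01-22T10:16:02Z web01 curl GET https://pastebin.com/raw/x.php?dl=1 200",
]


def build_sample_app(root):
    """Write a constructed Laravel-like tree containing each issue the audit should catch."""
    (root / "public").mkdir(parents=True)
    (root / "public" / "index.php").write_text("<?php // legitimate front controller\n")
    util = root / PHPUNIT_UTIL_PHP
    util.mkdir(parents=True)
    (util / "eval-stdin.php").write_text("<?php // ships with PHPUnit\n")
    (util / "x.php").write_text("<?php // file PHPUnit does not ship (constructed)\n")
    (root / "uploads.php").write_text("<?php // file in the application root (constructed)\n")
    (root / ".env").write_text(
        "APP_ENV=local\nAPP_DEBUG=(true)\n# mail settings\nMAIL_PASSWORD=\"constructed-secret\"\n"
        "AWS_ACCESS_KEY_ID=AKIACONSTRUCTEDSAMPLE\nAWS_SECRET_ACCESS_KEY=\nSENDGRID_API_KEY=SG.constructed\n"
    )


def run_demo():
    """Build the sample tree in a temporary directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_app(root)
        return audit_laravel_app(root)


if __name__ == "__main__":
    for category, detail in run_demo():
        print(f"{category:24s} {detail}")
    for url in flag_outbound_php_fetches(SAMPLE_PROXY_LOG):
        print(f"{'outbound_php_fetch':24s} {url}")
```

Run it against a real deployment by calling audit_laravel_app(Path("/path/to/app")) and feeding your proxy's log lines to flag_outbound_php_fetches. The PHPUnit baseline should be regenerated from a clean install of the exact PHPUnit version you ship, and any hit in that folder should be treated as a likely web shell until proven otherwise.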
References:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
https://www.bleepingcomputer.com/news/security/fbi-androxgh0st-malware-botnet-steals-aws-microsoft-credentials/
https://www.spiceworks.com/it-security/security-general/news/federal-agencies-warning-androxgh0st-malware-botnet/
https://www.techrepublic.com/article/androxgh0st-malware-botnet/