Threat actors responsible for the multi-faceted Androxgh0st malware have built a botnet to expand their capabilities to identify and exploit vulnerable networks.
In a joint Jan. 16 advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI revealed new details about the malware, which they said were gleaned from their involvement in multiple, ongoing investigations.
The Androxgh0st botnet was being used to scan for .env files that contain confidential information such as credentials for cloud solutions including Amazon Web Services (AWS), Microsoft Office 365, SendGrid and Twilio, they said.
The malware hunted for websites that use the Laravel web application framework. When it found them, the threat actors explored whether the targets’ domain root-level .env files were exposed and if they contained credentials for accessing additional services.
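The scanning behaviour described above leaves a recognisable trace in web-server access logs. The following is an added example (not from the advisory or any tool it describes) that parses combined-format log lines, flags requests for `.env` files at the web root or in subdirectories, and separates mere probes from requests the server actually answered with content; the log lines and IP addresses are constructed, and the field layout assumes the common Apache/nginx combined format.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log prefix (IP, timestamp, request, status, size).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A request path ending in ".env" (or a variant such as .env.bak / .env.local),
# at the web root or in any subdirectory, with or without a query string.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?(\?.*)?$')

def parse_line(line):
    # Returns a dict of fields, or None when the line is not a combined-format entry.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_env_probe(path):
    return bool(ENV_PATH_RE.search(path))

def analyze(lines):
    """Return (probes, exposures, per_ip): every .env request, those served with content, probe count per IP."""
    probes, exposures, per_ip = [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_env_probe(rec["path"]):
            continue
        rec["status"] = int(rec["status"])
        probes.append(rec)
        per_ip[rec["ip"]] += 1
        # A 200 with a non-empty body means the file was served: treat every
        # credential it could contain as compromised and rotate it.
        if rec["status"] == 200 and rec["size"] not in ("-", "0"):
            exposures.append(rec)
    return probes, exposures, per_ip

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """
203.0.113.10 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:10:01:03 +0000] "GET /app/.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:10:01:04 +0000] "GET /admin/.env.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2024:10:05:00 +0000] "GET /.env HTTP/1.1" 200 1127 "-" "python-requests/2.31"
192.0.2.44 - - [16/Jan/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [16/Jan/2024:10:06:01 +0000] "GET /environment/docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    probes, exposures, per_ip = analyze(SAMPLE_LOG)
    print(f"{len(probes)} .env probes from {len(per_ip)} sources; {len(exposures)} served with content")
```

A 403 or 404 on these paths shows the scanner found nothing; a 200 with a body is the case the advisory warns about and should trigger rotation of every credential the file could hold.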
The threat actors exploited a vulnerability discovered in 2018, CVE-2018-15133, which can allow remote code execution on unpatched Laravel applications. On the same day the agencies published their advisory, CISA added the Laravel bug to its Known Exploited Vulnerabilities (KEV) Catalog.
“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment,” the agencies’ advisory said.
The gang were also observed exploiting two other vulnerabilities, a PHP arbitrary code execution flaw from 2017 (CVE-2017-9841), and an Apache HTTP Server path traversal attack vulnerability from 2021 (CVE-2021-41773). Both bugs were previously added to the KEV Catalog.
Roger Grimes, data-driven defense evangelist at KnowBe4, said the advisory raised concerns about the poor patching practices of many organizations.
“This particular attack is using unpatched vulnerabilities first announced (and patched) three to seven years ago. They are still unpatched and still being exploited,” he said.
“It goes to show that every software vulnerability has some non-minor percentage of people who will never apply the patch in a timely manner.”
The CEO of Conversant Group, John A. Smith, said AndroxGh0st’s focus on stealing cloud application credentials was a reminder that organizations could not assume the cloud was inherently safe.
“We also advise that an ounce of prevention is worth a pound of cure – because AndroxGh0st is exploiting exposed .env files and unpatched vulnerabilities, it is well-advised to always inspect and monitor cloud environments regularly for any exposures and have a very aggressive policy for out-of-band patching,” he said.
Grimes added that as more applications moved to the cloud, more malware was focusing on cloud-level risks.
“Years ago, most credential-stealing malware focused on passwords. Now, more and more credential-stealing malware focuses on multifactor authentication-protected logins, cloud logins, and cloud-tokens. The hackers and malware move where the technology moves.”
The Python-based AndroxGh0st malware was first detected by Lacework in 2022.
Last week SentinelOne researchers shared details of FBot, another Python-scripted hacking tool. While FBot targeted the same types of cloud applications as AndroxGh0st, it did not leverage AndroxGh0st’s code but shared similarities with the Legion cloud infostealer in functionality and design.