Cyber Security News

Androxgh0st Malware Botnet Targets Cloud Credentials

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning that threat actors are using the Androxgh0st malware to build a botnet. The malware is built to harvest cloud credentials, which the actors then use both to steal sensitive data and to deploy further malicious payloads.

FortiGuard Labs observed AndroxGh0st activity against more than 50,000 Fortinet devices in a single day at the start of the year.

Laravel .env Files That Store Credentials for AWS, O365 and Other Major Platforms Are Targeted

AndroxGh0st is Python-scripted malware that is actively used in the wild to hunt for Laravel .env files. Those files commonly hold application secrets, including credentials for Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio.

The malware scans websites and servers for remote code execution (RCE) vulnerabilities, specifically CVE-2017-9841 (PHPUnit, the PHP unit-testing framework), CVE-2021-41773 (Apache HTTP Server) and CVE-2018-15133 (the Laravel PHP web framework). Successful exploitation gives the actors code execution on the web server, from which .env files and the cloud credentials they contain can be read. Note that CVE-2018-15133 requires the application's APP_KEY, which is itself one of the values an exposed .env file leaks, so a leaked .env and that CVE chain naturally.
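The three probes above leave recognisable traces in web-server access logs. The following is an added example (not code from the advisory or from the malware itself) that classifies access-log lines in the Apache/nginx "combined" format against those traces: requests for .env, requests for PHPUnit's eval-stdin.php, and paths that only contain a ".." segment after percent-decoding, which is the trick the Apache 2.4.49/2.4.50 traversal relied on. The sample lines, IP addresses and label names are constructed for illustration.

```python
"""Flag access-log lines matching the probes attributed to AndroxGh0st:
Laravel .env harvesting, the PHPUnit eval-stdin.php RCE (CVE-2017-9841) and
the Apache 2.4.49/2.4.50 path traversal (CVE-2021-41773).

Added example, not code from the advisory or from the malware. It assumes the
Apache/nginx "combined" log format; the log lines below are constructed."""
import re
from urllib.parse import unquote

# Apache/nginx combined format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one scanner IP running all three probes, one normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2024:03:14:07 +0000] "GET /.env HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:03:14:08 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:03:14:09 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1245 "-" "curl/7.81.0"
198.51.100.7 - - [16/Jan/2024:03:15:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2024:03:15:01 +0000] "GET /css/app.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""


def decode_path(path: str) -> str:
    """Percent-decode until stable (at most 3 rounds), so both the '.%2e' form
    used against 2.4.49 and the double-encoded '.%%32%65' form used against
    2.4.50 collapse to a plain '..' segment."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str):
    """Return (label, raw_path) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    path = decode_path(raw).split("?", 1)[0]
    lowered = path.lower()
    if lowered.endswith("/.env"):                 # .env harvesting (any directory)
        return ("laravel_env_harvest", raw)
    if lowered.endswith("/phpunit/src/util/php/eval-stdin.php"):
        return ("phpunit_eval_stdin", raw)        # CVE-2017-9841 entry point
    if ".." in path.split("/"):                   # '..' segment present after decoding
        return ("apache_path_traversal", raw)
    return None


def scan(log_text: str) -> list:
    """Run classify() over every line; return [(ip, label, raw_path), ...]."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            hits.append((LOG_RE.match(line).group("ip"),) + verdict)
    return hits


if __name__ == "__main__":
    for ip, label, raw in scan(SAMPLE_LOG):
        print(f"{ip:15} {label:22} {raw}")
```

Treat a 200 response to a .env request as a confirmed leak: every credential in that file is compromised and must be rotated, not merely reviewed. The decoding step is the part that matters for the Apache flaw; matching the literal string "%2e" would miss the double-encoded variant.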

The actors have also been observed placing fake pages on compromised websites that function as backdoors, giving them a persistent way back in to reach databases holding sensitive information and to deploy additional malicious tools.

Where the credentials recovered from a vulnerable website include AWS keys, the actors have attempted to create new IAM users and attach user policies to them.

The actors behind Androxgh0st also use stolen credentials to rapidly launch new AWS instances, which they use to scan the Internet for further vulnerable targets.
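The IAM and EC2 activity described in the two paragraphs above is recorded in AWS CloudTrail, and a key that normally only serves a web application has no business calling CreateUser, PutUserPolicy or RunInstances. Below is an added example (not the advisory's code) that triages CloudTrail records per access key for exactly those actions, plus use of the key from a host or region it has never been seen on. The records, key IDs, IP addresses and the "known" host and region lists are constructed assumptions.

```python
"""Triage CloudTrail records for the post-compromise actions the advisory
describes once an AWS key is lifted from .env: creating IAM users and
attaching policies, then launching instances used for further scanning.

Added example, not the advisory's code. The records below are constructed
in the CloudTrail JSON schema; in practice feed triage() the "Records" array
from a CloudTrail log file or the rows of a CloudTrail Lake / Athena query."""
import json
from collections import defaultdict

# API calls worth alerting on for a long-lived application key (assumption: tune per workload).
PRIVILEGE_EVENTS = {"CreateUser", "CreateAccessKey", "PutUserPolicy",
                    "AttachUserPolicy", "CreateLoginProfile"}
COMPUTE_EVENTS = {"RunInstances"}
# Hosts and regions where these keys are legitimately used (assumption).
KNOWN_SOURCE_IPS = {"192.0.2.5", "192.0.2.9"}
KNOWN_REGIONS = {"us-east-1"}

SAMPLE_RECORDS = json.loads("""[
 {"eventTime":"2024-01-16T03:20:11Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "awsRegion":"us-east-1","sourceIPAddress":"192.0.2.5",
  "userIdentity":{"type":"IAMUser","userName":"shop-app","accessKeyId":"AKIAEXAMPLEWEBAPP001"}},
 {"eventTime":"2024-01-16T03:41:02Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser",
  "awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10",
  "userIdentity":{"type":"IAMUser","userName":"shop-app","accessKeyId":"AKIAEXAMPLEWEBAPP001"},
  "requestParameters":{"userName":"backup-svc"}},
 {"eventTime":"2024-01-16T03:41:05Z","eventSource":"iam.amazonaws.com","eventName":"PutUserPolicy",
  "awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10",
  "userIdentity":{"type":"IAMUser","userName":"shop-app","accessKeyId":"AKIAEXAMPLEWEBAPP001"},
  "requestParameters":{"userName":"backup-svc","policyName":"all"}},
 {"eventTime":"2024-01-16T03:42:30Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances",
  "awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","errorCode":"Client.UnauthorizedOperation",
  "userIdentity":{"type":"IAMUser","userName":"shop-app","accessKeyId":"AKIAEXAMPLEWEBAPP001"}},
 {"eventTime":"2024-01-16T03:43:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances",
  "awsRegion":"ap-southeast-1","sourceIPAddress":"203.0.113.10",
  "userIdentity":{"type":"IAMUser","userName":"shop-app","accessKeyId":"AKIAEXAMPLEWEBAPP001"}},
 {"eventTime":"2024-01-16T03:50:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets",
  "awsRegion":"us-east-1","sourceIPAddress":"192.0.2.9",
  "userIdentity":{"type":"IAMUser","userName":"ci-deploy","accessKeyId":"AKIAEXAMPLECIDEPLOY1"}}
]""")


def triage(records) -> dict:
    """Return {accessKeyId: sorted alert tags} for keys showing suspicious activity.
    Denied calls are kept (tagged ':denied'): a failed RunInstances is still a
    sign the key holder is probing what the key can do."""
    alerts = defaultdict(set)
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId", "unknown")
        name = r["eventName"]
        suffix = ":denied" if "errorCode" in r else ""
        if name in PRIVILEGE_EVENTS:
            alerts[key].add("iam_privilege_change" + suffix)
        if name in COMPUTE_EVENTS:
            alerts[key].add("instance_launch" + suffix)
        if r.get("sourceIPAddress") not in KNOWN_SOURCE_IPS:
            alerts[key].add("unexpected_source_ip:" + r.get("sourceIPAddress", "?"))
        if r.get("awsRegion") not in KNOWN_REGIONS:
            alerts[key].add("new_region:" + r.get("awsRegion", "?"))
    return {k: sorted(v) for k, v in alerts.items()}


if __name__ == "__main__":
    for key, tags in triage(SAMPLE_RECORDS).items():
        print(key, tags)
```

When a key is flagged, deactivate it first (aws iam update-access-key --status Inactive) and only then investigate: the new user created through it, any access keys issued to that user, and instances launched in regions the account does not normally use all need to be removed as well, since they outlive the original key.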

How to Mitigate Androxgh0st Malware

To mitigate the exploitation of common system and network discovery techniques and reduce the risk of compromise by actors using the Androxgh0st malware, the FBI and CISA advise network defenders to implement the following measures:

  • Keep all operating systems, software, and firmware up to date. In particular, ensure that Apache HTTP Server is not running version 2.4.49 or 2.4.50 (2.4.50 shipped an incomplete fix for the 2.4.49 path-traversal flaw, which is why both versions are listed).
  • Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for a URI to be accessible.
  • Ensure that no live Laravel application is running in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them.
  • On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other credentials that cannot be removed, review every platform or service whose credentials appear in the .env file for unauthorized access or use.
  • Scan the server’s file system for unrecognized PHP files, particularly in the root directory and the /vendor/phpunit/phpunit/src/Util/PHP folder.
  • Review outgoing GET requests (made via the cURL command) to file-hosting sites such as GitHub and Pastebin, particularly where the request retrieves a .php file.
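The .env and file-system items in the list above can be scripted so they run on every deploy rather than once. The following added example (not code from the advisory, Laravel or PHPUnit) audits a Laravel deployment root for cloud credentials left in .env, debug or non-production mode, a .env readable by other users, and PHP files in the project root, the webroot or PHPUnit's Util/PHP directory. It builds a throwaway sample tree so it runs offline; the credential key list and the list of PHP files expected in the PHPUnit directory are assumptions to adapt to your stack and locked PHPUnit version.

```python
"""Audit a Laravel deployment for what the FBI/CISA mitigations call out:
cloud credentials stored in .env, debug/non-production mode, and PHP files
where none belong (project root, webroot, PHPUnit's Util/PHP directory).

Added example, not code from the advisory, Laravel or PHPUnit. It assumes a
standard Laravel layout: .env in the project root and public/ as the webroot."""
import os
import tempfile
from pathlib import Path

# Keys that hold a cloud/SaaS credential when set (assumption: extend for your stack).
CREDENTIAL_KEYS = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "SENDGRID_API_KEY",
    "TWILIO_AUTH_TOKEN", "MAIL_PASSWORD",   # O365 SMTP credentials usually land here
}
# PHP files expected in vendor/phpunit/phpunit/src/Util/PHP (assumption: verify
# against your locked PHPUnit version). eval-stdin.php is deliberately not listed:
# it is the file CVE-2017-9841 abuses, and PHPUnit (a dev dependency) should not be
# deployed to production at all (composer install --no-dev).
PHPUNIT_UTIL_PHP_OK = {"AbstractPhpProcess.php", "DefaultPhpProcess.php", "WindowsPhpProcess.php"}
PHPUNIT_UTIL_PHP = Path("vendor/phpunit/phpunit/src/Util/PHP")


def parse_env(text: str) -> dict:
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit(root: Path) -> list:
    """Return [(check, path), ...] findings for the deployment under root."""
    findings = []
    env_path = root / ".env"
    if env_path.exists():
        env = parse_env(env_path.read_text())
        if env.get("APP_DEBUG", "false").lower() == "true":
            findings.append(("debug_enabled", str(env_path)))
        if env.get("APP_ENV", "production") != "production":
            findings.append(("non_production_env", str(env_path)))
        for key in sorted(CREDENTIAL_KEYS.intersection(env)):
            if env[key]:                                   # empty value = not stored
                findings.append(("credential_in_env:" + key, str(env_path)))
        if env_path.stat().st_mode & 0o044:                # readable by group or others
            findings.append(("env_readable_by_others", str(env_path)))
    # PHP files in the project root or webroot: only public/index.php belongs there.
    for directory in (root, root / "public"):
        for php in sorted(directory.glob("*.php")):
            if php != root / "public" / "index.php":
                findings.append(("unexpected_php_in_webroot", str(php.relative_to(root))))
    util = root / PHPUNIT_UTIL_PHP
    if util.is_dir():
        for php in sorted(util.glob("*.php")):
            if php.name == "eval-stdin.php":
                findings.append(("phpunit_eval_stdin_present", str(php.relative_to(root))))
            elif php.name not in PHPUNIT_UTIL_PHP_OK:
                findings.append(("unexpected_php_in_phpunit_util", str(php.relative_to(root))))
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed Laravel-like tree containing each problem audit() looks for."""
    (root / "public").mkdir(parents=True)
    (root / "public" / "index.php").write_text("<?php // Laravel front controller\n")
    (root / "public" / "css.php").write_text("<?php // not part of the app: planted file\n")
    util = root / PHPUNIT_UTIL_PHP
    util.mkdir(parents=True)
    for name in ("AbstractPhpProcess.php", "eval-stdin.php", "cache.php"):
        (util / name).write_text("<?php\n")
    env_path = root / ".env"
    env_path.write_text(
        "APP_NAME=Shop\nAPP_ENV=local\nAPP_DEBUG=true\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\n"
        'AWS_SECRET_ACCESS_KEY="exampleSecretNotReal"\n'
        "SENDGRID_API_KEY=\n"
        "# MAIL_PASSWORD=commented-out\n"
    )
    os.chmod(env_path, 0o644)   # common default; it should be 0o600 (or 0o640 with the web server group)
    return root


def demo() -> list:
    """Run the audit against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for check, path in demo():
        print(f"{check:40} {path}")
```

Point audit() at a real deployment root in CI or a cron job and fail the run on any finding. The URI-deny item in the list is an Apache configuration matter (Require all denied on the filesystem root, with explicit allows for the webroot only) and is not something a file-system script can check; the outgoing cURL item needs proxy or egress logs rather than the file system.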