Rewterz Threat Alert – Androxgh0st Malware Botnet Targets AWS and Microsoft for Credential Theft – Active IOCs

Severity

High

Analysis Summary

CISA and the FBI have published a joint advisory warning about the operators of Androxgh0st malware developing a botnet that focuses on stealing cloud credentials and using the stolen data to inject additional malicious payloads.

First seen in 2022, the botnet scans for websites and servers that use versions of the PHPUnit testing framework, Apache web server, and PHP web framework with remote code execution (RCE) vulnerabilities. The RCE security flaws that are targeted in these attacks include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel). The two agencies warned that Androxgh0st is a Python-scripted malware that is mainly used to target .env files containing sensitive information like credentials of widely used applications such as Amazon Web Services (AWS), Microsoft Office 365, Twilio, and SendGrid.

The malware supports various functions that are capable of exploiting the Simple Mail Transfer Protocol (SMTP), like scanning and abusing exposed credentials and APIs, and web shell deployment. The stolen credentials of SendGrid and Twilio can be used by attackers to carry out spam campaigns by posing as legitimate companies.

Threat actors have been discovered making fraudulent pages on compromised websites and putting a backdoor on them to access databases having sensitive information, later to be used for distributing other malicious tools that are important for their operations. Once the AWS credentials are successfully scanned and identified on a vulnerable website, they are compromised and the attackers try to create new users and user policies. Furthermore, the malware operators leverage the stolen credentials to start new AWS instances for scanning more vulnerable targets across the Internet.

The FBI asked organizations to provide information on Androxgh0st malware if they detect suspicious activity linked to this threat within their systems. CISA has also added the Laravel deserialization of untrusted data flaw (CVE-2018-15133) to its Known Exploited Vulnerabilities (KEV) catalog due to the evidence of its active exploitation. Meanwhile, the Apache HTTP Server path traversal (CVE-2021-41773) and PHPUnit command injection (CVE-2017-9841) vulnerabilities were added to the catalog in November 2021 and February 2022 respectively. The security agency also ordered federal agencies to patch their systems by 6^th February.

Impact

• Credential Theft
• Code Execution
• Identity Theft

Indicators of Compromise

MD5

• 1fb78440dc44b0900b27260a16d9771e
• 62a06bea8c6e276b5e532944cfc863e5

SHA-256

• 59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4
• 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066

SHA-1

• 452ec481734a78597b928e29c834d0e43fb2c7e2
• 09bd9b17a64b20ba66582dbc3ce08169697177a8

URL

• http://download.asyncfox.xyz/download/xmrig.x86_64

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Organizations must test their assets for the vulnerabilities mentioned above and apply the available security patches or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• The FBI and CISA also recommend the following mitigation measures to limit the impact of Androxgh0st malware attacks and reduce the risk of compromise:
• Keep all operating systems, software, and firmware up to date. Ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
• Ensure that the default configuration for all URIs is to deny all requests unless they need to be accessible.
• Verify that live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them.
• Review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
• Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
• Review outgoing GET requests via cURL command to file hosting sites such as GitHub, Pastebin, etc., particularly when the request accesses a .php file.