Cybersecurity researchers have shed light on a tool called AndroxGh0st that is used to target Laravel applications and steal sensitive data.
“It works by scanning and extracting important information from .env files, revealing login details linked to AWS and Twilio,” said Kashinath T Pattan, researcher at Juniper Threat Labs.
“Classified as an SMTP cracker, it exploits SMTP using various strategies such as credential exploitation, web shell implementation, and vulnerability scanning.”
AndroxGh0st has been detected in circulation since at least 2022, with threat actors leveraging it to access Laravel environment files and steal credentials for various cloud-based applications such as Amazon Web Services (AWS), SendGrid, and Twilio.
Attack chains involving the Python-based malware are known to exploit known security flaws in the Apache HTTP Server, the Laravel Framework, and PHPUnit to gain initial access, escalate privileges, and establish persistence.
In early January, US cybersecurity and intelligence agencies warned of attackers distributing the AndroxGh0st malware to create a botnet for “identifying and exploiting victims in targeted networks.”
“Androxgh0st first gains access through a weakness in Apache, identified as CVE-2021-41773, which allows it to access vulnerable systems,” Pattan explained.
“It then exploits additional vulnerabilities, specifically CVE-2017-9841 and CVE-2018-15133, to execute code and establish persistent control, essentially taking control of the targeted systems.”
AndroxGh0st is designed to extract sensitive data from various sources, including .env files, databases, and cloud credentials. This allows threat actors to deliver additional payloads to compromised systems.
Juniper Threat Labs said it has observed an increase in activity related to the exploitation of CVE-2017-9841, making it essential that users move quickly to update their instances to the latest version.
Most of the attempted attacks against its honeypot infrastructure came from the United States, the United Kingdom, China, the Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia and India, it added.
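The credential-harvesting and exploitation behaviour described above leaves recognisable traces in web server access logs: probes for the Laravel `.env` file, requests for the PHPUnit `eval-stdin.php` script associated with CVE-2017-9841, and dot-encoded path traversal of the kind fixed in Apache for CVE-2021-41773. The following script is an added example, not code from the article or from Juniper Threat Labs; it parses Apache combined-format log lines and flags those patterns. The log lines are constructed for the example, and the three rule regexes are my own assumptions based on the public descriptions of those vulnerabilities, intended as a starting point for triage rather than a complete signature set.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not real traffic). They mix benign
# requests with the three probe types a defender would expect to see:
# a Laravel .env fetch, a PHPUnit eval-stdin.php request (CVE-2017-9841 path)
# and a dot-encoded traversal attempt (CVE-2021-41773 style).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:10:00:02 +0000] "POST /.env HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2024:10:00:03 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Mar/2024:10:00:04 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 400 226 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /css/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Detection rules (assumed patterns): name -> (regex applied to the request path, analyst note).
RULES = {
    "laravel_env_probe": (
        re.compile(r'(^|/)\.env(\?|$)', re.I),
        "request for a Laravel .env file (credential harvesting)",
    ),
    "phpunit_eval_stdin": (
        re.compile(r'/phpunit/.*/eval-stdin\.php', re.I),
        "PHPUnit eval-stdin.php path (CVE-2017-9841)",
    ),
    "apache_encoded_traversal": (
        re.compile(r'(\.%2e|%2e\.|%2e%2e)/', re.I),
        "dot-encoded path traversal (CVE-2021-41773 style)",
    ),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run every rule over the request path of each parsable line and collect hits."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash on malformed input
        for name, (rx, note) in RULES.items():
            if rx.search(rec["path"]):
                findings.append({
                    "rule": name,
                    "ip": rec["ip"],
                    "method": rec["method"],
                    "path": rec["path"],
                    "status": rec["status"],
                    "note": note,
                })
    return findings


def sources_by_hits(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per source address so repeat scanners stand out for blocking or follow-up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}  [{h["rule"]}] {h["note"]}')
    print("hits per source:", sources_by_hits(hits))
```

A 404 on these paths is still worth recording: it shows the host is being scanned, and the same source will typically move on to other Laravel and PHPUnit paths. Run the scanner over real logs by reading the file contents into `scan_log`; the pattern list is deliberately small and should be extended from your own observed traffic.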
The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that vulnerable WebLogic servers located in South Korea were targeted by adversaries and used as download servers to deploy a cryptocurrency miner called z0Miner and other tools such as fast reverse proxy (FRP).
It also follows the discovery of a malicious campaign that infiltrated AWS instances to create over 6,000 EC2 instances in minutes and deploy a binary associated with a decentralized content delivery network (CDN) known as the Meson Network.
The Singapore-based company, which aims to create the “world’s largest bandwidth marketplace,” works by allowing users to trade idle bandwidth and storage resources with Meson in exchange for tokens (i.e. rewards).
“This means that miners will receive Meson tokens as a reward for providing servers to the Meson Network platform, and the reward will be calculated based on the amount of bandwidth and storage they inject into the network,” Sysdig said in a published technical report this month.
“It’s no longer just about mining cryptocurrencies. Services like the Meson network want to leverage hard drive space and network bandwidth rather than CPU. While Meson may be a legitimate service, this shows that attackers are always on the lookout for new ways to make money.”
As cloud environments increasingly become a lucrative target for threat actors, it’s critical to keep your software updated and monitor for suspicious activity.
Threat intelligence firm Permiso has also released a tool called CloudGrappler, which builds on the foundations of cloudgrep and scans AWS and Azure to report malicious events related to known threat actors.