In a joint advisory issued by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), both agencies warned that threat actors using Androxgh0st malware are building a botnet focused on cloud credential theft and using the stolen information to deliver additional malicious payloads.
The advisory went on to state,
Androxgh0st malware has been observed establishing a botnet for victim identification and exploitation in target networks. According to open source reporting, Androxgh0st is a Python-scripted malware primarily used to target .env files that contain confidential information, such as credentials for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework). Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment.
Threat actors are specifically scanning websites for the vulnerability CVE-2017-9841. If successfully exploited, the vulnerability can be used to run hypertext preprocessor (PHP) code remotely on vulnerable websites via the compromised PHPUnit installation.
Websites using the PHPUnit module with internet-accessible folders are subject to malicious requests to the PHPUnit uniform resource identifier (URI). This PHP page runs PHP code submitted through a request by the threat actor, which allows the threat actor to execute code remotely.
Other vulnerabilities scanned for by threat actors include CVE-2021-41773, an Apache HTTP Server vulnerability, and CVE-2018-15133, a vulnerability in the Laravel PHP web framework.
Once compromised, threat actors deploy Androxgh0st to download malicious files to the system hosting the website. Threat actors can then further set up fake and illegitimate pages accessible via the compromised URI. These are then used to grant backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases.
To best protect against Androxgh0st, the following mitigation strategies have been supplied by the FBI and CISA:
- Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
- Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
- Ensure that live Laravel applications are not in "debug" or testing mode. Remove all cloud credentials from .env files and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.
- On a one-time basis for previously stored cloud credentials and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
- Scan the server's file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
- Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, Pastebin, etc., particularly when the request accesses a .php file.
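The following audit script is an added example, not code from the advisory or from this article. It checks a Laravel application directory against three of the mitigations above: APP_DEBUG left on in .env, long-lived cloud or mail credentials stored in .env, and PHP files in the vendor/phpunit/phpunit/src/Util/PHP folder that are not in a caller-supplied baseline. The .env key names treated as secrets, the baseline file name, and the sample directory layout are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample .env in Laravel KEY=VALUE style; every value is a fake placeholder.
SAMPLE_ENV = """APP_NAME=Shop
APP_DEBUG=true
AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER
AWS_SECRET_ACCESS_KEY=EXAMPLE/SECRET+PLACEHOLDER
MAIL_PASSWORD=notarealpassword
"""

# Assumed list of .env key prefixes that denote a long-lived credential stored on disk.
SECRET_KEY_PATTERN = re.compile(r"^(AWS_|SENDGRID_|TWILIO_|MAIL_PASSWORD)", re.I)
PHPUNIT_UTIL_PHP = Path("vendor/phpunit/phpunit/src/Util/PHP")

def parse_env(text):
    """Minimal .env parser: KEY=VALUE per line; blanks and '#' comments skipped, quotes stripped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def audit_laravel_app(app_root, known_phpunit_files):
    """Return findings for debug mode, stored credentials and unrecognized PHPUnit Util/PHP files."""
    root = Path(app_root)
    findings = []
    env_path = root / ".env"
    if env_path.exists():
        env = parse_env(env_path.read_text())
        if env.get("APP_DEBUG", "false").lower() == "true":
            findings.append("APP_DEBUG is true: debug mode can expose .env contents")
        for key in env:
            if SECRET_KEY_PATTERN.match(key):
                findings.append(f"long-lived credential stored in .env: {key}")
    util_dir = root / PHPUNIT_UTIL_PHP
    if util_dir.is_dir():
        for php in sorted(util_dir.glob("*.php")):
            if php.name not in known_phpunit_files:  # anything outside the baseline is suspect
                findings.append(f"unrecognized PHP file in PHPUnit Util/PHP: {php.name}")
    return findings

def build_sample_app():
    """Create a throwaway directory laid out like a compromised Laravel install (constructed)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / ".env").write_text(SAMPLE_ENV)
    util_dir = tmp / PHPUNIT_UTIL_PHP
    util_dir.mkdir(parents=True)
    (util_dir / "Known.php").write_text("<?php // stands in for a file shipped with PHPUnit\n")
    (util_dir / "x.php").write_text("<?php // stands in for a dropped file (constructed)\n")
    return tmp
```

Run `audit_laravel_app(build_sample_app(), {"Known.php"})` to see the five findings the constructed install produces; in practice, build the baseline set from a clean install of the same PHPUnit version.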
Androxgh0st the SMTP Cracker
As mentioned above, the malware seen in attacks targeting vulnerable PHP and Laravel applications is Androxgh0st, classified as an SMTP cracker. It earns this name because it actively scans for exposed .env files in Laravel applications. These files typically contain sensitive information such as API keys used to log into services like Amazon's AWS or Microsoft's Azure cloud platforms.
If the malware successfully finds an exposed .env file, it parses the file's contents for AWS API keys. If unsuccessful, the malware can also attempt to brute-force access to AWS resources. One reason this style of attack can be so devastating is that it is hard to detect: there is often no single artifact that indicates a compromised key, apart from threat intelligence.
However, threat intelligence is not always accurate or timely. Further, security products that rely on hash-based detection may struggle, as the malware's component parts are highly customizable, so one variant can differ significantly from another. The question then is what the attackers want. In most cases, SMTP crackers are used for cryptocurrency mining or spam campaigns.
Cryptocurrency is typically mined by deploying crypto-mining malware that consumes CPU and GPU resources on the cloud server. Meanwhile, if the victim's AWS profile is compromised, the attackers can set up email servers, or simply use existing ones, to send spam. Because these emails come from registered entities, they stand a better chance of getting past anti-spam software.
Security firm Lacework has attributed some Androxgh0st activity to the threat actor known as XCatze. The threat actor offers Androxgh0st as malware-as-a-service, effectively selling access to the malware to other threat actors willing to pay for the service.