The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint warning about the Androxgh0st malware botnet, which is actively engaged in cloud credential theft. Threat actors leveraging this malware are not only pilfering credentials for cloud services like Amazon Web Services (AWS) and Microsoft Office 365 but are also utilizing the stolen information to deliver additional malicious payloads.
Initially detected in 2022, the Androxgh0st botnet was already reported to control more than 40,000 devices nearly a year ago. The malware gains its initial foothold by exploiting known remote code execution (RCE) vulnerabilities, specifically CVE-2017-9841 (the eval-stdin.php endpoint of the PHPUnit unit testing framework), CVE-2021-41773 (a path traversal in Apache HTTP Server 2.4.49 that yields RCE when CGI is enabled), and CVE-2018-15133 (deserialization of untrusted data in the Laravel PHP web framework).
Androxgh0st is Python-scripted malware that primarily hunts for .env files exposed by Laravel web applications. Such files can hold credentials for high-profile services such as AWS, Microsoft Office 365, SendGrid, and Twilio; an exposed .env also leaks the Laravel APP_KEY, which is the precondition for exploiting CVE-2018-15133. The malware also supports several functions built around abusing the Simple Mail Transfer Protocol (SMTP), including scanning for and exploiting exposed credentials and APIs, as well as deploying web shells.
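The probes described above leave a recognisable trail in a web server's access log. The following script is an added example, not code from the advisory or from the malware: it parses Apache/nginx combined-format log lines, tags requests that hit the PHPUnit eval-stdin.php endpoint, the Apache cgi-bin traversal, or any .env path, and singles out .env requests that returned HTTP 200, which means the file was actually served. The log lines are constructed for the example. CVE-2018-15133 is not matched here on purpose: it rides on ordinary Laravel request paths and depends on the APP_KEY, so keeping .env off the web is the control for it.

```python
import re
from collections import defaultdict

# Request-path patterns for the exploit endpoints named in the advisory.
# The Laravel deserialization bug (CVE-2018-15133) needs the APP_KEY and uses
# normal application routes, so it is not path-detectable and is omitted.
PATTERNS = {
    "env_harvest": re.compile(r"/\.env\b", re.I),
    "cve-2017-9841_phpunit": re.compile(r"/vendor/phpunit/.*/eval-stdin\.php", re.I),
    "cve-2021-41773_apache": re.compile(r"/cgi-bin/(?:\.%2e|%2e\.|%2e%2e)/", re.I),
}

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real log data): one scanner host running the
# full probe sequence, plus a second host that only touched /api/.env.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jan/2024:10:02:11 +0000] "GET /.env HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2024:10:02:12 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2024:10:02:13 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jan/2024:10:05:02 +0000] "GET /api/.env HTTP/1.1" 403 199 "-" "curl/8.0"
"""


def classify(path):
    """Return the first matching probe tag for a request path, or None."""
    for name, rx in PATTERNS.items():
        if rx.search(path):
            return name
    return None


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return one hit dict per log line that matches a known probe pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec["path"])
        if tag:
            hits.append({"ip": rec["ip"], "method": rec["method"],
                         "path": rec["path"], "status": int(rec["status"]), "tag": tag})
    return hits


def summarize(hits):
    """Map each source IP to the set of probe types it attempted."""
    per_ip = defaultdict(set)
    for h in hits:
        per_ip[h["ip"]].add(h["tag"])
    return dict(per_ip)


def exposed_env(hits):
    """The actionable finding: .env requests the server answered with 200."""
    return [(h["ip"], h["path"]) for h in hits
            if h["tag"] == "env_harvest" and h["status"] == 200]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for ip, tags in summarize(hits).items():
        print(ip, sorted(tags))
    for ip, path in exposed_env(hits):
        print("CREDENTIAL EXPOSURE: %s served to %s; rotate every secret in it" % (path, ip))
```

A 403 or 404 on /.env shows someone is scanning; a 200 means the secrets in that file, including the APP_KEY, must be treated as compromised and rotated, whatever the rest of the log shows.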
Stolen Twilio and SendGrid credentials are particularly concerning, as threat actors can utilize them to conduct spam campaigns while impersonating the breached companies. Androxgh0st can assess the email sending limits for compromised accounts to determine if they can be exploited for spamming purposes.
The attackers have been observed taking additional steps, such as creating fake pages on compromised websites, providing a backdoor for accessing databases with sensitive information, and deploying more malicious tools as needed. Once AWS credentials are successfully identified and compromised, the operators attempt to create new users and user policies. Additionally, they use stolen credentials to spin up new AWS instances for scanning vulnerable targets across the internet.
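The AWS follow-on activity described above (new IAM users and policies, then instances launched to scan the internet) is visible in CloudTrail. The script below is an added example, not the advisory's or the malware's code: it groups CloudTrail records by the acting principal and flags a policy attached to a user that same principal just created, an access key minted for that new user, and RunInstances calls outside the account's usual regions or in bulk. The records and the region baseline are constructed assumptions; in production the same logic would run over CloudTrail Lake, Athena, or EventBridge rather than a JSON string.

```python
import json
from collections import defaultdict

# Assumed baseline of regions this account normally launches instances in.
BASELINE_REGIONS = {"us-east-1", "us-west-2"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed CloudTrail records: the compromised "deploy" key creates a user,
# grants it admin, mints it a key, and launches 20 instances in an unused
# region. "alice" performs ordinary activity and must not be flagged.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:07:41Z", "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-01-15T10:07:45Z", "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"},
     "requestParameters": {"userName": "backup-svc", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2024-01-15T10:07:49Z", "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2024-01-15T10:12:03Z", "eventName": "RunInstances", "awsRegion": "eu-north-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/deploy"},
     "requestParameters": {"instanceType": "t3.small", "minCount": 20, "maxCount": 20}},
    {"eventTime": "2024-01-15T10:15:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"instanceType": "t3.micro", "minCount": 1, "maxCount": 1}},
    {"eventTime": "2024-01-15T10:16:00Z", "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": None},
]})


def load_records(raw):
    return json.loads(raw)["Records"]


def _rp(ev):
    # requestParameters may be null for read-only calls.
    return ev.get("requestParameters") or {}


def analyze(records):
    """Return rule hits for post-compromise IAM persistence and EC2 abuse."""
    by_actor = defaultdict(list)
    for ev in sorted(records, key=lambda e: e["eventTime"]):
        by_actor[ev["userIdentity"].get("arn", "unknown")].append(ev)

    hits = []
    for actor, evs in by_actor.items():
        # Users this principal created during the window under review.
        created = {_rp(e).get("userName") for e in evs if e["eventName"] == "CreateUser"}
        for e in evs:
            name, rp = e["eventName"], _rp(e)
            if name in ("AttachUserPolicy", "PutUserPolicy") and rp.get("userName") in created:
                # PutUserPolicy carries an inline document, not a policyArn, so it rates medium.
                sev = "high" if rp.get("policyArn") == ADMIN_POLICY else "medium"
                hits.append({"rule": "new_user_granted_policy", "actor": actor,
                             "user": rp["userName"], "severity": sev})
            elif name == "CreateAccessKey" and rp.get("userName") in created:
                hits.append({"rule": "new_user_access_key", "actor": actor,
                             "user": rp["userName"], "severity": "high"})
            elif name == "RunInstances":
                count = int(rp.get("maxCount", 1))
                region = e["awsRegion"]
                if region not in BASELINE_REGIONS or count >= 10:
                    hits.append({"rule": "anomalous_run_instances", "actor": actor,
                                 "region": region, "count": count, "severity": "high"})
    return hits


if __name__ == "__main__":
    for h in analyze(load_records(SAMPLE_CLOUDTRAIL)):
        print(h)
```

The first two rules key on the pair "this principal created the user, then this principal empowered it", which is a much rarer pattern for a CI or deployment key than either call alone. When one fires, the key that performed the actions is the compromised one; disabling only the new user leaves the attacker's original foothold in place.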
The FBI has called for information on Androxgh0st malware from organizations that detect suspicious or criminal activity related to this threat. CISA has also updated its Known Exploited Vulnerabilities Catalog, adding the CVE-2018-15133 Laravel deserialization of untrusted data vulnerability based on evidence of active exploitation. Federal agencies have been instructed to secure their systems against these attacks by February 6, emphasizing the critical nature of the situation. The vulnerabilities CVE-2021-41773 and CVE-2017-9841 were previously added to the catalog in November 2021 and February 2022, respectively.
Defending against Androxgh0st comes down to closing the doors it uses. Patch PHPUnit, Apache HTTP Server, and Laravel against the three CVEs above, and remove development dependencies such as PHPUnit from production deployments altogether. Keep .env files outside the web root, or configure the web server to deny requests for dotfiles, and treat every secret in any .env that was ever reachable over HTTP, the APP_KEY included, as compromised and rotate it. Enforce multi-factor authentication for cloud and email-provider accounts, and scope API keys for services such as SendGrid and Twilio to the minimum permissions they need. Finally, monitor for the follow-on activity: .env requests that return 200, unexpected IAM user or policy creation, access keys minted for new users, and instance launches in unusual regions or volumes, so that a stolen credential is caught and revoked before it is used to stage the next campaign.