The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued warnings about the proliferation of the AndroxGh0st malware. This Python-based malware is a key tool in the creation of a botnet aimed at identifying and exploiting victims within target networks.
Origins and Evolution of AndroxGh0st
The cloud attack tool specializes in infiltrating servers that are vulnerable to known security flaws. Once inside, it reads Laravel environment files and exfiltrates the credentials they hold for major services such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio.
The malware has been exploiting notable flaws, including CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework). These vulnerabilities provide gateways for attackers to gain access to, and control over, vital resources and data.
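The initial-access behaviour above (probing for exposed Laravel environment files and for the three listed CVEs) leaves a clear trail in ordinary web-server access logs. The script below is an added example written for this article, not code from CISA, the FBI, or any of the vendors cited: it parses Apache/nginx combined-format log lines and flags the request paths associated with each technique. The detection patterns are assumptions based on public descriptions of the CVEs and on Laravel's convention of keeping secrets in a `.env` file; the log lines are constructed sample data. A 200 response to one of these probes is the signal that matters, because it means the file or handler was actually reachable and the host's credentials should be treated as exposed.

```python
import re
from dataclasses import dataclass

# Apache/nginx "combined" LogFormat. Assumption: adjust the regex if your
# server writes a different format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Detection rules. These patterns are this example's assumptions, derived from
# public knowledge of the CVEs and of Laravel's .env layout, not from the article.
RULES = [
    ("laravel-env-exposure", re.compile(r"(^|/)\.env(\.[a-z]+)?$", re.I)),
    ("cve-2017-9841-phpunit", re.compile(r"/vendor/phpunit/", re.I)),
    ("cve-2021-41773-traversal", re.compile(r"/cgi-bin/.*(%2e|\.\.)", re.I)),
]


@dataclass
class Hit:
    ip: str
    path: str
    status: int
    rule: str


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Run every rule over every parsable line; first matching rule wins per line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["path"]):
                hits.append(Hit(rec["ip"], rec["path"], int(rec["status"]), name))
                break
    return hits


def summarize(hits):
    """Per source IP: probe count, rules tripped, and whether any probe returned 200."""
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h.ip, {"count": 0, "succeeded": False, "rules": set()})
        entry["count"] += 1
        entry["rules"].add(h.rule)
        if h.status == 200:
            entry["succeeded"] = True  # file/handler was reachable: rotate credentials
    return by_ip


# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jan/2024:10:01:03 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Jan/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Jan/2024:10:02:11 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/7.68"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, info in summarize(triage(SAMPLE_LOG)).items():
        flag = "CREDENTIALS EXPOSED" if info["succeeded"] else "probe only"
        print(f"{ip}: {info['count']} hit(s), rules={sorted(info['rules'])}, {flag}")
```

Run it against a real access log with `triage(open(path))`; the per-IP summary separates noisy scanners (404/403 only) from hosts where a `.env` read actually succeeded, which is the case that warrants credential rotation for every service named in that file.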
The Versatility and Danger of AndroxGh0st
Lacework’s analysis reveals that AndroxGh0st possesses multiple features for SMTP abuse, which include scanning, exploitation of exposed credentials and APIs, and even the deployment of web shells.
For AWS, specifically, the malware is not only capable of scanning for and parsing AWS keys but also possesses the ability to generate keys for brute-force attacks. The stolen AWS credentials are then used to create new users and policies, and in some cases, to set up new AWS instances for further malicious activities.
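The post-compromise sequence described here (stolen key creates a user, attaches a policy, launches instances) is visible in AWS CloudTrail. The script below is an added example for this article, not code from any of the cited organizations: it groups watched CloudTrail `eventName` values by the access key that issued them and flags a key that moves through at least two of the three stages within a short window. The event names are real CloudTrail API names; the stage grouping, the 30-minute window and the log records are this example's own assumptions, and the records are constructed sample data using the AWS documentation placeholder key id.

```python
import json
from datetime import datetime, timedelta

# Real CloudTrail eventName values; the grouping into stages is this example's assumption.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
PRIVILEGE_EVENTS = {"PutUserPolicy", "AttachUserPolicy", "AttachRolePolicy", "CreatePolicy"}
COMPUTE_EVENTS = {"RunInstances"}


def classify(event_name):
    """Map a CloudTrail eventName to the stage it belongs to, or None if unwatched."""
    if event_name in PERSISTENCE_EVENTS:
        return "persistence"
    if event_name in PRIVILEGE_EVENTS:
        return "privilege"
    if event_name in COMPUTE_EVENTS:
        return "compute"
    return None


def load_records(raw_json):
    """CloudTrail log files are {"Records": [...]}; also accept a bare list."""
    data = json.loads(raw_json)
    return data["Records"] if isinstance(data, dict) else data


def find_suspicious_keys(records, window=timedelta(minutes=30)):
    """Return one finding per access key that hit >= 2 stages inside `window`."""
    by_key = {}
    for rec in records:
        stage = classify(rec.get("eventName"))
        if stage is None:
            continue
        key_id = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
        ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
        by_key.setdefault(key_id, []).append(
            (ts, stage, rec.get("eventName"), rec.get("sourceIPAddress"))
        )

    findings = []
    for key_id, events in by_key.items():
        events.sort(key=lambda e: e[0])
        stages = {e[1] for e in events}
        span = events[-1][0] - events[0][0]
        if len(stages) >= 2 and span <= window:
            findings.append({
                "accessKeyId": key_id,
                "stages": sorted(stages),
                "events": [e[2] for e in events],
                "sourceIPs": sorted({e[3] for e in events if e[3]}),
                "spanMinutes": span.total_seconds() / 60,
            })
    return findings


def _rec(time, name, key_id, ip):
    # Minimal constructed CloudTrail record; real records carry many more fields.
    return {
        "eventTime": time, "eventName": name, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
    }


# Constructed sample trail. AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder key id.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-01-05T10:00:00Z", "CreateUser", "AKIAIOSFODNN7EXAMPLE", "203.0.113.7"),
    _rec("2024-01-05T10:02:00Z", "AttachUserPolicy", "AKIAIOSFODNN7EXAMPLE", "203.0.113.7"),
    _rec("2024-01-05T10:15:00Z", "RunInstances", "AKIAIOSFODNN7EXAMPLE", "203.0.113.7"),
    _rec("2024-01-05T10:20:00Z", "DescribeInstances", "AKIAEXAMPLECONSTR002", "198.51.100.9"),
    _rec("2024-01-05T09:00:00Z", "CreateUser", "AKIAEXAMPLECONSTR003", "198.51.100.9"),
]})

if __name__ == "__main__":
    for f in find_suspicious_keys(load_records(SAMPLE_TRAIL)):
        print(f"{f['accessKeyId']}: {f['events']} from {f['sourceIPs']} in {f['spanMinutes']:.0f} min")
```

The lone `CreateUser` under the third key is deliberately not flagged: a single administrative call is routine, and the pattern worth paging on is the chain of identity creation, privilege grant and compute launch from one key. In production, feed the function the records from a CloudTrail S3 delivery or an Athena query, and treat any finding as a reason to disable the key and audit what it created.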
Persistent Threat and Cloud Malware Advancements
The multifaceted nature of AndroxGh0st makes it a formidable threat capable of downloading additional payloads and maintaining persistent access to compromised systems. Alex Delamotte, a senior threat researcher at SentinelLabs, emphasizes the significance of CISA’s advisory against this type of cloud-focused malware, noting their uncommon nature and the persistent nuisance caused by AndroxGh0st, as observed in honeypot network connections.
The Broader Context: FBot and Botnet Scanning Spike
This advisory comes on the heels of a revelation by SentinelOne about a related but distinct tool named FBot, used by attackers to infiltrate web servers, cloud services, content management systems (CMS), and SaaS platforms. Delamotte remarks on the evolving cloud threat landscape, highlighting how tools like AlienFox and Legion are integrating code from other tools like AndroxGh0st and FBot into a comprehensive ecosystem. This trend is expected to continue as actors find novel ways to monetize cloud services, leading to the emergence of tailored tools for specific services, especially in the realm of exploiting mail services for spam attacks.
The Surge in Botnet Activities
An alert from NETSCOUT has pointed out a significant increase in botnet scanning activity since mid-November 2023, reaching a peak of nearly 1.3 million distinct devices by January 5, 2024.
The majority of these source IP addresses are traced back to the U.S., China, Vietnam, Taiwan, and Russia. This analysis has unveiled a trend in the use of cheap or free cloud and hosting servers by attackers to establish botnet launch pads. These servers, often acquired through trials, free accounts, or low-cost accounts, offer anonymity and minimal overhead, facilitating their malicious use.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his knowledge and technical management capabilities go well beyond these. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.