
Cybersecurity researchers have detailed a malware strain called AndroxGh0st that is used to target Laravel applications and steal sensitive data.
Kashinath T Pattan, a researcher at Juniper Threat Lab, said: “It works by scanning .env files and extracting important information from them, thereby displaying login details related to AWS and Twilio.”
“Classified as an SMTP cracker, it uses various tactics to exploit SMTP, such as credential exploitation, web shell deployment, and vulnerability scanning.”
AndroxGh0st has been detected in the wild since at least 2022, and is used by threat actors to access Laravel environment files and steal credentials for various cloud-based applications such as Amazon Web Services (AWS), SendGrid, and Twilio.
Known attack chains involving the Python-based malware exploit known security vulnerabilities in Apache HTTP Server, the Laravel Framework, and PHPUnit to gain initial access, escalate privileges, and establish persistence.

In early January this year, U.S. cybersecurity and intelligence agencies warned that attackers are deploying the AndroxGh0st malware to create botnets that “identify and exploit victims within target networks.”
“Androxgh0st first gained entry via a vulnerability in Apache, identified as CVE-2021-41773, allowing it to access vulnerable systems,” Pattan explained.
“It then exploited other vulnerabilities, specifically CVE-2017-9841 and CVE-2018-15133, to execute code and establish persistent control, essentially taking over the target system.”
Androxgh0st is designed to steal sensitive data from a variety of sources, including .env files, repositories, and cloud credentials. This allows threat actors to deliver additional payloads to infected systems.
Juniper Threat Labs said it has observed an increase in activity related to exploiting CVE-2017-9841, so users must quickly update their instances to the latest version.
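The article describes AndroxGh0st probing for exposed .env files and abusing PHPUnit (CVE-2017-9841). A practical defender-side check is to scan web server access logs for exactly those request patterns. The following is an added example, not code from Juniper or from the article; the log lines are constructed, the IP addresses are documentation-range placeholders, and the two path patterns (any `.env` file, and anything under the `/vendor/phpunit/` directory that the CVE-2017-9841 exploit path lives in) are the author's choice of signature.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:12:02:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:12:03:11 +0000] "GET /laravel/.env HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-path signatures tied to the behaviour the article describes.
# Assumption: these two patterns are sufficient for this illustration; real
# deployments would tune them to their own application layout.
SIGNATURES = [
    # ".env" as a path component, optionally with a suffix such as ".env.bak" or a query string
    ("env_file_request", re.compile(r'(?:^|/)\.env(?:[.?]|$)')),
    # PHPUnit shipped under vendor/ is the target of CVE-2017-9841 probes
    ("phpunit_vendor_path", re.compile(r'/vendor/phpunit/', re.IGNORECASE)),
]


def classify(path):
    """Return the signature label a request path matches, or None."""
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return label
    return None


def scan(log_text):
    """Parse log lines and return a list of findings for suspicious requests.

    A .env request that the server answered with 200 is rated 'high' because
    the file contents (and any credentials in them) may have been served.
    """
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        label = classify(match["path"])
        if label is None:
            continue
        served = match["status"] == "200"
        severity = "high" if (label == "env_file_request" and served) else "medium"
        findings.append({
            "ip": match["ip"],
            "time": match["ts"],
            "method": match["method"],
            "path": match["path"],
            "status": int(match["status"]),
            "label": label,
            "severity": severity,
        })
    return findings


def summarize(findings):
    """Count suspicious requests per source IP, useful for blocklist triage."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:14} {f['method']} {f['path']} -> {f['status']} ({f['label']})")
    print("per-source counts:", summarize(results))
```

Beyond alerting, the same scan is a cheap configuration check: any `.env` request answered with 200 means the web server is serving files that should never be inside the document root.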

It added that most attack attempts against its honeypot infrastructure came from the United States, United Kingdom, China, Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia and India.
This development comes as the AhnLab Security Intelligence Center (ASEC) revealed that vulnerable WebLogic servers located in South Korea are being targeted by attackers and used as download servers to distribute a cryptocurrency miner called z0Miner along with other tools such as Fast Reverse Proxy (FRP).
Sysdig also discovered a malicious campaign that infiltrated AWS instances, created more than 6,000 EC2 instances in minutes, and deployed binaries related to a decentralized content delivery network (CDN) called Meson Network.
The Singapore-based company aims to create “the world’s largest bandwidth marketplace” by allowing users to exchange idle bandwidth and storage resources with Meson for tokens (i.e. rewards).

“This means miners will receive Meson tokens as a reward for providing servers to the Meson Network platform, and the reward will be calculated based on the amount of bandwidth and storage brought to the network,” Sysdig said in a technical report released this month.
“It’s not all about mining cryptocurrency anymore. Services like the Meson network want to utilize hard drive space and network bandwidth instead of CPU. While Meson may be a legitimate service, this shows that attackers are always on the lookout for new ways to make money.”
As cloud environments become increasingly lucrative targets for threat actors, it is critical to keep software up to date and monitor for suspicious activity.
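The Meson Network campaign above stands out by volume: thousands of EC2 instances launched within minutes by one compromised identity. That shape is easy to catch in CloudTrail without any knowledge of the specific binary. The following is an added example, not Sysdig's tooling or the article's code; the CloudTrail records are constructed (account ID, user names and instance IDs are placeholders), and the window and threshold are illustrative values an operator would tune to their own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time_str, arn, count):
    """Build a constructed RunInstances CloudTrail record with `count` launched instances.

    Real RunInstances records list the launched instances under
    responseElements.instancesSet.items; only the fields used below are included.
    """
    return {
        "eventTime": time_str,
        "eventName": "RunInstances",
        "awsRegion": "us-east-1",
        "userIdentity": {"arn": arn},
        "responseElements": {
            "instancesSet": {"items": [{"instanceId": f"i-{i:08x}"} for i in range(count)]}
        },
    }


# Placeholder principals: a normal deploy user and one behaving like the campaign.
NORMAL = "arn:aws:iam::123456789012:user/ci-deploy"
SUSPECT = "arn:aws:iam::123456789012:user/compromised-dev"

# Constructed sample: two small routine launches, one unrelated API call, then
# 30 RunInstances calls of 4 instances each within a single minute (120 instances).
SAMPLE_EVENTS = [
    _event("2024-03-10T12:00:00Z", NORMAL, 2),
    _event("2024-03-10T12:10:00Z", NORMAL, 2),
    {"eventTime": "2024-03-10T12:11:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": NORMAL}},
] + [_event(f"2024-03-10T12:30:{s:02d}Z", SUSPECT, 4) for s in range(0, 60, 2)]


def _launched(event):
    """Number of instances a RunInstances call returned; 1 if the record lacks the detail."""
    try:
        return len(event["responseElements"]["instancesSet"]["items"])
    except (KeyError, TypeError):
        return 1


def detect_launch_bursts(events, window=timedelta(minutes=5), threshold=50):
    """Alert on any principal that launched >= `threshold` instances within `window`.

    Uses a sliding window over the time-sorted launches of each principal and
    reports the peak instance count seen in any window.
    """
    per_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "RunInstances":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        per_principal[arn].append((ts, _launched(ev)))

    alerts = []
    for arn, launches in per_principal.items():
        launches.sort()
        start, running, peak, peak_at = 0, 0, 0, None
        for ts, n in launches:
            running += n
            # Drop launches that fell out of the window ending at `ts`.
            while launches[start][0] < ts - window:
                running -= launches[start][1]
                start += 1
            if running > peak:
                peak, peak_at = running, launches[start][0]
        if peak >= threshold:
            alerts.append({
                "principal": arn,
                "instances_in_window": peak,
                "window_start": peak_at.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_launch_bursts(SAMPLE_EVENTS):
        print(f"BURST {alert['principal']}: {alert['instances_in_window']} instances "
              f"from {alert['window_start']}")
```

The threshold should sit well above the account's legitimate autoscaling peaks; the value that matters is instances, not API calls, because a single RunInstances call can request many instances at once.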
Threat intelligence company Permiso has also released a tool called CloudGrappler, which is built on cloudgrep and can scan AWS and Azure to flag malicious events related to well-known threat actors.