
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warn that threat actors are deploying the AndroxGh0st malware to build a botnet for “victim identification and exploitation within the target network.”
AndroxGh0st is Python-based malware first documented by Lacework in December 2022. It inspired several similar tools, such as AlienFox, GreenBot (aka Maintance), Legion, and Predator.
This cloud-focused attack tool compromises servers affected by known vulnerabilities in order to read Laravel environment (.env) files and steal credentials for widely used services such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio.

Some notable flaws exploited by attackers include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework).
“AndroxGh0st has multiple capabilities that enable SMTP abuse, including scanning, exploiting exposed credentials and APIs, and even deploying a web shell,” Lacework said. “Specifically for AWS, the malware scans and parses AWS keys, but is also able to generate keys for brute-force attacks.”

These capabilities make AndroxGh0st a serious threat: it can be used to download additional payloads and maintain persistent access to infected systems.
Less than a week earlier, SentinelOne disclosed a related but distinct tool called FBot that attackers are using to compromise web servers, cloud services, content management systems (CMS), and SaaS platforms.
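As an added example (not code from the advisory, CISA, or Lacework): a small Python scanner that runs over constructed web-server access-log lines and flags the probing described above, namely requests for Laravel .env files, the PHPUnit eval-stdin endpoint associated with CVE-2017-9841, and the encoded-dot path traversal associated with CVE-2021-41773, grouping hits per source IP. The indicator regexes and the log lines are assumptions made for this example, not published detection rules.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Hypothetical detection rules written for this example (not CISA's or Lacework's):
# Laravel environment-file probes, the PHPUnit eval-stdin endpoint (CVE-2017-9841),
# and encoded-dot path traversal of the kind used against CVE-2021-41773.
INDICATORS = {
    "laravel_env_probe": re.compile(r"(^|/)\.env(\.[\w.-]+)?$"),
    "phpunit_eval_stdin": re.compile(r"/phpunit/.*/eval-stdin\.php$"),
    "apache_path_traversal": re.compile(r"/\.\./|%2e%2e|/\.%2e/", re.IGNORECASE),
}

# Apache/nginx combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(path):
    """Return the sorted indicator names that match a request path (query string stripped)."""
    decoded = unquote(path.split("?", 1)[0])
    # Check both the raw and the URL-decoded form so encoded traversal is not missed.
    return sorted({name for name, rx in INDICATORS.items() if rx.search(path) or rx.search(decoded)})

def scan_access_log(lines):
    """Group suspicious requests per source IP; returns {ip: {indicator: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for name in classify(m.group("path")):
            hits[m.group("ip")][name] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196',
    '203.0.113.7 - - [05/Jan/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196',
    '198.51.100.9 - - [05/Jan/2024:10:02:11 +0000] "GET /cgi-bin/.%2e/.%2e/app/.env HTTP/1.1" 400 226',
    '192.0.2.44 - - [05/Jan/2024:10:03:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, counts in scan_access_log(SAMPLE_LOG).items():
        print(ip, counts)
```

Feeding a real access log in line by line gives a per-source summary that can be turned into a block list or an alert; a 404 on these paths still indicates scanning and is worth tracking.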

NETSCOUT also issued an alert stating that botnet scanning activity has risen sharply since mid-November 2023, peaking at nearly 1.3 million unique devices on January 5, 2024. Most of the source IP addresses were located in the United States, China, Vietnam, Taiwan, and Russia.
“Analysis of the activity found an increase in the use of cheap or free cloud and hosted servers used by attackers to create botnet launch pads,” the company said. “These servers are offered through trials, free accounts, or low-cost accounts that provide anonymity and minimal maintenance overhead.”