The bad actors behind the Androxgh0st malware are building a botnet they can use to identify victims and exploit vulnerable networks to steal confidential information from such high-profile cloud applications as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio, according to two government agencies.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued a warning this week about the botnet threat from Androxgh0st, which searches for .env files containing the confidential information.

The malware, first detected by Lacework researchers in 2022, “also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs) and web shell deployment,” FBI and CISA wrote.

They added that by reviewing various ongoing investigations and third-party reporting, they were able to determine the indications of compromise (IOCs) and techniques, tactics, and procedures (TTPs) associated with the Python-based malware and clued the agencies into how Androxgh0st is establishing a botnet to further identify and compromise vulnerable networks.

“Androxgh0st malware TTPs commonly involves the use of scripts, conducting scanning and searching for websites with specific vulnerabilities,” the agencies wrote. ‘In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on fallible websites via PHPUnit.”

PHPUnit is a testing framework for the PHP programming language. Androxgh0st tends to target .env files in Laravel applications. Laravel is an open-source PHP framework whose .env files contain the sensitive configuration data, including credentials and tokens, according to Callie Guenther, senior manager of cyberthreat research at Critical Start.

The malware also is known to exploit other vulnerabilities, including CVE-2018-15133 in Laravel applications and CVE-2021-41773 in Apache HTTP Server versions.

Also this week, CISA added the Laravel application flaw to its list of known exploited vulnerabilities.

Clouds and Cyberthreats

John Smith, CEO at the IT services and consulting firm Conversant Group, said AndroxGh0st is further proof of the cyberthreats facing cloud environments and the importance of understanding that the cloud is not inherently safe.

Smith called the malware “an SMTP cracker used for cryptojacking, spamming, or malicious email campaigns. It primarily targets cloud environments (such as AWS), looking for exposed .env files to extract keys.”

In addition, though it’s rare, the malware also can “generate keys for brute force attacks. It exploits unpatched vulnerabilities in web applications to move laterally and maintain persistence by creating accounts and elevating permissions,” he said.

AndroxGh0st Emerges

In late 2022, Lacework researchers wrote that during that year, almost a third of compromised key incidents they saw were for spamming or malicious email campaigns, adding that “the majority of this activity has been linked to the same python malware dubbed AndroxGh0st.”

In its most recent look at AndroxGh0st, Fortinet’s FortiGuard Labs group found that this week there are more than 40,000 hosts compromised by the malware, a drop down from a high of about 50,000 in the first week of the year.

“Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework,” the FBI and CISA wrote. “After identifying websites using the Laravel web application, threat actors attempt to determine if the domain’s root-level .env file is exposed and contains credentials for accessing additional services.”

If the .env file is exposed, the bad actors will try to access the data. Hackers running Androxgh0st also scan vulnerable web servers that run some versions of Apache HTTP Server to wrest confidential information and establish persistence.

“If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations,” the agencies wrote. “For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies.”

In addition, the bad actors also have been see creating new AWS instances to run additional scanning activities, they wrote.