CISA and FBI have jointly issued a warning about the threat posed by AndroxGh0st malware, emphasizing its use in establishing a botnet for “victim identification and exploitation within target networks.” Originating in a Lacework report from December 2022, AndroxGh0st, a Python-based malware, has spawned similar tools such as AlienFox, GreenBot (aka Maintance), Legion, and Predator.

This cloud attack tool is proficient at breaching servers with known security vulnerabilities to gain access to Laravel environment files. Subsequently, it pilfers credentials for high-profile applications like AWS, Microsoft Office 365, SendGrid, and Twilio. Notable vulnerabilities exploited by AndroxGh0st include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework).

AndroxGh0st Malware Capabilities

Lacework highlights AndroxGh0st’s capabilities in enabling SMTP abuse through scanning, exploiting exposed credentials and APIs, and deploying web shells. Specifically for AWS, the malware not only scans and parses AWS keys but also possesses the capability to generate keys for brute-force attacks.

Compromised AWS credentials are utilized to create new users, user policies, and in some instances, set up new AWS instances for further malicious scanning activities. These functionalities make AndroxGh0st malware a formidable threat capable of downloading additional payloads and maintaining persistent access to compromised systems.

SentinelLabs’ Alex Delamotte notes the rarity of cloud-focused malware advisories and commends CISA for addressing this type of threat. This advisory follows SentinelOne’s revelation of a related but distinct tool called FBot, used by attackers to breach web servers, cloud services, CMS, and SaaS platforms.

Delamotte emphasizes the evolving cloud threat landscape, where tools like AlienFox and Legion integrate code from AndroxGh0st and FBot into a holistic ecosystem. As cloud services continue to be monetized, tailored tools are expected to emerge for specific services, similar to those targeting mail services for spamming attacks.

Final Words

In conclusion, the joint advisory from CISA and FBI underscores the escalating danger posed by AndroxGh0st malware and its derivatives. Due to their emphasis on taking advantage of known vulnerabilities, these attacks necessitate proactive cybersecurity measures and increased awareness, especially in cloud environments. As the landscape continues to evolve, collaboration and awareness remain crucial in mitigating the risks posed by these sophisticated cloud-based attacks.

The sources for this article include a story from TheHackerNews.

The post CISA and FBI Warn of AndroxGh0st Malware Threat appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/cisa-and-fbi-warn-of-androxgh0st-malware-threat/