AndroxGh0st targets Laravel applications, scanning and extracting login credentials for AWS and Twilio from .env files.
AndroxGh0st, previously identified as an SMTP cracker, utilizes multiple strategies including credential exploitation, web shell deployment, and vulnerability scanning. However, its primary objective is to compromise hosts and extract critical data from Laravel applications, showcasing adaptive capabilities.
Androxgh0st Exploits SMTP
According to Juniper’s reports, the malware boasts menu options that showcase its full range of functionalities and features.
These options include “awslimitcheck,” “sendgridcheck,” “twilio_sender,” “exploit,” and many others, each with distinct usages and capabilities.
The “awslimitcheck” option is utilized to verify AWS account limits and gather information on email-sending quotas.
Similarly, the “sendgridcheck” option is tailored to inspect and report crucial details regarding a SendGrid API key, including total email credits, used credits, and the ‘Mail from’ address linked with the SendGrid account.
The “Twilio_sender” function facilitates sending SMS messages through the Twilio API, as well as verifying the Twilio account status and balance, and conducting a test SMS to a predefined number.
Meanwhile, the “exploit” function targets the PHP unit testing framework, enabling the execution of arbitrary PHP code by sending a crafted POST request to a specific URI.
Furthermore, the malware exploits three critical vulnerabilities found in Laravel web applications, identified by the CVEs CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773.
The attack chain begins by gaining access to the vulnerable system through CVE-2021-41773, which exploits a weakness in Apache.
Subsequently, the malware leverages CVE-2017-9841 and CVE-2018-15133 to execute code and establish persistent control over the targeted system.
While AndroxGh0st offers diverse functions for various purposes, executing these actions on targeted systems poses several challenges for threat actors.
The awslimitcheck function demands valid AWS credentials, the Boto3 library, and proper AWS SES (Simple Email Service) configuration.
For the sendgridcheck function, a valid SendGrid API key with necessary permissions is essential to retrieve required information.
The twilio_sender option necessitates a valid Twilio account, Auth token, and Twilio phone number with sufficient balance for data extraction and SMS sending.
Lastly, the exploit option relies on the presence of the PHPUnit vulnerability in the target system for successful exploitation.
Furthermore, the threat actor needs knowledge of the vulnerable URI and must craft a payload to bypass any existing security measures.
Additionally, validating successful exploitation requires access to server logs and other monitoring mechanisms.
Should the malware successfully exploit CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773, the potential consequences include data breaches and network disruptions.
Indicators Of Compromise
File Samples
- f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88 – AndroxGhost python sample
- 3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a – AndroxGhost python sample
Linux Miners
- 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066 – Linux Miner dropped
- 6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc – Linux Miner dropped
- bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7 – Linux miner dropped
PHP Webshell
- ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72 – PHP Webshell
- 0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef – PHP Webshell
TOP IP – Attack Originated From
- 103.121.39[.]54
- 185.16.39[.]37
- 155.138.245[.]246
- 149.50.102[.]48
- 45.143.200[.]14
- 45.135.232[.]19
- 45.129.14[.]224
- 91.92.245[.]67
- 64.225.6[.]114
- 122.189.200[.]188
- 66.135.11[.]147
- 155.248.212[.]175
- 118.31.17[.]168
- 45.135.232[.]28
- 77.90.185[.]106
- 194.26.135[.]68
- 218.107.208[.]71
- 172.98.33[.]153
- 5.255.115[.]40
- 45.134.26[.]85
- 180.101.88[.]225
- 180.101.88[.]237
- 80.66.76[.]80
- 83.97.73[.]76
- 91.240.118[.]221
- 91.240.118[.]228
- 109.123.229[.]56
- 213.109.202[.]210
- 213.109.202[.]145
- 180.101.88[.]230
- 180.101.88[.]220
- 103.96.40[.]38
- 128.199.237[.]61
- 173.199.117[.]55
- 62.20441[.]80
- 77.83.36[.]40
- 103.255.191[.]43
- 213.109[.]202.167
- 141[.]98.11.107
- 162.0[.]234.118
- 91.240.118[.]224
- 185.248[.]2476
- 185.161.248[.]148
- 38.175.192[.]78
- 176.113.115[.]220
- 77.90.185[.]102
- 80.66.66[.]225
- 200.54.189[.]98
- 185.234.216[.]125
- 176.113.115[.]184
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment