AndroxGh0st Malware Targets Laravel Applications to Extract Cloud Credentials

Malware Attack

AndroxGh0st, identified as an SMTP cracker, is adept at extracting crucial information from .env files, exposing login credentials associated with services like AWS and Twilio, according to Juniper Threat Labs researcher Kashinath T Pattan.

The Python-based malware has been active in the wild since at least 2022, with threat actors exploiting it to compromise Laravel environment files and steal credentials for cloud-based platforms including Amazon Web Services (AWS), SendGrid, and Twilio.

The attack vectors involving AndroxGh0st often exploit known vulnerabilities in Apache HTTP Server, Laravel Framework, and PHPUnit for initial access, privilege escalation, and maintaining persistence.

Recent warnings from U.S. cybersecurity agencies highlight the deployment of AndroxGh0st by attackers to create botnets for identifying and exploiting vulnerabilities in target networks.

The malware typically exploits security weaknesses such as CVE-2021-41773 in Apache to gain entry, followed by leveraging CVE-2017-9841 and CVE-2018-15133 to execute code and establish persistent control over compromised systems.

AndroxGh0st's primary objective is to exfiltrate sensitive data from various sources, including .env files, databases, and cloud credentials, allowing threat actors to deploy additional payloads.

An increase in exploit attempts targeting CVE-2017-9841 underscores the importance of promptly updating instances to the latest versions.

Meanwhile, AhnLab Security Intelligence Center (ASEC) reveals ongoing attacks targeting vulnerable WebLogic servers in South Korea, repurposing them as download servers to distribute cryptocurrency miners and tools like fast reverse proxies (FRP).

Additionally, a malicious campaign infiltrating AWS instances to spawn thousands of EC2 instances and deploy binaries associated with a decentralized content delivery network (CDN) named Meson Network has been uncovered.

As cloud environments emerge as lucrative targets, maintaining software updates and vigilant monitoring for suspicious activity become imperative. Threat intelligence provider Permiso introduces CloudGrappler, a tool designed to scan AWS and Azure environments for malicious events associated with known threat actors.