CISA and the FBI have issued a joint advisory warning that threat actors are deploying the AndroxGh0st malware to build a botnet that scans for, identifies, and exploits vulnerable hosts in target networks.
Initially observed by Lacework in December 2022, AndroxGh0st, a Python-based malware, has spawned similar tools such as AlienFox, GreenBot (also known as Maintance), Legion, and Predator.
This cloud attack tool can breach servers with known vulnerabilities to access Laravel environment files and pilfer credentials from prominent applications like AWS, Microsoft Office 365, SendGrid, and Twilio.
Among the vulnerabilities exploited are CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework).
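Because the tool's first step is retrieving a Laravel `.env` file over HTTP, the simplest host-side signal a defender has is a web access log showing probes for `.env` paths, and in particular ones that were answered with a 200. The following detector is an added example written for this article, not code from the advisory or from any of the researchers quoted; the log lines are constructed in combined log format and the IP addresses are documentation-range placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# The 200 responses model a server that actually exposed its .env file.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jan/2024:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jan/2024:10:01:04 +0000] "POST /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2024:10:02:11 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.44 - - [05/Jan/2024:10:03:00 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Matches /.env anywhere in the path, including variants such as /.env.bak or /.env.local.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_env_probe(entry):
    """True when the request path targets a dotenv file (query string ignored)."""
    path = entry["path"].split("?", 1)[0]
    return bool(ENV_PATH_RE.search(path))


def scan_log(text):
    """Collect every .env probe, noting whether the server served it (HTTP 200)."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_env_probe(entry):
            status = int(entry["status"])
            findings.append({
                "ip": entry["ip"],
                "method": entry["method"],
                "path": entry["path"],
                "status": status,
                "served": status == 200,  # a served .env means credentials likely leaked
            })
    return findings


def summarize(findings):
    """Per-source counts plus the subset of probes that actually succeeded."""
    per_ip = Counter(f["ip"] for f in findings)
    served = [f for f in findings if f["served"]]
    return {"probes": len(findings), "per_ip": dict(per_ip), "served": served}


if __name__ == "__main__":
    report = summarize(scan_log(SAMPLE_LOG))
    print(f"{report['probes']} .env probes from {len(report['per_ip'])} sources")
    for hit in report["served"]:
        print("SERVED .env:", hit["ip"], hit["method"], hit["path"])
```

A 404 on `/.env` is scanner noise worth counting per source; a 200 is an incident, because every secret in that file (database, mail, and cloud API credentials) should then be treated as exposed and rotated.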
Lacework highlighted AndroxGh0st’s SMTP abuse capabilities, including scanning, exploiting exposed credentials and APIs, and deploying web shells. For AWS in particular, the malware scans for and parses AWS keys, and can even generate candidate keys for brute-force attacks.
Compromised AWS credentials are utilized to create new users, user policies, and, in some cases, set up new AWS instances for further malicious scanning activities.
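The post-compromise sequence described above (create a user, attach a policy, launch instances) is visible in CloudTrail as a chain of IAM and EC2 API calls from the same stolen access key within a short window. The following correlator is an added example written for this article, not code from the advisory or from AWS; the records are constructed to follow the real CloudTrail field names (`eventName`, `eventSource`, `userIdentity.accessKeyId`, `sourceIPAddress`), while the key ids, timestamps and IP addresses are placeholders.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (field names follow the real CloudTrail schema;
# access key ids, times and IP addresses are made up for this example).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-05T10:00:00Z", "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-05T10:00:30Z", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-05T10:00:45Z", "eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-05T10:01:10Z", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-05T10:05:00Z", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-01-05T11:00:00Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-05T11:30:00Z", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"}, "sourceIPAddress": "198.51.100.7"},
]

# Real IAM/EC2 API names grouped by the stage of the chain the article describes.
STAGE_EVENTS = {
    "persist_user": {"CreateUser", "CreateAccessKey", "CreateLoginProfile"},
    "escalate": {"PutUserPolicy", "AttachUserPolicy", "AddUserToGroup"},
    "launch": {"RunInstances"},
}
WINDOW = timedelta(minutes=30)  # assumed correlation window; tune to your environment


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW):
    """Group events by access key and score each key's first persistence event by
    how many stages of the chain follow it within the window."""
    by_key = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        by_key.setdefault(key, []).append(ev)

    alerts = []
    for key, evs in by_key.items():
        for i, first in enumerate(evs):
            if first["eventName"] not in STAGE_EVENTS["persist_user"]:
                continue
            t0 = parse_time(first["eventTime"])
            stages = {"persist_user"}
            ips = {first["sourceIPAddress"]}
            for later in evs[i + 1:]:
                if parse_time(later["eventTime"]) - t0 > window:
                    break
                for stage, names in STAGE_EVENTS.items():
                    if later["eventName"] in names:
                        stages.add(stage)
                ips.add(later["sourceIPAddress"])
            severity = {1: "low", 2: "medium", 3: "high"}[len(stages)]
            alerts.append({
                "accessKeyId": key,
                "start": first["eventTime"],
                "stages": sorted(stages),
                "source_ips": sorted(ips),
                "severity": severity,
            })
            break  # one alert per access key, anchored on its first persistence call
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["accessKeyId"], alert["stages"], alert["source_ips"])
```

A single `CreateUser` from a long-lived key is only low severity on its own, since administrators do that legitimately; the full chain from one key in a few minutes, especially from a source IP the key has never used before, is the pattern to page on, and the response is to disable the key, remove the created principals, and terminate the instances it launched.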
These functionalities render AndroxGh0st a formidable threat capable of downloading additional payloads and maintaining persistent access to compromised systems.
Alex Delamotte, a senior threat researcher at SentinelLabs, noted the prevalence of AndroxGh0st-related user-agent strings in network connections scanning honeypots. Delamotte praised CISA’s issuance of an advisory against such threats, highlighting the rarity of cloud-focused malware advisories.
This advisory coincides with the recent revelation by SentinelOne regarding a distinct tool named FBot, employed by attackers to breach web servers, cloud services, content management systems, and SaaS platforms.
Delamotte emphasized the trend of the cloud threat landscape borrowing code from various tools, integrating them into a comprehensive ecosystem, exemplified by AlienFox and Legion leveraging AndroxGh0st and FBot, respectively.
The alert follows NETSCOUT’s report of a significant surge in botnet scanning activity since mid-November 2023, peaking at nearly 1.3 million distinct devices on January 5, 2024. The majority of source IP addresses are traced back to the U.S., China, Vietnam, Taiwan, and Russia.
NETSCOUT’s analysis revealed a rise in the use of inexpensive or free cloud and hosting servers by attackers to establish botnet launch pads, leveraging trials, free accounts, or low-cost accounts to maintain anonymity and minimize overhead.