Androxgh0st Botnet Malware Steals AWS, Microsoft Credentials

/in


Threat actors use botnet malware to gain access to the network of compromised systems that enable them to perform several types of illicit activities.

They get attracted to botnet malware due to its distributed and anonymous infrastructure, which makes it stealthy and sophisticated.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently discovered that hackers are actively deploying Androxgh0st botnet malware that steals AWS and Microsoft credentials.

Document

Free Webinar

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Androxgh0st Botnet Malware

Androxgh0st malware builds a botnet to find and exploit victims in target networks. It’s a Python-scripted threat targeting .env files with sensitive data, like credentials for AWS, Office 365, SendGrid, and Twilio. 

This botnet malware, “Androxgh0st,” also misuses SMTP for scanning, exploiting credentials and APIs, and deploying web shells on compromised targeted systems.

To scan for websites with vulnerabilities, Androxgh0st malware uses scripts by exploiting CVE-2017-9841 to run PHP code remotely via PHPUnit.

It targets /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI on websites with exposed /vendor folders, which allows threat actors to execute code. 

Not only that, but this malware also enables downloading malicious files, setting up fake pages for backdoor access, and accessing databases in cyber operations.

The malware targets the .env files for credentials, and to scan Laravel web applications, it forms a botnet.

Threat actors issue GET/POST requests to /.env URI by searching for usernames, passwords, and more. In debug mode, they use a POST variable (0x[]) as an identifier. 

If successful, they access email, AWS credentials, and the Laravel application key. 

Besides this, by exploiting CVE-2018-15133, they encrypt PHP code to pass…

Source…