The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have shared tactics, techniques, and procedures (TTPs) along with Indicators of Compromise associated with threat actors behind the Androxgh0st malware.
Androxgh0st is Python-based malware primarily used to target the .env files of the Laravel web application framework, which contain confidential information such as credentials for high-profile services like Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio. The malware has been observed building a botnet for credential theft.
Laravel is an open-source PHP framework, and the Laravel .env file is often targeted for the configuration data it holds, including AWS, SendGrid, and Twilio credentials.
“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment,” the two agencies wrote in a joint security alert.
Androxgh0st targets servers and websites vulnerable to a number of security vulnerabilities that could lead to remote code execution, including CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework).
“If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations,” the agencies said.
The advisory recommends the following steps to prevent Androxgh0st attacks:
- Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
- Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
- Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.
- On a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
- Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
- Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, Pastebin, etc., particularly when the request accesses a .php file.
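The host-side checks in the list above (debug mode, credentials in .env, stray PHP files in the PHPUnit folder, vulnerable Apache versions), written as a small audit script a defender can run against a Laravel web root; this is an added example, not code from the advisory or from CISA/FBI. The credential key names, the PHPUnit allow-list, and the constructed sample web root are assumptions; eval-stdin.php is the file CVE-2017-9841 concerns and should not be present on a patched install.

```sh
#!/bin/sh
# Added example, not from the advisory: audit a Laravel web root for the conditions
# the CISA/FBI mitigations list. Key names, PHPUnit allow-list and sample data are assumptions.
# Credential keys the mitigations say should not live in .env (assumed list).
ENV_SECRET_KEYS='AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|SENDGRID_API_KEY|TWILIO_AUTH_TOKEN|MAIL_PASSWORD'
# Returns 1 (finding) when $1/.env sets APP_DEBUG=true; 0 otherwise.
check_app_debug() {
    env_file="$1/.env"
    [ -f "$env_file" ] || return 0
    grep -Eiq '^[[:space:]]*APP_DEBUG[[:space:]]*=[[:space:]]*"?true"?' "$env_file" || return 0
    echo "FINDING: APP_DEBUG=true in $env_file"
    return 1
}
# Prints how many listed credential keys in $1/.env carry a non-empty value.
count_env_secrets() {
    env_file="$1/.env"
    [ -f "$env_file" ] || { echo 0; return 0; }
    grep -Ec "^[[:space:]]*($ENV_SECRET_KEYS)[[:space:]]*=[[:space:]]*[^[:space:]]" "$env_file" || true
}
# Prints PHP files in the PHPUnit Util/PHP folder beyond the ones PHPUnit ships (assumed
# allow-list); eval-stdin.php, the file CVE-2017-9841 concerns, is deliberately not on it.
find_unexpected_phpunit_php() {
    php_dir="$1/vendor/phpunit/phpunit/src/Util/PHP"
    [ -d "$php_dir" ] || return 0
    find "$php_dir" -type f -name '*.php' \
        | grep -Ev '/(AbstractPhpProcess|DefaultPhpProcess|WindowsPhpProcess)\.php$' || true
}
# Succeeds when a "Server version:" line from `httpd -v` names 2.4.49 or 2.4.50.
apache_version_is_exploitable() {
    printf '%s\n' "$1" | grep -Eq 'Apache/2\.4\.(49|50)([^0-9]|$)'
}
# Constructed sample web root (demo data only); prints its path.
make_sample_root() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/vendor/phpunit/phpunit/src/Util/PHP"
    printf '%s\n' 'APP_DEBUG=true' 'AWS_ACCESS_KEY_ID=AKIA_CONSTRUCTED' \
        'AWS_SECRET_ACCESS_KEY=constructed' 'SENDGRID_API_KEY=' > "$sample_root/.env"
    touch "$sample_root/vendor/phpunit/phpunit/src/Util/PHP/DefaultPhpProcess.php" \
          "$sample_root/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
    echo "$sample_root"
}
# Usage: sh audit.sh /var/www/app ; with no argument the constructed sample root is audited.
web_root="${1:-$(make_sample_root)}"
check_app_debug "$web_root" || true
echo "credential keys with values in $web_root/.env: $(count_env_secrets "$web_root")"
find_unexpected_phpunit_php "$web_root" | sed 's/^/FINDING: unexpected PHP file: /'
```

The Apache check takes the version line as an argument so it can be fed from `httpd -v` or `apache2 -v` output on the host, or from a fleet inventory.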