FBI warns against cloud credential-stealing Androxgh0st botnet

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency (CISA) have published an urgent advisory about the Androxgh0st botnet, which is being used to steal cloud credentials from major platforms, including AWS, SendGrid, and Microsoft Office 365.

Initially identified by Lacework Labs in 2022, Androxgh0st is a Python-scripted malware designed to infiltrate and exploit vulnerabilities in various web frameworks and servers, primarily targeting .env files that store sensitive cloud credentials.

Androxgh0st scans for websites and servers using older versions of PHPUnit, PHP web frameworks, and Apache web servers that have known remote code execution (RCE) vulnerabilities.

About 68% of Androxgh0st malware’s SMTP abuses originate from Windows systems, with 87% of attacks executed through Python, according to Lacework Labs’ analysis.

A tell-tale sign of the malware is unusual web requests to specific server locations, CISA said.

Once it identifies a vulnerable system, Androxgh0st extracts credentials from .env files, which often contain access keys for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio.

The malware can also self-replicate by using the compromised AWS credentials to create new users and instances, allowing it to expand its reach and scan for more vulnerable targets across the internet.

CISA and the FBI have encouraged service providers to update their versions of Apache, regularly review cloud credentials stored in .env files, and set up servers to auto-reject any requests to access resources unless specifically authorized.
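Two of the points above lend themselves to a small defender-side script: the "unusual web requests to specific server locations" CISA describes, and the recommendation to review the credentials kept in .env files. The following Python is an added example written for this page, not code from CISA, the FBI, Lacework, or Fortiguard. It parses combined-format access-log lines and flags any request for a .env file (treating a 2xx response as the serious case, because it means the file was actually served), and it parses a .env file to list the keys whose names suggest a credential so they can be reviewed and rotated. The log lines, the .env contents, the IP addresses and the key-name pattern are all constructed assumptions for the example.

```python
"""Added example: spot web requests for .env files in access logs and inventory
credential-like keys in a .env file for review. Sample data is constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: host ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Matches "/.env" and variants such "/.env.bak" or "/app/.env.production".
ENV_PATH_RE = re.compile(r'(?:^|/)\.env(?:\.[\w.-]+)?$', re.IGNORECASE)

# Assumed key-name heuristic: names containing these words are treated as credentials.
CREDENTIAL_KEY_RE = re.compile(r'(KEY|SECRET|TOKEN|PASSWORD|PASSWD|PWD|SID)', re.IGNORECASE)


def parse_log_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding and drop the query string so "/.env?x=1" and "/%2Eenv" both become "/.env".
    rec["path"] = unquote(rec["target"]).split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_env_requests(lines):
    """Flag every request whose path points at a .env file; 'served' is True when the server answered 2xx."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and ENV_PATH_RE.search(rec["path"]):
            rec["served"] = 200 <= rec["status"] < 300
            hits.append(rec)
    return hits


def hosts_by_hits(hits):
    """Count flagged requests per source host, to see who is probing for the file."""
    return Counter(h["host"] for h in hits)


def parse_env(text):
    """Minimal .env parser: KEY=value lines, optional 'export ', quoted values, '#' comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]          # strip matching quotes
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop trailing unquoted comment
        env[key] = value
    return env


def credential_keys(env):
    """Keys whose name looks like a credential and whose value is set: the ones to review and rotate."""
    return sorted(k for k, v in env.items() if v and CREDENTIAL_KEY_RE.search(k))


def masked(value):
    """Show only a short prefix so a review report never reproduces the secret itself."""
    return value[:4] + "*" * max(len(value) - 4, 0)


# Constructed sample log: one probe that was served (200), one blocked (403), one missing (404).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:08:15:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:08:15:09 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jan/2024:08:15:10 +0000] "GET /backup/.env.bak HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '192.0.2.44 - - [10/Jan/2024:08:16:41 +0000] "GET /.env?x=1 HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Jan/2024:08:17:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Constructed sample .env; every value is fake.
SAMPLE_ENV = """
# constructed sample, values are fake
APP_NAME=shop
APP_DEBUG=false
export AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000
AWS_SECRET_ACCESS_KEY="fake/secret/value+000000000000000000000"
SENDGRID_API_KEY='SG.fake-key-for-example'
TWILIO_ACCOUNT_SID=ACfake00000000000000000000000000000
TWILIO_AUTH_TOKEN=
MAIL_HOST=smtp.example.com
"""

if __name__ == "__main__":
    hits = find_env_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['host']:15} {h['path']:22} status={h['status']} served={h['served']}")
    print("probing hosts:", dict(hosts_by_hits(hits)))
    env = parse_env(SAMPLE_ENV)
    for k in credential_keys(env):
        print(f"review/rotate: {k}={masked(env[k])}")
```

A request for `/.env` that returns 200 is the line to act on first: it means the file is inside the web root and the server served it, so every credential it holds should be treated as exposed and rotated, and the server configured to refuse such requests. The key-name pattern is a heuristic; extend it with whatever naming convention the application uses.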

According to experts, poor patch management in organizations and the number of servers running outdated software are the reasons behind the rapid spread of this malware.

At its peak in early January, nearly 50,000 devices were infected, but that number has since dropped to around 9,300, data from Fortiguard showed.

How attackers use Androxgh0st to steal data

Aside from stealing credentials to launch spam campaigns, attackers can use the credentials to harvest personally identifiable information (PII) from services.

The crypto industry, for example, has been hit particularly hard with this sort of attack, with the bad actors not targeting digital assets — stored in segregated offline wallets — but rather the users’ PII stored in third-party services like SendGrid and Twilio.

Bad actors compiling this data can use it to build dossiers known as “fullz,” which contain all the personal information required to steal an identity and open credit lines and are sold on darknet markets, or they can use it in sophisticated phishing attacks that draw on the stolen data to build a believable narrative.
