FBI and CISA Report: Persistent Threats of Androxgh0st Malware
Malicious actors exploit vulnerabilities, known for several years, to deploy the Androxgh0st malware and create a botnet aimed at stealing cloud-based credentials. This has been reported by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) of the United States.
In a joint warning issued on January 16, the agencies stated that the Python-based malware primarily targets “.env” files containing credentials for AWS, Microsoft Office 365, SendGrid, and Twilio.
Beyond scanning and exploiting stolen credentials, Androxgh0st can also be used for deploying web shells, executing remote code, pilfering sensitive data, and creating new users and AWS instances.
For instance, in the event of a successful compromise of AWS credentials on a vulnerable website, malefactors attempt to create new users and user policies. Operators of Androxgh0st have been observed creating new AWS instances to conduct additional scans.
The perpetrators behind the distribution of Androxgh0st favor three old vulnerabilities, for which patches have long been released: CVE-2017-9841 (a command injection vulnerability in PHPUnit), CVE-2018-15133 (an insecure deserialization vulnerability in the Laravel web application leading to remote code execution), and CVE-2021-41773 (a path traversal vulnerability in Apache HTTP Server, also leading to remote code execution).
CVE-2017-9841 allows remote execution of PHP code through a malicious HTTP POST request and downloading files onto the system hosting the compromised website. Malefactors can install a deceptive page to establish a “backdoor” to the site, enabling them to download additional malicious files and gain access to databases.
The malware also scans Laravel websites whose “.env” files are accessible, sending GET or POST requests to steal credentials and tokens.
The third method, exploiting a vulnerability in Apache HTTP Server versions 2.4.49 or 2.4.50, allows path traversal attacks. Malefactors scan URLs that are not protected by the “Request all denied” configuration and lack Common Gateway Interface (CGI) scripts, facilitating remote code execution attacks.
In the security alert published by the agencies, a list of indicators of Androxgh0st compromise is also provided. The FBI and CISA suggest several measures to mitigate the risk of infection.
One tactic is to ensure that Apache servers do not use vulnerable versions 2.4.49 or 2.4.50. It’s also crucial to verify that the default configuration for all URLs prohibits any requests unless there are legitimate reasons for access.
Furthermore, it’s recommended to regularly review platforms and services listing credentials in “.env” files, checking for unauthorized usage.
Lastly, as always, timely updating of operating systems, device firmware, and other software is recommended. However, as can be noted from the exploitation of well-known vulnerabilities, few apply this advice in practice.