The US cybersecurity agency CISA and the FBI have issued a joint advisory warning about the Androxgh0st malware creating a botnet to identify and target vulnerable networks.
The agencies said the Python-based malware primarily targets .env files containing sensitive information, including credentials for AWS, Microsoft Office 365, SendGrid, and Twilio.
The threat can also abuse the Simple Mail Transfer Protocol (SMTP) for scanning, exploitation of stolen credentials and APIs, and web shell deployment, CISA and the FBI note.
According to the advisory, the cybercriminals behind the Androxgh0st operation were also observed using scripts to scan for websites affected by specific vulnerabilities, including CVE-2017-9841, a PHPUnit bug leading to PHP code execution via HTTP POST requests. The attacks target websites that have the /vendor folder exposed to the internet.
“Malicious actors likely use Androxgh0st to download malicious files to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases,” according to the CISA/FBI alert.
The advisory said the Androxgh0st botnet scans for websites using the Laravel framework, looking for exposed root-level .env files that contain credentials for additional services. The malware operators then issue requests to retrieve the sensitive information stored in those files.
“Androxgh0st malware can also access the application key for the Laravel application on the website. If the threat actors successfully identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code.”
As part of this activity, the threat actors exploit CVE-2018-15133, a deserialization-of-untrusted-data flaw that allows them to upload files to the vulnerable websites. CISA added the security defect to its Known Exploited Vulnerabilities catalog on Tuesday.
The Androxgh0st operators also target CVE-2021-41773, a path traversal in Apache HTTP Server versions 2.4.49 and 2.4.50 leading to remote code execution.
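The three probing patterns described above (requests for exposed .env files, requests into an internet-reachable /vendor folder, and encoded path-traversal attempts of the CVE-2021-41773 kind) all leave a recognisable trace in ordinary web server access logs. The following Python script is an added example, not code from the advisory or from CISA/FBI: it parses lines in the Apache/Nginx "combined" log format, URL-decodes each request path (twice, so that double-encoded dots are not missed), tags requests matching those patterns, and singles out any .env request that was answered with HTTP 200, which means the server actually served the file. The log lines, IP addresses and timestamps are constructed for the example; the label names are the author's own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx "combined" access log format (referer and user-agent are optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Jan/2024:10:01:03 +0000] "POST /laravel/.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Jan/2024:10:01:05 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Jan/2024:10:01:07 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jan/2024:10:02:01 +0000] "GET /assets/app.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]


def decode_path(raw_path):
    """URL-decode a request path twice so that %2e and %252e both become '.'."""
    return unquote(unquote(raw_path))


def classify_request(method, raw_path):
    """Return the list of Androxgh0st-style labels that apply to one request.

    An empty list means the request matched none of the patterns."""
    labels = []
    path = decode_path(raw_path).split("?", 1)[0]  # drop the query string
    segments = path.split("/")
    lowered = path.lower()

    # 1. Exposed .env probe: any path segment that is exactly ".env" or ".env.<suffix>".
    if any(seg == ".env" or seg.startswith(".env.") for seg in segments):
        labels.append("env-file-probe")

    # 2. Request into a /vendor folder; a PHPUnit path inside it is the
    #    CVE-2017-9841 pattern the advisory describes.
    if "/vendor/" in lowered:
        labels.append("vendor-dir-probe")
        if "/vendor/phpunit/" in lowered:
            labels.append("phpunit-cve-2017-9841")

    # 3. Path traversal: after decoding, a ".." segment remains in the path
    #    (this is how CVE-2021-41773 probes with encoded dots show up).
    if ".." in segments:
        labels.append("path-traversal")

    return labels


def scan_log(lines):
    """Parse log lines; return (findings, counter-of-labels)."""
    findings = []
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        labels = classify_request(m["method"], m["path"])
        if labels:
            findings.append({
                "ip": m["ip"],
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
                "labels": labels,
            })
            counts.update(labels)
    return findings, counts


def exposed_env_hits(findings):
    """Findings where a .env request got HTTP 200, i.e. the file was served.

    These are the ones to treat as a credential leak, not just a probe."""
    return [f for f in findings
            if "env-file-probe" in f["labels"] and f["status"] == 200]


def sources_by_hit_count(findings):
    """Count suspicious requests per source IP, for alerting or blocklists."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found, totals = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:>14} {f['method']:<4} {f['status']} {f['path']}  <- {', '.join(f['labels'])}")
    print("label totals:", dict(totals))
    print("served .env files:", [f["path"] for f in exposed_env_hits(found)])
    print("per-source counts:", dict(sources_by_hit_count(found)))
```

In the sample, the first line is the important one: a 200 on /.env means the Laravel root-level .env file was served, so every credential it holds (AWS, Office 365, SendGrid, Twilio, the Laravel application key) should be rotated, regardless of whether the remaining probes returned 404 or 403.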
“If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations.”
The agencies released indicators of compromise (IoCs) associated with the Androxgh0st malware operations, as well as recommended mitigations, urging organizations to apply them as soon as possible.