The US government, through the FBI and CISA, has issued a joint advisory warning about the Androxgh0st malware [1]. The malware can establish a botnet and targets vulnerable networks [3], in particular systems running the Laravel Framework and Apache Web Server [4].

Description

The Androxgh0st malware [1] [2] [3] [4] [5] [6], written in Python, exploits vulnerabilities in systems such as the Laravel Framework and Apache Web Server. Hackers use these vulnerabilities, such as CVE-2018-15133 in Laravel, to gain remote code execution and steal credentials from exposed .env files [4]. The malware also uses CVE-2021-41773 to detect vulnerable Apache Web Server instances and execute code on them [4].

Androxgh0st abuses the Simple Mail Transfer Protocol (SMTP) [1] and scans for exposed credentials and APIs in order to identify and exploit victims [1]. Organizations are advised to take preventive measures: keep operating systems and software up to date, verify default configurations [1], remove cloud credentials from .env files [1] [2], review platforms for unauthorized access [1], scan for unrecognized PHP files [1], review outgoing GET requests [1], and validate security programs [1]. Regular inspection and monitoring of cloud environments are also recommended, since the malware primarily targets them [1].

The Cybersecurity and Infrastructure Security Agency (CISA) recommends patching operating systems [4], software [1] [2] [4] [6], and firmware to defend against Androxgh0st. Specifically, CISA advises updating Apache servers running versions 2.4.49 or 2.4.50 and patching the known vulnerabilities CVE-2018-15133 and CVE-2021-41773, for which vendors have already released fixes [4]. Prioritizing patches for known exploited vulnerabilities in internet-facing systems is an efficient and cost-effective way to minimize cybersecurity threats [4].

Protecting against Androxgh0st [1] [6] requires strong security measures [6], such as regularly updating software and using strong passwords [6]. The mitigations outlined in the joint Cybersecurity Advisory released by the FBI and CISA should be implemented to reduce the risk of incidents caused by Androxgh0st infections.

Conclusion

Hackers are using the Androxgh0st malware to steal credentials and launch spam campaigns [2], targeting Microsoft and AWS assets and building a dangerous botnet [2]. The malware exploits vulnerabilities [2], specifically CVE-2017-9841 [2], CVE-2021-41773 [2] [4] [6], and CVE-2018-15133 [2] [4] [6], to compromise computers and servers [2]. It retrieves sensitive data [2], including login credentials for AWS and Microsoft assets [2], from .env files [1] [2]. Androxgh0st can also abuse SMTP to check email account limits and mount phishing and spam campaigns [2]. Hackers can create fake pages on compromised websites to gain backdoor access to databases holding sensitive information [2].

To mitigate the threat [2], the FBI and CISA recommend updating operating systems [2], software [1] [2] [4] [6], and firmware [2] [4], securing Apache servers [2] [4], configuring URIs to deny all requests [2], disabling debug or testing mode for Laravel applications [2], and not storing cloud credentials in .env files [2]. Organizations should take these steps to protect their systems and data from Androxgh0st infections.
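Two of the mitigations listed above (no cloud credentials in .env files, no debug or testing mode on Laravel applications) can be checked mechanically. The script below is an added example, not code from the advisory or from any cited source; it assumes the stock Laravel .env key names (APP_ENV, APP_DEBUG, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, MAIL_USERNAME, MAIL_PASSWORD) and runs against a constructed sample file.

```python
import re

# Stock Laravel .env keys that hold cloud or mail credentials (assumption: extend for your own app).
CREDENTIAL_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "MAIL_USERNAME", "MAIL_PASSWORD")

# Constructed sample .env; every value is a placeholder, not a real secret.
SAMPLE_ENV = """\
# constructed sample, not a real deployment
APP_NAME=Laravel
APP_ENV=local
APP_DEBUG=true
AWS_ACCESS_KEY_ID=AKIAPLACEHOLDER0000
AWS_SECRET_ACCESS_KEY="placeholder/secret/value" # inline comment
MAIL_USERNAME=
MAIL_PASSWORD='placeholder-password'
"""

# Double-quoted, single-quoted, or bare value up to an unquoted '#' comment.
_VALUE = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^#]*)')

def parse_env(text: str) -> dict[str, str]:
    """Parse dotenv KEY=value lines: skip blanks and comments, honour quotes and trailing comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        match = _VALUE.match(value.strip())
        env[key.strip()] = next(g for g in match.groups() if g is not None).strip()
    return env

def audit_env(text: str) -> list[str]:
    """Return one finding per setting that the FBI/CISA mitigations say should not be present."""
    env = parse_env(text)
    findings: list[str] = []
    if env.get("APP_DEBUG", "").lower() in ("true", "1"):
        findings.append("APP_DEBUG=true: Laravel debug mode is on and can expose configuration, including secrets")
    app_env = env.get("APP_ENV", "").lower()
    if app_env and app_env != "production":
        findings.append(f"APP_ENV={app_env}: application is in a testing or development mode")
    for key in CREDENTIAL_KEYS:
        if env.get(key):
            findings.append(f"{key} is set: move this credential out of .env (secrets manager or instance role)")
    return findings

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print(finding)
```

Point the script at each application's real .env (for example via `audit_env(open(path).read())`) and treat any finding as a configuration to fix before an attacker reads the file.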

References

[1] https://www.infosecurity-magazine.com/news/us-government-androxgh0st-malware/
[2] https://www.techradar.com/pro/security/fbi-warns-criminals-are-building-a-dangerous-new-botnet-and-its-after-your-microsoft-or-aws-logins-and-more
[3] https://www.cybersecurity-review.com/known-indicators-of-compromise-associated-with-androxgh0st-malware/
[4] https://heimdalsecurity.com/blog/androxgh0st-malware-iocs-and-ttps/
[5] https://executivegov.com/2024/01/cyber-advisory-details-indicators-of-compromise-from-androxgh0st-malware-attacks/
[6] https://csirt.cynet.ac.cy/latest-alerts/alerts/known-indicators-of-compromise-associated-with-androxgh0st-malware/