The US cybersecurity agency CISA and the FBI have issued a joint advisory warning about the Androxgh0st malware creating a botnet to identify and target vulnerable networks.
Written in Python, the malware primarily targets .env files containing sensitive information, including credentials for AWS, Microsoft Office 365, SendGrid, and Twilio, the agencies said.
The threat can also abuse the Simple Mail Transfer Protocol (SMTP) for scanning, for exploiting stolen credentials and APIs, and for web shell deployment, CISA and the FBI note.
According to the advisory, cybercriminals behind the Androxgh0st operation were also observed using scripts to scan for websites plagued by specific vulnerabilities, including CVE-2017-9841, a PHPUnit bug leading to PHP code execution via HTTP POST requests.
The attacks target websites that expose their /vendor folder to the internet.
The advisory said the Androxgh0st botnet also scans for websites built on the Laravel framework, looking for root-level .env files exposed to the web that contain credentials for additional services.
The malware operators then issue requests to retrieve the sensitive information stored in those files.
As part of this activity, the threat actors exploit CVE-2018-15133, a deserialization of untrusted data flaw in Laravel that, once the application key (APP_KEY) has been harvested from an exposed .env file, lets them run code on and upload files to the vulnerable websites.
CISA added the security defect to its Known Exploited Vulnerabilities catalog on Tuesday.
The Androxgh0st operators also target CVE-2021-41773, a path traversal in Apache HTTP Server versions 2.4.49 and 2.4.50 (the incomplete fix in 2.4.50 is tracked separately as CVE-2021-42013) that leads to remote code execution when CGI scripts are enabled on the server.
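The three probes described above (requests for exposed .env files, the PHPUnit eval-stdin.php endpoint under /vendor, and the encoded Apache path traversal) leave recognisable traces in ordinary web server access logs. The following detection routine is an added example, not code from the advisory or from SecurityWeek: it assumes Apache/nginx "combined" log format, the request patterns are derived from the advisory's description of the techniques rather than from its published IOCs, and the log lines are constructed for illustration.

```python
"""Flag Androxgh0st-style probes in Apache/nginx combined-format access logs.

Added example (not the advisory's or SecurityWeek's code). Indicator patterns
follow the three techniques the advisory describes; SAMPLE_LOG below is
constructed, not captured traffic.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicator regexes, applied to the URL-decoded request path.
ENV_FILE = re.compile(r"(^|/)\.env([./?#]|$)")          # /.env, /app/.env.bak, /.env?x=1
PHPUNIT = re.compile(r"/vendor/.*eval-stdin\.php", re.I)  # CVE-2017-9841 endpoint
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")                # ".." segment after decoding

# Constructed sample: two scanner sources and one legitimate client.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2024:10:01:12 +0000] "GET /.env HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:10:01:13 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2024:10:02:40 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.7 - - [16/Jan/2024:10:02:41 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.55 - - [16/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.55 - - [16/Jan/2024:10:03:05 +0000] "GET /static/environment.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the combined-format fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def decode_path(path):
    """URL-decode twice so single-encoded (%2e) and double-encoded (%%32%65)
    traversal bytes both collapse to a literal '..' segment."""
    return unquote(unquote(path))


def classify(path):
    """Return the list of indicator names matched by one request path."""
    decoded = decode_path(path)
    hits = []
    if ENV_FILE.search(decoded):
        hits.append("env_file_probe")
    if PHPUNIT.search(decoded):
        hits.append("phpunit_eval_stdin")
    if TRAVERSAL.search(decoded):
        hits.append("path_traversal")
    return hits


def scan(log_text):
    """One finding per (line, indicator). 'served' is True when the server
    answered 200, meaning the probed resource (e.g. the .env file) was actually
    delivered and the incident should be treated as a credential exposure."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for indicator in classify(rec["path"]):
            findings.append({
                "ip": rec["ip"],
                "method": rec["method"],
                "path": rec["path"],
                "indicator": indicator,
                "served": rec["status"] == 200,
            })
    return findings


def by_source(findings):
    """Group distinct indicators per client IP; one source touching several
    techniques in a short window is scanner behaviour rather than a stray hit."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["ip"]].add(f["indicator"])
    return dict(grouped)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(by_source(scan(SAMPLE_LOG)))
```

The decisive field is `served`: a 404 or 403 on these paths records a probe, while a 200 on `GET /.env` means the file left the server and every secret in it (cloud, mail and SMS API credentials, and the Laravel APP_KEY) must be rotated rather than merely blocked.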
The agencies released indicators of compromise associated with the Androxgh0st malware operations, as well as recommended mitigations, urging organizations to apply them as soon as possible.
This Cyber News was published on www.securityweek.com. Publication date: Wed, 17 Jan 2024 17:13:05 +0000