AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials
21.3.24  Virus  The Hacker News

Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that's used to target Laravel applications and steal sensitive data.

"It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio," Juniper Threat Labs researcher Kashinath T Pattan said.

"Classified as an SMTP cracker, it exploits SMTP using various strategies such as credential exploitation, web shell deployment, and vulnerability scanning."

AndroxGh0st has been detected in the wild since at least 2022, with threat actors leveraging it to access Laravel environment files and steal credentials for various cloud-based applications like Amazon Web Services (AWS), SendGrid, and Twilio.

Attack chains involving the Python malware are known to exploit known security flaws in Apache HTTP Server, Laravel Framework, and PHPUnit to gain initial access and for privilege escalation and persistence.

Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."

"Androxgh0st first gains entry through a weakness in Apache, identified as CVE-2021-41773, allowing it to access vulnerable systems," Pattan explained.

"Following this, it exploits additional vulnerabilities, specifically CVE-2017-9841 and CVE-2018-15133, to execute code and establish persistent control, essentially taking over the targeted systems."

Androxgh0st is designed to exfiltrate sensitive data from various sources, including .env files, databases, and cloud credentials. This allows threat actors to deliver additional payloads to compromised systems.

Juniper Threat Labs said it has observed an uptick in activity related to the exploitation of CVE-2017-9841, making it essential that users move quickly to update their instances to the latest version.


A majority of the attack attempts targeting its honeypot infrastructure originated from the U.S., U.K., China, the Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia, and India, it added.

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that vulnerable WebLogic servers located in South Korea are being targeted by adversaries and used them as download servers to distribute a cryptocurrency miner called z0Miner and other tools like fast reverse proxy (FRP).

It also follows the discovery of a malicious campaign that infiltrates AWS instances to create over 6,000 EC2 instances within minutes and deploy a binary associated with a decentralized content delivery network (CDN) known as Meson Network.

The Singapore-based company, which aims to create the "world's largest bandwidth marketplace," works by allowing users to exchange their idle bandwidth and storage resources with Meson for tokens (i.e., rewards).

"This means miners will receive Meson tokens as a reward for providing servers to the Meson Network platform, and the reward will be calculated based on the amount of bandwidth and storage brought into the network," Sysdig said in a technical report published this month.

"It isn't all about mining cryptocurrency anymore. Services like Meson network want to leverage hard drive space and network bandwidth instead of CPU. While Meson may be a legitimate service, this shows that attackers are always on the lookout for new ways to make money."

With cloud environments increasingly becoming a lucrative target for threat actors, it is critical to keep software up to date and monitor for suspicious activity.

Threat intelligence firm Permiso has also released a tool called CloudGrappler, that's built on top of the foundations of cloudgrep and scans AWS and Azure for flagging malicious events related to well-known threat actors.