On January 16, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Androxgh0st malware [1]. Androxgh0st targets .env files that contain confidential data for cloud services such as AWS, Office 365, SendGrid, and Twilio in order to build a botnet. The malware also exploits known, critical vulnerabilities to abuse its targets' web applications.
In this blog, we explain the vulnerabilities used by Androxgh0st malware and how organizations can defend themselves against Androxgh0st attacks.
Androxgh0st Malware
Androxgh0st malware was first observed in late April 2022 and is designed to extract confidential information from exposed Laravel .env files. Laravel applications use the .env file as a repository for environment variables, which are key-value pairs that store sensitive or configuration-specific information, including credentials for cloud services such as AWS, Office 365, SendGrid, and Twilio. Additionally, adversaries use Androxgh0st for scanning, deploying webshells, and exploiting exposed credentials and APIs.
Androxgh0st malware often targets vulnerable web services and abuses known vulnerabilities such as PHPUnit CVE-2017-9841, Laravel CVE-2018-15133, and Apache CVE-2021-41773.
PHPUnit CVE-2017-9841 Vulnerability
As an initial access vector, Androxgh0st threat actors abuse the PHPUnit CVE-2017-9841 vulnerability. This vulnerability allows adversaries to execute arbitrary commands on the target web service by sending malicious HTTP POST requests to PHPUnit's eval-stdin.php script.
curl --data "<?php <malicious_payload>;" http://localhost:8888/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Example 1: PoC Exploit for PHPUnit CVE-2017-9841 RCE Vulnerability
After initial access, adversaries deploy the Androxgh0st malware to download additional malware and backdoors to the compromised network. Organizations are advised to patch their vulnerable PHPUnit modules as soon as possible.
Laravel Framework CVE-2018-15133 Vulnerability
As another initial access vector, adversaries utilize a botnet to scan for websites that use the Laravel web application framework and look for a publicly exposed root-level .env file. Since .env files are commonly used to store credentials and access tokens, adversaries aim to extract sensitive information from these files to access users' email and AWS accounts.
Moreover, Androxgh0st threat actors abuse the Laravel CVE-2018-15133 vulnerability for remote code execution. The vulnerability allows adversaries to execute arbitrary commands remotely using XSRF token values. Adversaries exploit this vulnerability by encrypting their malicious PHP payload with the Laravel application key and crafting an HTTP GET request with the payload as an XSRF token cookie.
Organizations are advised to ensure their live Laravel applications are not in debug or testing mode. Also, all cloud credentials should be removed from .env files and revoked.
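The two pieces of guidance above (no debug or testing mode on live Laravel applications, and no cloud credentials left in .env) can be turned into a quick audit of a .env file. The following Python script is an added example, not code from the original post or from Picus; it assumes the standard Laravel variable names APP_ENV, APP_DEBUG and APP_KEY, and the sample .env content it parses is constructed for illustration (the values are not real credentials).

```python
import re

# Constructed sample .env for a Laravel application (illustrative values only, not real
# credentials and not taken from the CISA advisory).
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXA=
DB_PASSWORD=secret
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE
AWS_SECRET_ACCESS_KEY=examplesecret
MAIL_PASSWORD=
SENDGRID_API_KEY="SG.example"
TWILIO_AUTH_TOKEN=
# comment line, ignored by the parser
"""

# Key names that usually hold a secret. Heuristic: extend it for your own naming scheme.
CREDENTIAL_KEY_RE = re.compile(r"SECRET|PASSWORD|TOKEN|API_KEY|ACCESS_KEY", re.I)


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; skips blanks and comments, strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def audit_env(text):
    """Return (key, reason) findings for the settings the advisory's guidance flags."""
    env = parse_env(text)
    findings = []
    if env.get("APP_DEBUG", "").lower() == "true":
        findings.append(("APP_DEBUG", "debug mode enabled; must be false on a live application"))
    if env.get("APP_ENV", "") != "production":
        findings.append(("APP_ENV", f"environment is {env.get('APP_ENV') or 'unset'}, not production"))
    if env.get("APP_KEY"):
        # The application key is what CVE-2018-15133 abuse needs to encrypt a payload,
        # so a key from a file that was ever reachable over HTTP must be rotated.
        findings.append(("APP_KEY", "application key present; rotate it if this file was exposed"))
    for key, value in env.items():
        if value and CREDENTIAL_KEY_RE.search(key):
            findings.append((key, "credential stored in .env; move it to a secrets manager and revoke the old value"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_env(SAMPLE_ENV):
        print(f"{key:24} {reason}")
```

Empty values (MAIL_PASSWORD, TWILIO_AUTH_TOKEN in the sample) are not reported, since an empty assignment leaks nothing; everything else that looks like a secret is listed so it can be moved out of the file and rotated.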
Apache CVE-2021-41773 Vulnerability
Androxgh0st threat actors are also observed to scan for web servers running Apache versions 2.4.49 or 2.4.50. These two versions are vulnerable to the CVE-2021-41773 path traversal vulnerability, and adversaries use this vulnerability to obtain credentials and execute code remotely.
http://$host/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd
Example 2: PoC Exploit for Apache CVE-2021-41773 RCE Vulnerability
Organizations are advised to patch their vulnerable Apache servers as soon as possible. For more detailed information, you can check our blog post on Apache CVE-2021-41773 vulnerability.
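All three initial-access techniques described above leave a recognizable trace in web server access logs: a request to PHPUnit's eval-stdin.php, a request for a root-level .env file, and a URL-encoded path traversal of the CVE-2021-41773 form. The following Python script is an added example for log review, not code from the original post or from Picus; it assumes the Apache/nginx combined log format, and the four log lines it scans are constructed for illustration (the IP addresses are documentation ranges, not indicators from the advisory).

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format. They are illustrative
# only and are not indicators taken from the CISA advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2024:10:00:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [16/Jan/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.12 - - [16/Jan/2024:10:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.68.0"
198.51.100.5 - - [16/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PHPUNIT_EVAL = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def classify_request(method, target):
    """Map one request line to a finding label, or None if it matches nothing.

    The path is URL-decoded twice so that encoded dots (.%2e) and double-encoded
    variants (.%252e) are normalised before the traversal check.
    """
    path = target.split("?", 1)[0]
    decoded = unquote(unquote(path))
    # The exploit sends a POST with the PHP body, but a GET probe of the same path
    # is scanning activity and is worth a look as well.
    if decoded.endswith(PHPUNIT_EVAL):
        return "phpunit-eval-stdin (CVE-2017-9841)"
    if decoded.rsplit("/", 1)[-1] == ".env":
        return "env-file-request"
    if "/../" in decoded or decoded.endswith("/.."):
        return "path-traversal (CVE-2021-41773 pattern)"
    return None


def scan_log(text):
    """Return findings for every matching request line as (ip, label, status)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m["method"], m["target"])
        if label:
            # A 200 on these paths is the signal to escalate; a 403/404 means the probe
            # was blocked or the file is absent, which is still useful for source IP triage.
            findings.append((m["ip"], label, int(m["status"])))
    return findings


if __name__ == "__main__":
    for ip, label, status in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {status} {label}")
```

The traversal check is deliberately broader than the single CVE-2021-41773 URL shown above: after decoding, any `..` segment is flagged, so variants that encode the dots differently or target a path other than /etc/passwd are caught as well.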
How Does Picus Help Simulate Androxgh0st Malware Attacks?
We also strongly suggest simulating Androxgh0st malware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other malware variants, such as AveMaria, DarkGate, and PikaBot, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threats for Androxgh0st malware:
Threat ID | Threat Name | Attack Module
34321 | AndroxGh0st Hacking Tool Download Threat | Network Infiltration
63450 | AndroxGh0st Hacking Tool Email Threat | Email Infiltration (Phishing)
Androxgh0st threat actors also use other tools and vulnerabilities in their attack campaigns. The Picus Threat Library includes the following threats for other tools and vulnerabilities used by Androxgh0st threat actors:
Threat ID | Threat Name | Attack Module
96436 | PHPUnit Web Attack Campaign | Web Application
27843 | Apache Http Server Web Attack Campaign | Web Application
26651 | XMRig Cryptocurrency Miner Download Threat | Network Infiltration
35672 | XMRig Cryptocurrency Miner Email Threat | Email Infiltration (Phishing)
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures to address Androxgh0st malware and other malware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for Androxgh0st malware:
Security Control | Signature ID | Signature Name
Cisco FirePower | Auto.6B5846.262458.in02 | 
Forcepoint NGFW |  | File_Malware-Blocked
Forcepoint NGFW | File-Text_Php-Script-External-Command-Execution-Download | 
Fortigate AV | 10121814 | Python/AndroxGhost.HACK!tr
Fortigate AV | 7605865 | Adware/Miner
Palo Alto | 624459756 | Virus/Linux.WGeneric.eeebqf
Palo Alto | 624460302 | Virus/Linux.WGeneric.eeebss
Snort | 1.45548.2 | FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] "Known Indicators of Compromise Associated with Androxgh0st Malware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a. [Accessed: Jan. 17, 2024]