The US government has urged organizations to take action to protect against Androxgh0st malware, which is used by threat actors for victim identification and exploitation in target networks.
A joint advisory by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) dated January 16, 2024 warned that Androxgh0st supports numerous nefarious activities in breached networks.
The Python-scripted malware has been observed establishing a botnet for victim identification and exploitation. It primarily targets .env files containing confidential information, such as credentials, in high-profile applications like Amazon Web Services, MS Office 365 and SendGrid.
The advisory noted that Androxgh0st malware supports various functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs).
How Androxgh0st Attackers Compromise Targets
The FBI and CISA highlighted three specific vulnerabilities being exploited by threat actors in deploying Androxgh0st, which could lead to remote code execution:
- CVE-2017-9841: Attackers are remotely running hypertext preprocessor (PHP) code on vulnerable websites via PHPUnit. This subjects websites using the PHPUnit module that have internet-accessible folders to malicious HTTP POST requests. Once the threat actor remotely executes code, Androxgh0st is used to download malicious files to the system hosting the website.
- CVE-2018-15133: Remote code execution may occur in the Laravel web application framework as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This can allow threat actors to upload files to the website via remote access. The Androxgh0st malware is used to establish a botnet to identify websites using the Laravel framework.
- CVE-2021-41773: Attackers have been observed scanning vulnerable web servers running Apache HTTP Server versions 2.4.49 or 2.4.50 to obtain credentials to access sensitive data. If the affected files are not protected by the “request all denied” configuration and Common Gateway Interface (CGI) scripts are enabled, this vulnerability may allow for remote code execution.
These vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities Catalog.
The advisory said the following requests are indicators of compromise associated with Androxgh0st activity:
- Incoming GET and POST requests to the URIs /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php and /.env
- Incoming POST requests with the following strings: [0x[]=androxgh0st] and ImmutableMultiDict([('0x[]', 'androxgh0st')])
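The following is an added example, not code from the advisory or the article: a small Python scanner that applies the two request indicators listed above to web server access log lines in the common combined format, plus a check for the POST body strings where a proxy or WAF has captured request bodies. The log lines are constructed samples, and matching the listed URIs as path suffixes (so the same request under a subdirectory also matches) is an assumption.

```python
import re

# Indicators of compromise quoted from the FBI/CISA advisory
IOC_URIS = (
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/.env",
)
IOC_BODY_STRINGS = (
    "0x[]=androxgh0st",
    "ImmutableMultiDict([('0x[]', 'androxgh0st')])",
)

# Apache/nginx combined format: client ip, identd, user, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def match_access_line(line):
    """Return (ip, method, path) if the request targets an advisory URI, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable combined-format line
    path = m.group("path").split("?", 1)[0]  # drop the query string before comparing
    # Assumption: a hit is the exact URI or the URI as a suffix (e.g. /app/.env)
    if m.group("method") in ("GET", "POST") and any(path.endswith(u) for u in IOC_URIS):
        return m.group("ip"), m.group("method"), path
    return None


def body_has_indicator(body):
    """True if a captured POST body contains either advisory string."""
    return any(s in body for s in IOC_BODY_STRINGS)


def scan(lines):
    """Run the URI check over an iterable of log lines and return the hits in order."""
    return [hit for hit in map(match_access_line, lines) if hit]


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Jan/2024:10:12:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Jan/2024:10:12:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 44 "-" "python-requests/2.31"',
    '198.51.100.7 - - [16/Jan/2024:10:13:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, path in scan(SAMPLE_LOG):
        print(f"Androxgh0st indicator: {ip} {method} {path}")
```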
How to Defend Against Androxgh0st Attacks
Organizations are advised to implement the following mitigations to protect themselves against the threat posed by Androxgh0st.
- Keep all operating systems, software and firmware up to date. The advisory urged organizations to ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
- Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
- Ensure that any live Laravel applications are not in “debug” or testing mode. This includes removing all cloud credentials from .env files and revoking them.
- Review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
- Scan the server’s file system for unrecognized PHP files.
- Review outgoing GET requests to file hosting sites such as GitHub and pastebin.
- Validate your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework.
- Report any suspicious or criminal activity to your local FBI field office.
Commenting on the advisory, John A. Smith, CEO at Conversant Group, noted that the malware primarily targets cloud environments, such as AWS, showing that this environment remains a big target for cybercriminals.
"Because AndroxGh0st is exploiting exposed .env files and unpatched vulnerabilities, it is well-advised to always inspect and monitor cloud environments regularly for any exposures and have a very aggressive policy for out-of-band patching. The cloud is most definitely not “set and forget”; it must be assertively secured and re-secured like any other part of the security estate," he advised.