Thursday, December 5, 2024
HomeCyber Security NewsAndroxgh0st Exploits SMTP Services To Extract Critical Data

Androxgh0st Exploits SMTP Services To Extract Critical Data

Published on

SIEM as a Service

AndroxGh0st is a malware that specifically targets Laravel applications. The malware scans and extracts login credentials linked to AWS and Twilio from .env files.

AndroxGh0st was previously classified as an SMTP cracker since it exploits SMTP using various strategies such as credential exploitation, web shell deployment and vulnerability scanning.

However, the main goal of the malware is to compromise the hosts and extract critical data from Laravel applications. Malware has an adaptive nature and many other capabilities.

- Advertisement - SIEM as a Service

Androxgh0st Exploits SMTP

According to Juniper’s reports, the malware comes with menu options that highlight all its functionalities and features.

There are several options available on the malware such as awslimitcheck, sengridcheck, twilio_sender, exploit and many others.

These options have different usages and capabilities.

Menu options (Source: Juniper)

The “awslimitcheck” can be used to check AWS account limits and other information on email-sending quotas.

The sendgridcheck option is designed to check and report essential details about a SendGrid API key.

This API key can further be used to gather details such as total email credits, used credits, and the ‘Mail from’ address associated with the SendGrid account”.

The Twilio_sender function can be used to send SMS messages via the Twilio API and also checks the Twilio account status and balance and for sending a test SMS to a predefined number.

The exploit function is used to target PHP unit testing framework for executing an arbitrary PHP code by sending a crafted POST request to a specific URI.

Moreover, the malware also exploits three critical vulnerabilities associated with Laravel web applications.

The CVEs for these vulnerabilities were CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. 

Attack Flow (Source: Juniper)

The attack chain starts with entering the vulnerable system using the CVE-2021-41773 which is a weakness in Apache.

Following this, the malware exploits CVE-2017-9841 and CVE-2018-15133 for executing code and establishing persistent control on the targeted system. 

Challenges For An Attacker

Though this malware provides these different functions for different usage, there are still many challenges for a threat actor to perform these actions on the targeted systems.

The awslimitcheck function requires valid AWS credentials, Boto3 library and proper configuration of the AWS SES (Simple Email Service) for successful execution.

The sendgridcheck function requires a valid SendGrid API key. Additionally, the API key must also have necessary permission to retrieve required information.

The twilio_sender option requires a valid Twilio account, Auth token and a Twilio phone number with sufficient balance for extracting information and sending SMS.

The exploit option requires the presence of the PHPUnit vulnerability in the target system for successful exploitation.

Additionally, the threat actor must also have knowledge about the vulnerable URI and must craft a payload to bypass any security measures that are in place. 

Moreover, the validation of successful exploitation requires access to server logs and other monitoring mechanisms.

If the malware is successful in compromising the systems with CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773, there are possibilities for data breaches and network disruptions.

Logs from .env request (Source: Juniper)

Indicators Of Compromise

File Samples

  • f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88 – AndroxGhost python sample
  • 3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a – AndroxGhost python sample

Linux Miners

  • 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066 – Linux Miner dropped
  • 6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc – Linux Miner dropped
  • bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7 – Linux miner dropped

PHP Webshell

  • ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72 – PHP Webshell
  • 0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef – PHP Webshell

TOP IP – Attack Originated From

  • 103.121.39[.]54
  • 185.16.39[.]37
  • 155.138.245[.]246
  • 149.50.102[.]48
  • 45.143.200[.]14
  • 45.135.232[.]19
  • 45.129.14[.]224
  • 91.92.245[.]67
  • 64.225.6[.]114
  • 122.189.200[.]188
  • 66.135.11[.]147
  • 155.248.212[.]175
  • 118.31.17[.]168
  • 45.135.232[.]28
  • 77.90.185[.]106
  • 194.26.135[.]68
  • 218.107.208[.]71
  • 172.98.33[.]153
  • 5.255.115[.]40
  • 45.134.26[.]85
  • 180.101.88[.]225
  • 180.101.88[.]237
  • 80.66.76[.]80
  • 83.97.73[.]76
  • 91.240.118[.]221
  • 91.240.118[.]228
  • 109.123.229[.]56
  • 213.109.202[.]210
  • 213.109.202[.]145
  • 180.101.88[.]230
  • 180.101.88[.]220
  • 103.96.40[.]38
  • 128.199.237[.]61
  • 173.199.117[.]55
  • 62.20441[.]80
  • 77.83.36[.]40
  • 103.255.191[.]43
  • 213.109[.]202.167
  • 141[.]98.11.107
  • 162.0[.]234.118
  • 91.240.118[.]224
  • 185.248[.]2476
  • 185.161.248[.]148
  • 38.175.192[.]78
  • 176.113.115[.]220
  • 77.90.185[.]102
  • 80.66.66[.]225
  • 200.54.189[.]98
  • 185.234.216[.]125
  • 176.113.115[.]184 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

Cloudflare Developer Domains Abused For Cyber Attacks

Cloudflare Pages, a popular web deployment platform, is exploited by threat actors to host...

Hackers Exploit Docker Remote API Servers To Inject Gafgyt Malware

Attackers are exploiting publicly exposed Docker Remote API servers to deploy Gafgyt malware by...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

Cloudflare Developer Domains Abused For Cyber Attacks

Cloudflare Pages, a popular web deployment platform, is exploited by threat actors to host...