
FBI: Beware of thieves building Androxgh0st botnets using stolen creds

Crooks are exploiting years-old vulnerabilities to deploy Androxgh0st malware and build a cloud-credential stealing botnet, according to the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

In a joint warning issued on Tuesday, the US government agencies said the Python-scripted malware primarily targets .env files that contain user credentials for AWS, Microsoft Office 365, SendGrid, and Twilio. After scanning and exploiting these stolen credentials, Androxgh0st can also be used to deploy web shells, remotely execute code, steal sensitive data, and even spin up new AWS users and instances, we’re told.

“For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies,” the Feds warn. “Additionally, Androxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity.”

Miscreants deploying Androxgh0st like to use three old (and long-since patched) CVEs in these credential-stealing attacks: CVE-2017-9841, a command injection vulnerability in PHPUnit; CVE-2018-15133, an insecure deserialization bug in the Laravel web application framework that leads to remote code execution; and CVE-2021-41773, a path traversal vulnerability in Apache HTTP Server that also leads to remote code execution.

CVE-2017-9841 allows remote execution of PHP code through a malicious HTTP POST request and download of files to the system hosting the compromised website.

“Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website,” the authorities note. “This allows threat actors to download additional malicious files for their operations and access databases.”

The malware also scans for websites running the Laravel web application framework with .env files exposed, and then issues either a GET request to the /.env URI or a POST request to the same URI and attempts to steal credentials and tokens.

“A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email (via SMTP) and AWS accounts,” according to the FBI and CISA.

The third method exploits a vulnerability in web servers running Apache HTTP Server versions 2.4.49 or 2.4.50 to launch a path traversal attack: criminals scan for URLs that are not protected by the “request all denied” configuration and do not have Common Gateway Interface (CGI) scripts enabled. This allows for remote code execution attacks.
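The /.env probes and path traversal requests described above leave a trace in ordinary web server access logs. As an added example (not from the advisory or this article), here is a small Python scanner over constructed Apache-style log lines that flags both patterns, and separately notes where such a request was answered with a 200, since that is the case where secrets were likely served and need rotating. The log lines, IP addresses and paths are made up for the example.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [16/Jan/2024:10:01:03 +0000] "POST /.env HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jan/2024:10:02:15 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.5 - - [16/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields of the Apache "combined" LogFormat that we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def classify(path: str) -> Optional[str]:
    """Label a request path as an .env probe, a traversal attempt, or None if benign."""
    # Decode twice so %2e and %252e variants both normalise to a literal dot.
    decoded = unquote(unquote(path)).split("?", 1)[0]
    if decoded.rstrip("/").endswith("/.env"):
        return "env-file-probe"
    if "../" in decoded or "..\\" in decoded:
        return "path-traversal"
    return None


def scan_log(text: str) -> List[dict]:
    """Return one finding per suspicious request; 'served' marks a 200 response."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        label = classify(m["path"])
        if label:
            findings.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                             "status": int(m["status"]), "finding": label,
                             "served": m["status"] == "200"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " <- content served, rotate any secrets in that file" if f["served"] else ""
        print(f'{f["ip"]} {f["method"]} {f["path"]} {f["status"]} {f["finding"]}{flag}')
```

A 403 or 404 on these paths means the scanner knocked but nothing was handed over; a 200 on /.env is the one to treat as a credential exposure.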

The government security alert includes a list of Androxgh0st indicators of compromise – which is worth a read. Additionally, the FBI and CISA suggest several mitigations to reduce your risk.

A specific tactic to reduce risk of being infected by Androxgh0st is to ensure Apache servers are not running versions 2.4.49 or 2.4.50, which are vulnerable to CVE-2021-41773.

Also: Verify that the default configuration for all URIs is to deny all requests unless there’s a legitimate reason for it to be accessible.

And, on a one-time basis for previously stored cloud credentials, and regularly for other types of credentials that cannot be removed, review any platforms or services that list credentials in .env files and check them for unauthorized use.

And, as ever, keep all OSes, software and firmware up to date. Always good advice but it’s seldom done in the real world. ®