Androxgh0st malware hackers creating large botnet, CISA and FBI warn

The hackers behind the Androxgh0st malware are creating a powerful botnet, U.S. cybersecurity agencies warned on Tuesday.

On Tuesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on the malware, saying multiple ongoing investigations have allowed them to assess the tactics used by the threat actors deploying it.

The malware dates back to December 2022, when researchers at Lacework said they saw it used in campaigns to steal a wide variety of credentials.

The agencies said they have observed Androxgh0st malware establishing a botnet “for victim identification and exploitation in target networks.” The botnet searches for .env files, which are commonly sought by threat actors because they store credentials and tokens.

The credentials are from “high profile applications,” like Amazon Web Services, Microsoft Office 365, SendGrid and Twilio, the agencies said.

“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment,” they said.

The malware is used as part of an effort to scan and search for websites with specific vulnerabilities. Hackers behind the campaign “likely use Androxgh0st to download malicious files to the system hosting the website,” the agencies explained.

The malware also searches for websites using the Laravel framework — a tool used for the development of web applications. Once the botnet finds websites using Laravel, hackers try to determine if certain files are exposed and contain credentials.

The advisory notes that Laravel is affected by CVE-2018-15133 — a vulnerability used by the botnet to access usernames, passwords, and other credentials for services like email (via SMTP) and AWS accounts. SMTP is used by mail servers to send, receive, and relay outgoing email between senders and receivers.

CISA added the vulnerability to its catalog of Known Exploited Vulnerabilities on Tuesday. Federal civilian agencies have until February 6 to patch it.

“If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations,” the agencies said.

“For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies. Additionally, Andoxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity.”

Cybersecurity expert John Smith said AndroxGh0st is another example of the growing threats to cloud infrastructure.

The malware is used for cryptojacking, spamming, or malicious email campaigns and exploits unpatched vulnerabilities in web applications to move laterally and maintain persistence by creating accounts and elevating permissions.

Smith noted that because AndroxGh0st is exploiting exposed .env files and unpatched vulnerabilities, users are advised to inspect and monitor cloud environments regularly for any exposures and have a very aggressive policy for out-of-band patching.

“We also advise that an ounce of prevention is worth a pound of cure,” he said. “The cloud is most definitely not ‘set and forget’; it must be assertively secured and re-secured like any other part of the security estate.”

Several other experts called AndroxGh0st “noisy” because of the trail of evidence it leaves behind and because it is scanning for easily compromised systems.

Qualys’ Ken Dunham noted that Fortinet reports around 40,000 compromised hosts as part of the botnet. Dunham added that the botnet is “growing as it attacks targets around the world that are misconfigured and vulnerable to attack.”