AlienFox Toolkit Targets Cloud Web Hosting Frameworks to Steal Credentials

Cybercriminals are using a new toolkit called AlienFox to steal login credentials and sensitive data from cloud-based email services by scanning for misconfigured servers. The toolkit is available for purchase through a private Telegram channel.

Reports indicate that the malware targets at least 18 cloud services, including well-known web hosting frameworks like Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress.

The malware can steal API keys, OAuth tokens, and other authentication tokens once it identifies a vulnerable server.

The AlienFox toolkit has been classified as a cloud spammer’s Swiss army knife, and it is believed to have been developed by a group of cybercriminals operating in Eastern Europe.

The Three Versions of AlienFox

Researchers have uncovered three versions of AlienFox so far: v2, v3, and v4. With each version, the toolkit enhances its capabilities. Based on SentinelOne’s analysis, the versions are detailed below:

AlienFox v2, the toolkit’s first known version, extracts credentials from web server configuration or environment files. The s3lr.py script contains the core utility.

Other scripts included are awses.py and ssh-smtp.py. The awses.py script automates activities such as sending/receiving messages and elevating a privilege persistence profile on AWS SES (Simple Email Services) by utilizing the AWS SDK Boto3 Python client. The second script validates SSH configurations on the webserver to find vulnerabilities, and it potentially tries to exploit CVE-2022-31279, a rejected vulnerability in the Laravel PHP framework.

AlienFox v3 has four variations under it, created between February and April 2022. This version includes a Lar.py script, which extracts keys and secrets from compromised Laravel .env files. The script then logs that information to a text file, along with additional information about the server and tags to indicate whether the data was obtained using a configuration parser or a regular expression.

AlienFox v4, the latest version, differs from the previous ones in that each tool is assigned a numerical identifier. The ALIENFOXV4.py script in the root directory acts as a bootstrap for the tool scripts.

Tools 5, 6, 7, and 8 collect target lists. The other tools check if the targets are misconfigured or have a security vulnerability, and they improve the overall functionality of the AlienFox toolkit. There is again a script to focus on AWS and SES. Another tool in version 4 uses the cms.py script to check sites for the presence of web hosting frameworks. There are also cryptocurrency wallet crackers for Bitcoin and Ethereum, as well as an Amazon account checker tool.

Secure Your Cloud Storage with SOCRadar’s Cloud Security Module

Organizations should monitor interactions with their cloud services and adhere to the least privilege principle. Following best practices for cloud configuration management and monitoring the condition of cloud environments are also essential.

SOCRadar’s Cloud Security Module (CSM) has been developed to enhance the security of customers’ cloud storages.

The module can detect the status of cloud buckets, whether they are “public,” “private,” or “protected,” and users are alerted with a “Cloud Bucket Detected” message when new storage is discovered.