SOC Incident Toolkit
Unleash AndroxGh0st: Master the Art of Python Malware for Dominance Over AWS and Microsoft 365 Accounts


Tags: AndroxGh0st, AWS, security, Python, Malware, CyberDominance, DataProtection

The AndroxGh0st malware is written in Python and usually targets Simple Mail Transfer Protocol (SMTP) to enable spamming. AndroxGh0st specifically targets cloud environments — in particular, AWS secrets — and exploits vulnerabilities in web applications running in the cloud to maintain a foothold.

Indicators of Compromise

Domains (5)

mc.rockylinux.si
download.asyncfox.xyz
main.dsn.ovh
chainventures.co.uk
eval-stdin.php.dev

Hashes (16)


IPv4 (2)

45.95.147.236
200.172.238.135

CVEs (3)

CVE-2021-41773
CVE-2018-15133
CVE-2017-9841

Notes

Conclusion:

The emergence of AndroxGh0st is a stark reminder of the ever-evolving landscape of cyber threats. SOCRadar remains committed to providing advanced solutions and actionable intelligence to safeguard against such sophisticated cyber attacks. Through continuous monitoring, in-depth analysis, and proactive measures, we empower organizations to secure their digital environments against complex and emerging threats.

Mitigation

MITRE ATT&CK TACTICS AND TECHNIQUES

Active Scanning: Vulnerability Scanning (T1595.002)
    Use: The threat actor scans websites for specific vulnerabilities to exploit.

Acquire Infrastructure: Botnet (T1583.005)
    Use: The threat actor establishes a botnet to identify and exploit victims.

Acquire Infrastructure: Web Services (T1583.006)
    Use: The threat actor creates new AWS instances to use for scanning.

Exploit Public-Facing Application (T1190)
    Use: The threat actor exploits CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on websites via PHPUnit.

Command and Scripting Interpreter: Python (T1059.006)
    Use: The threat actor uses AndroxGh0st, a Python-scripted malware, to target victim files.

Valid Accounts (T1078)
    Use: The threat actor abuses the simple mail transfer protocol (SMTP) by exploiting exposed credentials.

Server Software Component: Web Shell (T1505.003)
    Use: The threat actor deploys web shells to maintain persistent access to systems.

Create Account (T1136)
    Use: The threat actor attempts to create new users and user policies with compromised AWS credentials from a vulnerable website.

Obfuscated Files or Information: Command Obfuscation (T1027.010)
    Use: The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie.

Credential Access (TA0006)
    Use: The threat actor can access the application key of the Laravel application on the site.

File and Directory Discovery (T1083)
    Use: The threat actor can identify URLs for files outside the root directory through a path traversal attack.

Network Service Discovery (T1046)
    Use: The threat actor uses AndroxGh0st to abuse simple mail transfer protocol (SMTP) via scanning.

Email Collection (T1114)
    Use: The threat actor interacts with application programming interfaces (APIs) to gather information.

Ingress Tool Transfer (T1105)
    Use: The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website.