
Unleash AndroxGh0st: Master the Art of Python Malware for Dominance Over AWS and Microsoft 365 Accounts
The AndroxGh0st malware is written in Python and usually targets Simple Mail Transfer Protocol (SMTP) to enable spamming. AndroxGh0st specifically targets cloud environments — in particular, AWS secrets — and exploits vulnerabilities in web applications running in the cloud to maintain a foothold.
Indicators of Compromise
Domains (5)
Domains (5)
mc.rockylinux.si
download.asyncfox.xyz
main.dsn.ovh
chainventures.co.uk
eval-stdin.php.dev

Hashes (16)
[hash values not present in this copy of the page]

IP Addresses (2)
45.95.147.236
200.172.238.135

CVEs (3)
CVE-2021-41773
CVE-2018-15133
CVE-2017-9841

Notes
Conclusion:
The emergence of AndroxGh0st is a stark reminder of the ever-evolving landscape of cyber threats. SOCRadar remains committed to providing advanced solutions and actionable intelligence to safeguard against such sophisticated cyber attacks. Through continuous monitoring, in-depth analysis, and proactive measures, we empower organizations to secure their digital environments against complex and emerging threats.
Mitigation
MITRE ATT&CK TACTICS AND TECHNIQUES

Technique: Active Scanning: Vulnerability Scanning (T1595.002)
Use: The threat actor scans websites for specific vulnerabilities to exploit.

Technique: Acquire Infrastructure: Botnet (T1583.005)
Use: The threat actor establishes a botnet to identify and exploit victims.

Technique: Acquire Infrastructure: Web Services (T1583.006)
Use: The threat actor creates new AWS instances to use for scanning.

Technique: Exploit Public-Facing Application (T1190)
Use: The threat actor exploits CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on websites via PHPUnit.

Technique: Command and Scripting Interpreter: Python (T1059.006)
Use: The threat actor uses AndroxGh0st, a Python-scripted malware, to target victim files.

Technique: Valid Accounts (T1078)
Use: The threat actor abuses the simple mail transfer protocol (SMTP) by exploiting exposed credentials.

Technique: Server Software Component: Web Shell (T1505.003)
Use: The threat actor deploys web shells to maintain persistent access to systems.

Technique: Create Account (T1136)
Use: The threat actor attempts to create new users and user policies with compromised AWS credentials from a vulnerable website.

Technique: Obfuscated Files or Information: Command Obfuscation (T1027.010)
Use: The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie.

Tactic: Credential Access (TA0006)
Use: The threat actor can access the application key of the Laravel application on the site.

Technique: File and Directory Discovery (T1083)
Use: The threat actor can identify URLs for files outside the root directory through a path traversal attack.

Technique: Network Service Discovery (T1046)
Use: The threat actor uses AndroxGh0st to abuse simple mail transfer protocol (SMTP) via scanning.

Technique: Email Collection (T1114)
Use: The threat actor interacts with application programming interfaces (APIs) to gather information.

Technique: Ingress Tool Transfer (T1105)
Use: The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website.
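The indicators and the Exploit Public-Facing Application / File and Directory Discovery entries above translate directly into a web-server log check. The following Python script is an added example, not code from SOCRadar or from the report; it embeds the listed IPs and domains as indicators, and the request-path patterns for CVE-2017-9841 (the PHPUnit eval-stdin.php path) and CVE-2021-41773 (URL-encoded dot traversal under /cgi-bin/) are assumptions taken from the public CVE descriptions rather than from this page. The log lines are constructed samples in Apache combined format.

```python
"""Flag web-server access-log lines that match AndroxGh0st-related indicators.

Added example for defenders: it checks each line for (1) a source IP in the
report's IoC list, (2) a request path matching the exploitation pattern of a
listed CVE, and (3) any listed domain appearing in the URI, Referer or
User-Agent. Nothing here is the report's own tooling.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators copied from the report's IoC section.
IOC_IPS = {"45.95.147.236", "200.172.238.135"}
IOC_DOMAINS = {
    "mc.rockylinux.si",
    "download.asyncfox.xyz",
    "main.dsn.ovh",
    "chainventures.co.uk",
    "eval-stdin.php.dev",
}

# Request-path patterns for two of the listed CVEs. These are ASSUMED from the
# public CVE descriptions (PHPUnit eval-stdin.php for CVE-2017-9841, encoded
# dot-segment traversal under /cgi-bin/ for CVE-2021-41773), not from the report.
URI_PATTERNS = [
    ("CVE-2017-9841", re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)),
    ("CVE-2021-41773", re.compile(r"/cgi-bin/(\.%2e|%2e\.|%2e%2e)/", re.I)),
]

# Apache "combined" log format: ip ident user [ts] "METHOD uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class Hit:
    ip: str
    uri: str
    reason: str


def check_line(line: str) -> Optional[Hit]:
    """Return a Hit describing the first matching indicator, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-combined-format line: skip, don't crash
    ip, uri, referer, ua = m["ip"], m["uri"], m["referer"], m["ua"]

    if ip in IOC_IPS:
        return Hit(ip, uri, f"source IP {ip} is a listed indicator")

    for cve, pattern in URI_PATTERNS:
        if pattern.search(uri):
            return Hit(ip, uri, f"request path matches {cve} exploitation pattern")

    for field in (uri, referer, ua):
        lowered = field.lower()
        for domain in IOC_DOMAINS:
            if domain in lowered:
                return Hit(ip, uri, f"reference to listed domain {domain}")
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run check_line over every line and keep the hits, in log order."""
    return [hit for hit in (check_line(line) for line in lines) if hit]


# Constructed sample log lines (RFC 5737 test addresses for the non-IoC hosts).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2024:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '45.95.147.236 - - [10/Jan/2024:12:00:01 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jan/2024:12:00:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Jan/2024:12:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Jan/2024:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "http://download.asyncfox.xyz/x" "Mozilla/5.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ip:16} {hit.uri:60} {hit.reason}")
```

Feed a real access log with `scan(open("/var/log/apache2/access.log"))` and forward the hits to your SIEM; the IP match is the noisiest signal (shared hosting, NAT), so treat the CVE path patterns and domain references as the higher-confidence detections.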