Penka Hristovska
Updated on: January 17, 2024

The hackers behind the Androxgh0st malware are creating a botnet capable of stealing cloud credentials from major platforms, US cyber agencies said on Tuesday.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory on the findings from the ongoing investigations about the strategies employed by the hackers using the malware.

This malware was first identified in December 2022 by Lacework Labs.

According to the agencies, the hackers are using the Androxgh0st to create a botnet “for victim identification and exploitation in target networks.” The botnet looks for .env files, which cybercriminals often target as they contain credentials and tokens. The agencies said these credentials are from “high profile applications,” like Microsoft Office 365, SendGrid, Amazon Web Services, and Twilio.

“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment,” the FBI and CISA explained.

The malware is used in campaigns aimed at identifying and targeting websites with particular vulnerabilities. The botnet uses the Laravel framework, a tool for developing web applications, to search for websites. Once it finds the websites, the hackers try to determine if certain files are accessible and whether they contain credentials.

CISA and FBI’s advisory points to a critical and long-since patched vulnerability in Laravel, identified as CVE-2018-15133, which the botnet exploits to access credentials, like usernames and passwords for services like email (using SMTP) and AWS accounts.

“If threat actors obtain credentials for any services … they may use these credentials to access sensitive data or use these services to conduct additional malicious operations,” the advisory reads.

“For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies. Additionally, Andoxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity,” the agencies explain.