AlienFox upgrades cryptomining tactics for more efficient attacks

April 24, 2023
AlienFox Cryptomining Cyberattacks Malicious Toolset Info Stealer

A threat group uses an advanced malicious toolset called AlienFox to harvest sensitive information such as API keys, credentials, and authentication details from cloud environment providers and well-known services.

Several threat groups have used security scanning services, such as SecurityTrails and LeakIX, to discover poorly configured servers, including those running popular web frameworks. The web frameworks the actors primarily target are Laravel, Magento, Joomla, OpenCart, WordPress, Drupal, and PrestaShop.

AlienFox also contains several scripts that aggressively target cloud-based and SaaS email hosting services. Additionally, the toolset can target popular cloud services such as Zoho, Google Workspace, Twilio, AWS, Zimbra, Nexmo, and Office 365.

AlienFox has appeared in three variants since it started circulating in the cybercriminal landscape last year.

According to the investigation, the AlienFox toolset comes in three variants, each containing malicious scripts that automate post-compromise operations using the stolen information.

The scripts allow their operators to establish persistence and escalate privileges in AWS accounts. They can also automate spam campaigns through the infected services and charges.

The toolset initially appeared on Telegram, but threat actors can now acquire it on GitHub. Researchers reported that malware families such as GreenBot and Androxgh0st already use AlienFox scripts in their campaigns.

The first variant of AlienFox focused on exfiltrating web server configuration and environment archives. Reports revealed that this variant examines the files on the targeted server, sorts them for credentials, and uses Python scripts to escalate privileges and establish persistence.
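A defender-side example, added here and not part of the article or of the AlienFox toolset, of how the configuration and environment file harvesting described above shows up in a web server's access log: it parses constructed Common Log Format lines, flags requests for framework secret files and archives, and groups them by source address, noting which requests the server actually answered with a 200 (the file was served). The log lines and the watchlist of paths are assumptions constructed for this example.

```python
import re
from collections import defaultdict
# Constructed sample access-log lines in Common Log Format (made up for this example).
SAMPLE_LOG = """\
203.0.113.10 - - [24/Apr/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512
203.0.113.10 - - [24/Apr/2023:10:01:03 +0000] "GET /wp-config.php HTTP/1.1" 404 153
198.51.100.7 - - [24/Apr/2023:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.10 - - [24/Apr/2023:10:01:05 +0000] "GET /app/etc/env.php HTTP/1.1" 403 99
203.0.113.10 - - [24/Apr/2023:10:01:06 +0000] "GET /site-backup.zip?dl=1 HTTP/1.1" 200 99001
"""
# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Watchlist of framework secret files (Laravel .env, WordPress, Joomla, Magento) and archive
# extensions; an assumed illustration of what a config harvester requests, not taken from the article.
SENSITIVE_PATH_RE = re.compile(
    r'(?:^|/)(?:\.env(?:\.[\w-]+)?|\.git/config|wp-config\.php|configuration\.php'
    r'|app/etc/env\.php|[^/]+\.(?:zip|tar\.gz|sql|bak))$',
    re.IGNORECASE,
)

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string so /.env?x=1 still matches
    return rec

def find_config_probes(log_text):
    """Return the parsed requests whose path hits the sensitive-file watchlist."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SENSITIVE_PATH_RE.search(rec["path"]):
            probes.append(rec)
    return probes

def summarize_by_source(probes):
    """Group probes by client IP: how many probes, and which files the server actually served (200)."""
    summary = defaultdict(lambda: {"probes": 0, "served": []})
    for rec in probes:
        entry = summary[rec["ip"]]
        entry["probes"] += 1
        if rec["status"] == 200:
            entry["served"].append(rec["path"])
    return dict(summary)
```

A source address with several watchlist probes in a short window is the scanner signature; any entry in `served` is a file that was actually exposed and whose contained credentials should be treated as compromised.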

The second variant adds exploitation of a deserialisation flaw in the Laravel PHP framework, and it automates the extraction of keys and secrets from the infected Laravel infrastructure.

The latest variant is AlienFoxV4, which features initialisation variables, automated crypto wallet seeds for Bitcoin and Ethereum, Python classes with modular functions, and process threading.

Cybersecurity experts explained that the threat operators use the AlienFox toolset to target various cloud services, primarily those that are poorly configured or exposed. The concerning aspect of this toolset is that it is still in active development, with its operators improving the code and adding new capabilities. Hence, AlienFox could pose a massive threat to the cloud service landscape.
