Androxgh0st malware, a rising threat to high-profile apps

January 30, 2024

A couple of US-based federal law enforcement agencies have issued a joint advisory regarding the growing cyber threat of the Androxgh0st malware against organisations worldwide.

Based on reports, the malware operators designed this campaign to steal credentials from well-known services such as AWS, Microsoft 365, Twilio, and SendGrid. The advisory states that Androxgh0st attacks focus primarily on Apache servers and on websites built with the widely adopted Laravel web application framework as the initial access vector.

Authorities explained that the attackers scan for susceptible websites and servers and exploit an old Laravel deserialisation vulnerability (CVE-2018-15133), which gives them a gateway for deploying the malicious payload.


The Androxgh0st malware focuses on finding specific file types.


Once the malware operators successfully launch the Androxgh0st malware into a system, it primarily looks for .env files. This strategy allows the attackers to extract sensitive data such as usernames and passwords for email accounts and enterprise applications.

The attackers then use the stolen credentials to set up deceptive pages on the compromised websites, giving them an elusive backdoor through which to deploy additional malicious tools or reach databases holding sensitive information.

The advisory further notes that there were events where attackers exploited flaws like the PHPUnit testing framework’s remote code execution flaw (CVE-2017-9841) and the Apache HTTP Server’s path traversal vulnerability (CVE-2021-41773) to make their attack scope broader.
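As an added illustration, not part of the advisory or of this article, the following detector runs over constructed Apache access-log lines and flags the request patterns the activity described above would leave on a web server: probes for .env files, requests to the PHPUnit eval-stdin.php endpoint behind CVE-2017-9841, and encoded dot-segment path traversal of the kind CVE-2021-41773 involved. The log lines, IP addresses and signature names are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Apache access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Jan/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Jan/2024:10:01:04 +0000] "GET /cgi-bin/.%2e/.%2e/.env HTTP/1.1" 400 0 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jan/2024:10:02:01 +0000] "GET /css/app.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection signatures (names are constructed); each is matched against the request path only.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    # Any request for a .env file (or .env.backup etc.), the file type the malware hunts for.
    ("env-file-probe", re.compile(r"(^|/)\.env(\.\w+)?($|\?)", re.I)),
    # The PHPUnit endpoint associated with CVE-2017-9841.
    ("phpunit-eval-stdin", re.compile(r"eval-stdin\.php", re.I)),
    # Percent-encoded dot segments (".%2e", "%2e.", "%2e%2e") used in encoded traversal attempts.
    ("encoded-dot-traversal", re.compile(r"(?:\.|%2e)%2e|%2e(?:\.|%2e)", re.I)),
]


def classify_request(path: str) -> List[str]:
    """Return the names of all signatures that match a request path."""
    return [name for name, rx in SIGNATURES if rx.search(path)]


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse each log line and return (ip, path, signature) for every match."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for tag in classify_request(m["path"]):
            hits.append((m["ip"], m["path"], tag))
    return hits


def suspicious_sources(text: str) -> Dict[str, List[str]]:
    """Group hits by client IP, giving the sorted set of distinct signatures each one triggered."""
    by_ip: Dict[str, set] = {}
    for ip, _path, tag in scan_log(text):
        by_ip.setdefault(ip, set()).add(tag)
    return {ip: sorted(tags) for ip, tags in by_ip.items()}
```

An IP that trips several of these signatures in quick succession, as the first client in the sample does, is a stronger alert than any single 404 on /.env, which also shows up from generic scanners.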

The advisory also stated that the current campaign uses stolen AWS credentials to create new users and user policies on vulnerable websites, highlighting the multifaceted nature of the Androxgh0st malware operation.

Moreover, the perpetrators also leverage stolen Twilio and SendGrid credentials to execute spam campaigns that impersonate breached companies, potentially causing reputational damage.

In response, the agencies have released IOCs associated with the Androxgh0st malware operation, accompanied by recommended mitigation strategies to address this escalating threat. The situation’s urgency is apparent since CISA has already added the Laravel deserialisation vulnerability (CVE-2018-15133) to its Known Exploited Vulnerabilities (KEV) catalogue. The inclusion mandates federal agencies to secure their systems by February 6.

The increasing activity of the Androxgh0st malware is a reminder of the importance of proactive cybersecurity measures and constant vigilance to protect sensitive information from sophisticated malware and threat actors.
