FBI, CISA Warn Against Credential-Stealing Androxgh0st Botnet

Penka Hristovska, Senior Editor

The hackers behind the Androxgh0st malware are creating a botnet capable of stealing cloud credentials from major platforms, US cyber agencies said on Tuesday.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory on the findings from the ongoing investigations about the strategies employed by the hackers using the malware.

This malware was first identified in December 2022 by Lacework Labs.

According to the agencies, the hackers are using Androxgh0st to create a botnet “for victim identification and exploitation in target networks.” The botnet looks for .env files, which cybercriminals often target because they contain credentials and tokens. The agencies said these credentials are for “high profile applications,” such as Microsoft Office 365, SendGrid, Amazon Web Services, and Twilio.

“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment,” the FBI and CISA explained.

The malware is used in campaigns aimed at identifying and targeting websites with particular vulnerabilities. The botnet uses the Laravel framework, a tool for developing web applications, to search for websites. Once it finds the websites, the hackers try to determine if certain files are accessible and whether they contain credentials.
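As an added defender-side illustration (not code from the article or the advisory), the check that follows from the behaviour described above: a small Python scanner over web server access logs that flags requests for .env files and separates probes the server refused from ones it actually answered with 2xx, the case where the credentials in that file must be treated as exposed. The Combined Log Format regex, the path pattern and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format (Apache/nginx default); assumed format for the sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Requests for .env files (optionally with a suffix such as .env.bak), matched
# on the decoded, query-stripped path so URL-encoded variants are caught too.
ENV_PATTERN = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')

def parse_line(line):
    """Parse one access-log line; return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m.group('target').split('?', 1)[0])
    return {'ip': m.group('ip'), 'method': m.group('method'),
            'path': path, 'status': int(m.group('status'))}

def scan_env_probes(lines):
    """Return {ip: {'probes': n, 'served': n, 'paths': [...]}} for requests that
    target .env files. 'served' counts 2xx responses: the server handed the file
    out, so every secret in it should be rotated, not just the request blocked."""
    findings = defaultdict(lambda: {'probes': 0, 'served': 0, 'paths': []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ENV_PATTERN.search(rec['path']):
            continue
        f = findings[rec['ip']]
        f['probes'] += 1
        if 200 <= rec['status'] < 300:
            f['served'] += 1
        f['paths'].append(rec['path'])
    return dict(findings)

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:10:01:03 +0000] "GET /vendor/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:10:01:04 +0000] "POST /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [16/Jan/2024:10:02:10 +0000] "GET /%2Eenv?x=1 HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.7 - - [16/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == '__main__':
    for ip, f in scan_env_probes(SAMPLE_LOG).items():
        print(ip, f)
```

Any source with `served > 0` is a confirmed disclosure rather than a blocked probe; the right response is to rotate every credential in that .env file, then fix the web server configuration so dotfiles are never served.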

CISA and the FBI’s advisory points to a critical, long-since patched vulnerability in Laravel, identified as CVE-2018-15133, which the botnet exploits to access credentials, such as usernames and passwords for services like email (via SMTP) and AWS accounts.

“If threat actors obtain credentials for any services … they may use these credentials to access sensitive data or use these services to conduct additional malicious operations,” the advisory reads.

“For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies. Additionally, Androxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity,” the agencies explain.

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.