Androxgh0st Exploits SMTP Services To Extract Critical Data

AndroxGh0st is a malware that specifically targets Laravel applications. The malware scans and extracts login credentials linked to AWS and Twilio from .env files.

AndroxGh0st was previously classified as an SMTP cracker since it exploits SMTP using various strategies such as credential exploitation, web shell deployment and vulnerability scanning.

However, the main goal of the malware is to compromise the hosts and extract critical data from Laravel applications. Malware has an adaptive nature and many other capabilities.

Androxgh0st Exploits SMTP

According to Juniper’s reports, the malware comes with menu options that highlight all its functionalities and features.

There are several options available on the malware such as awslimitcheck, sengridcheck, twilio_sender, exploit and many others.

These options have different usages and capabilities.

Menu options (Source: Juniper)

The “awslimitcheck” can be used to check AWS account limits and other information on email-sending quotas.

The sendgridcheck option is designed to check and report essential details about a SendGrid API key.

This API key can further be used to gather details such as total email credits, used credits, and the ‘Mail from’ address associated with the SendGrid account”.

The Twilio_sender function can be used to send SMS messages via the Twilio API and also checks the Twilio account status and balance and for sending a test SMS to a predefined number.

The exploit function is used to target PHP unit testing framework for executing an arbitrary PHP code by sending a crafted POST request to a specific URI.

Moreover, the malware also exploits three critical vulnerabilities associated with Laravel web applications.

The CVEs for these vulnerabilities were CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. 

Attack Flow (Source: Juniper)

The attack chain starts with entering the vulnerable system using the CVE-2021-41773 which is a weakness in Apache.

Following this, the malware exploits CVE-2017-9841 and CVE-2018-15133 for executing code and establishing persistent control on the targeted system. 

Challenges For An Attacker

Though this malware provides these different functions for different usage, there are still many challenges for a threat actor to perform these actions on the targeted systems.

The awslimitcheck function requires valid AWS credentials, Boto3 library and proper configuration of the AWS SES (Simple Email Service) for successful execution.

The sendgridcheck function requires a valid SendGrid API key. Additionally, the API key must also have necessary permission to retrieve required information.

The twilio_sender option requires a valid Twilio account, Auth token and a Twilio phone number with sufficient balance for extracting information and sending SMS.

The exploit option requires the presence of the PHPUnit vulnerability in the target system for successful exploitation.

Additionally, the threat actor must also have knowledge about the vulnerable URI and must craft a payload to bypass any security measures that are in place. 

Moreover, the validation of successful exploitation requires access to server logs and other monitoring mechanisms.

If the malware is successful in compromising the systems with CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773, there are possibilities for data breaches and network disruptions.

Logs from .env request (Source: Juniper)

Indicators Of Compromise

File Samples

  • f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88 – AndroxGhost python sample
  • 3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a – AndroxGhost python sample

Linux Miners

  • 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066 – Linux Miner dropped
  • 6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc – Linux Miner dropped
  • bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7 – Linux miner dropped

PHP Webshell

  • ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72 – PHP Webshell
  • 0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef – PHP Webshell

TOP IP – Attack Originated From

  • 103.121.39[.]54
  • 185.16.39[.]37
  • 155.138.245[.]246
  • 149.50.102[.]48
  • 45.143.200[.]14
  • 45.135.232[.]19
  • 45.129.14[.]224
  • 91.92.245[.]67
  • 64.225.6[.]114
  • 122.189.200[.]188
  • 66.135.11[.]147
  • 155.248.212[.]175
  • 118.31.17[.]168
  • 45.135.232[.]28
  • 77.90.185[.]106
  • 194.26.135[.]68
  • 218.107.208[.]71
  • 172.98.33[.]153
  • 5.255.115[.]40
  • 45.134.26[.]85
  • 180.101.88[.]225
  • 180.101.88[.]237
  • 80.66.76[.]80
  • 83.97.73[.]76
  • 91.240.118[.]221
  • 91.240.118[.]228
  • 109.123.229[.]56
  • 213.109.202[.]210
  • 213.109.202[.]145
  • 180.101.88[.]230
  • 180.101.88[.]220
  • 103.96.40[.]38
  • 128.199.237[.]61
  • 173.199.117[.]55
  • 62.20441[.]80
  • 77.83.36[.]40
  • 103.255.191[.]43
  • 213.109[.]202.167
  • 141[.]98.11.107
  • 162.0[.]234.118
  • 91.240.118[.]224
  • 185.248[.]2476
  • 185.161.248[.]148
  • 38.175.192[.]78
  • 176.113.115[.]220
  • 77.90.185[.]102
  • 80.66.66[.]225
  • 200.54.189[.]98
  • 185.234.216[.]125
  • 176.113.115[.]184 

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *