CISA and the FBI have issued a cybersecurity advisory regarding the escalating threat of AndroxGh0st malware. This Python-based tool has been actively creating a botnet for victim identification and exploitation in target networks, causing significant concerns within the cybersecurity community.
“Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment,” the advisory reads.
AndroxGh0st, initially documented by Lacework in December 2022, has inspired the development of similar tools such as AlienFox, GreenBot (aka Maintance), Legion, and Predator.
CISA warns that unusual web requests to specific server locations are tell-tale signs of AndroxGh0st’s presence. Once it identifies a vulnerable system, the malware extracts credentials from .env files, obtaining access keys for high-profile applications such as AWS, Microsoft Office 365, SendGrid, and Twilio.
AndroxGh0st can self-replicate using compromised AWS credentials to create new users and instances, extending its reach and scanning for more vulnerable targets across the internet. CISA and the FBI advocate for preventive measures, urging service providers to update their Apache versions, review cloud credentials stored in .env files regularly, and set up servers to auto-reject unauthorized resource requests.
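The advisory points to unusual requests for specific server paths as the detection signal and to .env files as the credential source. The following is an added example, not code from the advisory or from CISA/FBI, showing how a defender could scan Apache/nginx combined-format access logs for requests that target a .env file and report, per source IP, how many such probes occurred and how many were actually served with a 200 (the case that warrants credential rotation). The log lines, IP addresses, and the dotfile pattern beyond `.env` itself are constructed assumptions.

```python
"""Flag access-log requests that probe for .env files (added example)."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A request whose last path component is .env (or .env.<suffix>, an assumed
# variant such as .env.bak) has no legitimate web-client purpose.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')

# Constructed sample log: one legitimate request, three .env probes from two IPs.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2024:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Jan/2024:12:00:02 +0000] "GET /app/.env HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jan/2024:12:05:40 +0000] "GET /.env.bak?x=1 HTTP/1.1" 403 199 "-" "curl/8.4"',
    'not a log line at all',
]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_env_probe(path):
    """True if the request path (query string ignored) targets a .env file."""
    return ENV_PATH_RE.search(path.split("?", 1)[0]) is not None


def scan(lines):
    """Summarise .env probes per source IP.

    Returns {ip: {"probes": n, "served": n, "paths": set()}}, where "served" counts
    responses with status 200, i.e. requests the server answered with content.
    """
    report = defaultdict(lambda: {"probes": 0, "served": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        entry["paths"].add(rec["path"])
        if rec["status"] == 200:
            entry["served"] += 1
    return dict(report)


def triage(report):
    """Map the scan report to a severity per IP: 'critical' if any probe was served."""
    return {ip: ("critical" if e["served"] else "probe") for ip, e in report.items()}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ip, sev in triage(result).items():
        print(f"{ip}: {sev} ({result[ip]['probes']} probes, {result[ip]['served']} served)")
```

A "critical" entry means the server returned content for a .env path, so the credentials in that file should be treated as exposed and rotated, in line with the advisory's recommendation to review cloud credentials stored in .env files; a "probe" entry is scanning activity worth blocking at the web server, which matches the recommendation to auto-reject such resource requests.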
Experts attribute the rapid spread of this malware to poor patch management in organizations and the prevalence of servers running outdated software. At its peak in early January, nearly 50,000 devices were infected, but recent data from FortiGuard shows a decline to around 9,300.
Analysts predict that the cloud threat landscape will continue to evolve, borrowing code from other tools and integrating it into a holistic ecosystem.
“As far as defending against these types of threats, it is a matter of… making sure you have basic security hygiene like multi-factor authentication, that you’re limiting the scope of access for credentials, that’s going to prevent actors from being able to use this tool,” said SentinelOne’s Delamotte. “One example is that if an AWS Simple Email Service credential has administrator access for the full account, what the actor will do is create a new user account and assign the administrative profile to it, so making sure you’re limiting the scope is crucial.”
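The scoping problem Delamotte describes, a mail-sending credential that also carries full administrative rights, can be checked mechanically. The following is an added example, not code from SentinelOne or from the advisory, that audits an IAM policy document attached to an SES-sending credential and reports any statement that grants actions outside the `ses:` namespace, any action pattern that would permit creating or empowering a new user, and any wildcard resource. Both policy documents are constructed; the account ID and identity ARN in the scoped policy are placeholders.

```python
"""Audit an IAM policy meant for an SES-sending credential (added example)."""
import fnmatch

# IAM actions that let a credential holder mint a new principal or widen its rights,
# which is the abuse path described in the quote above.
ESCALATION_ACTIONS = [
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:AddUserToGroup",
]

# Constructed policies. BROAD_POLICY is the shape the quote warns about: a credential
# that only needs to send mail but holds full-account administrator access.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# SCOPED_POLICY grants only the two send actions, and only on one verified identity.
# The account ID and domain are placeholders.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
    }],
}


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _grants(pattern, action):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_mail_credential_policy(policy, allowed_prefix="ses:"):
    """Return a list of findings; an empty list means the policy stays within scope."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for act in _as_list(stmt.get("Action", [])):
            if not act.lower().startswith(allowed_prefix):
                findings.append(f"statement {idx}: action {act!r} is outside {allowed_prefix}*")
            for esc in ESCALATION_ACTIONS:
                if _grants(act, esc):
                    findings.append(f"statement {idx}: action {act!r} grants {esc}")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {idx}: Resource '*' is not limited to a sending identity")
    return findings


if __name__ == "__main__":
    for name, policy in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        result = audit_mail_credential_policy(policy)
        print(f"{name}: {'OK' if not result else len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

The check is deliberately narrow: it only asks whether a credential whose job is sending mail can do anything else. A policy that passes it still leaves the credential able to send mail if stolen, so it complements, rather than replaces, the MFA and .env hygiene the advisory recommends.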