FBI and CISA issue advisory on Androxgh0st malware and botnet threat to networks

The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday published a joint cybersecurity advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with hackers deploying Androxgh0st malware. Multiple ongoing investigations and trusted third-party reporting yielded the IOCs and TTPs and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.

The advisory calls upon organizations to implement the recommendations in the Mitigations section to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections. Some of these measures include prioritizing patching known exploited vulnerabilities in internet-facing systems; reviewing and ensuring only necessary servers and services are exposed to the internet; and reviewing platforms or services that have credentials listed in [dot]env files for unauthorized access or use.

The CISA-FBI advisory identified that Androxgh0st malware has been observed establishing a botnet for victim identification and exploitation in target networks. According to open-source reporting, Androxgh0st is a Python-scripted malware primarily used to target [dot]env files that contain confidential information, such as credentials for high-profile applications (Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio) stored by the Laravel web application framework.

Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning for and exploiting exposed credentials and application programming interfaces (APIs), and deploying web shells.

The document identified that Androxgh0st malware TTPs commonly involve the use of scripts, conducting scanning, and searching for websites with specific vulnerabilities. In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run PHP (hypertext preprocessor) code on vulnerable websites via PHPUnit.

Hackers likely use Androxgh0st to download malicious files to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website, which allows them to download additional malicious files for their operations and to access databases.

The CISA-FBI advisory identified that the Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework. “After identifying websites using the Laravel web application, threat actors attempt to determine if the domain’s root-level .env file is exposed and contains credentials for accessing additional services. Threat actors often target .env files to steal these credentials within the environment variables. If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page.” 

Alternatively, the advisory disclosed that the Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the web server. “This data is frequently used as an identifier for the threat actor. This method appears to be used for websites in debug mode (i.e., when non-production websites are exposed to the internet). A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email (via SMTP) and AWS accounts.”

Furthermore, the Androxgh0st malware can also access the application key for the Laravel application on the website. If the threat actors identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code.

In connection with CVE-2021-41773, Androxgh0st actors have been observed scanning for vulnerable web servers running Apache HTTP Server versions 2.4.49 or 2.4.50. Threat actors can identify uniform resource locators (URLs) for files outside the root directory through a path traversal attack.

“If these files are not protected by the ‘request all denied’ configuration and Common Gateway Interface (CGI) scripts are enabled, this may allow for remote code execution. If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations,” the advisory said. “For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies. Additionally, Androxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity.”
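The GET and POST probes against /.env described above, together with the path traversal and PHPUnit requests mentioned earlier, leave traces in ordinary web server access logs. As an added example (not code from the advisory or this article), the following Python flags those request patterns in constructed combined-format log lines; the PHPUnit directory prefix and the double-decoding of dot segments are assumptions of this example, not details the advisory lists.

```python
"""Flag Androxgh0st-style probes in web server access logs (added example; constructed
sample lines, Apache/nginx combined log format assumed)."""
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2024:09:12:01 +0000] "GET /.env HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:09:12:02 +0000] "POST /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2024:09:15:44 +0000] "GET /cgi-bin/.%2e/%2e%2e/outside.txt HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.7 - - [16/Jan/2024:09:16:10 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "curl/7.68.0"
192.0.2.5 - - [16/Jan/2024:09:20:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def classify(method, path, status):
    """Label one request, or return None when it matches no Androxgh0st TTP."""
    # Decode twice so %2e and %252e both collapse to "." before matching.
    decoded = unquote(unquote(path.split('?', 1)[0]))
    if decoded == '/.env':
        if method == 'GET':
            # A 200 means the file was actually served: exposure, not just a probe.
            return 'env-exposed' if status == 200 else 'env-probe'
        if method == 'POST':
            # The 0x[] variable is in the body, which access logs do not record;
            # any POST to /.env is abnormal enough to flag on its own.
            return 'env-post-probe'
    if '/../' in decoded:
        # Encoded dot segments aimed outside the web root (CVE-2021-41773 pattern).
        return 'path-traversal'
    if '/vendor/phpunit/' in decoded:
        # Requests into the PHPUnit package directory (CVE-2017-9841 target).
        return 'phpunit-probe'
    return None

def flag_requests(log_text):
    """Return (ip, label, path, status) for every suspicious line in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m['status'])
        label = classify(m['method'], m['path'], status)
        if label:
            findings.append((m['ip'], label, m['path'], status))
    return findings
```

An `env-exposed` finding means the .env contents were returned to the client, so the credentials it holds should be treated as compromised and rotated, not merely monitored.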

The FBI and CISA recommend network defenders apply various mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by hackers using Androxgh0st malware. They must keep all operating systems, software, and firmware up to date, and specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50. Additionally, they must verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible and ensure that any live Laravel applications are not in ‘debug’ or testing mode.

The advisory added that organizations must, on a one-time basis for previously stored cloud credentials, and on an ongoing basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the [dot]env file for unauthorized access or use. They must also scan the server’s file system for unrecognized PHP files, and review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a [dot]php file.
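To act on the recommendations above, an added example (not from the advisory or this article) that parses a constructed Laravel .env, reports debug or non-production settings and the presence of the application key, and lists which of the services named earlier have credentials in the file; the key names follow Laravel's standard .env conventions, while the prefix-to-service mapping is an assumption for illustration.

```python
"""Audit a Laravel .env for the settings the advisory's mitigations target (added example;
key names are Laravel conventions, the service mapping is an assumption, sample is constructed)."""
import re

LINE_RE = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')

# Prefixes of keys holding credentials for services named in the advisory (assumed mapping).
CREDENTIAL_PREFIXES = {'AWS_': 'AWS', 'MAIL_': 'SMTP mail (e.g. Office 365)',
                       'SENDGRID_': 'SendGrid', 'TWILIO_': 'Twilio'}
SECRET_WORDS = ('KEY', 'SECRET', 'PASSWORD', 'TOKEN')  # key fragments that denote a secret

SAMPLE_ENV = """\
# constructed sample, not a real configuration
APP_ENV=local
APP_DEBUG=true
APP_KEY=base64:PLACEHOLDER_APP_KEY
AWS_ACCESS_KEY_ID=PLACEHOLDER_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY="PLACEHOLDER_SECRET"
MAIL_PASSWORD='PLACEHOLDER_MAIL_PASSWORD'
TWILIO_AUTH_TOKEN=
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks/comments and stripping matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not line or line.startswith('#') or not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        env[key] = value
    return env

def audit_env(text):
    """Return (issues, services): weak settings, plus services whose credentials need review."""
    env = parse_env(text)
    issues = []
    if env.get('APP_DEBUG', 'false').lower() in ('true', '1'):
        issues.append('APP_DEBUG enabled: the 0x[] POST technique targets debug-mode sites')
    if env.get('APP_ENV', '').lower() != 'production':
        issues.append(f"APP_ENV is {env.get('APP_ENV') or 'unset'}, not production")
    if env.get('APP_KEY'):
        issues.append('APP_KEY present: rotate it if the file was ever served')
    # Only non-empty values under a known prefix whose key name marks it as a secret.
    services = sorted({svc for key, val in env.items() if val
                       for pre, svc in CREDENTIAL_PREFIXES.items()
                       if key.startswith(pre) and any(w in key for w in SECRET_WORDS)})
    return issues, services
```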

In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating the organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the Androxgh0st malware advisory.
