AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

AndroxGh0st Malware

Cybersecurity researchers have make clear a software known as AndroxGh0st that is used to focus on Laravel purposes and steal delicate knowledge.

“It really works by scanning and taking out essential info from .env recordsdata, revealing login particulars linked to AWS and Twilio,” Juniper Risk Labs researcher Kashinath T Pattan said.

“Categorized as an SMTP cracker, it exploits SMTP utilizing numerous methods reminiscent of credential exploitation, internet shell deployment, and vulnerability scanning.”

AndroxGh0st has been detected within the wild since at the very least 2022, with menace actors leveraging it to entry Laravel surroundings recordsdata and steal credentials for numerous cloud-based purposes like Amazon Net Companies (AWS), SendGrid, and Twilio.

Assault chains involving the Python malware are identified to use identified safety flaws in Apache HTTP Server, Laravel Framework, and PHPUnit to realize preliminary entry and for privilege escalation and persistence.


Earlier this January, U.S. cybersecurity and intelligence businesses warned of attackers deploying the AndroxGh0st malware to create a botnet for “sufferer identification and exploitation in goal networks.”

“Androxgh0st first good points entry by a weak point in Apache, recognized as CVE-2021-41773, permitting it to entry weak programs,” Pattan defined.

“Following this, it exploits further vulnerabilities, particularly CVE-2017-9841 and CVE-2018-15133, to execute code and set up persistent management, primarily taking up the focused programs.”

Androxgh0st is designed to exfiltrate delicate knowledge from numerous sources, together with .env recordsdata, databases, and cloud credentials. This enables menace actors to ship further payloads to compromised programs.

Juniper Risk Labs mentioned it has noticed an uptick in exercise associated to the exploitation of CVE-2017-9841, making it important that customers transfer shortly to replace their situations to the newest model.

AndroxGh0st Malware

A majority of the assault makes an attempt concentrating on its honeypot infrastructure originated from the U.S., U.Okay., China, the Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia, and India, it added.

The event comes because the AhnLab Safety Intelligence Middle (ASEC) revealed that weak WebLogic servers positioned in South Korea are being focused by adversaries and used them as obtain servers to distribute a cryptocurrency miner known as z0Miner and different instruments like quick reverse proxy (FRP).

It additionally follows the invention of a malicious marketing campaign that infiltrates AWS situations to create over 6,000 EC2 situations inside minutes and deploy a binary related to a decentralized content material supply community (CDN) generally known as Meson Network.

The Singapore-based firm, which goals to create the “world’s largest bandwidth market,” works by permitting customers to trade their idle bandwidth and storage assets with Meson for tokens (i.e., rewards).


“This implies miners will obtain Meson tokens as a reward for offering servers to the Meson Community platform, and the reward shall be calculated based mostly on the quantity of bandwidth and storage introduced into the community,” Sysdig said in a technical report printed this month.

“It is not all about mining cryptocurrency anymore. Companies like Meson community wish to leverage arduous drive house and community bandwidth as an alternative of CPU. Whereas Meson could also be a authentic service, this reveals that attackers are at all times looking out for brand new methods to make cash.”

With cloud environments more and more changing into a profitable goal for menace actors, it’s vital to maintain software program updated and monitor for suspicious exercise.

Risk intelligence agency Permiso has additionally released a software known as CloudGrappler, that is constructed on high of the foundations of cloudgrep and scans AWS and Azure for flagging malicious occasions associated to well-known menace actors.

Notify of
Inline Feedbacks
View all comments
Previous Post
Tunnel-Keylogger - Keylogging Server And Client That Uses DNS Tunneling/Exfiltration To Transmit Keystrokes

Tunnel-Keylogger – Keylogging Server And Shopper That Makes use of DNS Tunneling/Exfiltration To Transmit Keystrokes

Next Post
Understanding New Frontiers in Global Conflicts

Understanding New Frontiers in World Conflicts

Related Posts