The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued alerts about an expanding botnet powered by the Androxgh0st malware. This malware is particularly concerning due to its capability to steal cloud credentials and use the Simple Mail Transfer Protocol (SMTP) for network exploitation and victim identification.

A recent cybersecurity advisory from these U.S. federal agencies highlighted the dangers of the Androxgh0st malware, describing its tactics, techniques, and procedures (TTPs), its indicators of compromise (IOCs), and recommended countermeasures. Organizations are urged to adopt these mitigation strategies to safeguard against the threat.

Androxgh0st, a Python-scripted malware, primarily targets .env files containing sensitive information in various applications like Amazon Web Services (AWS), Twilio, and Microsoft Office 365. It leverages SMTP to deploy web shells and exploit exposed credentials.

First detected by Lacework Labs in 2022, this botnet has since commandeered over 40,000 devices by exploiting vulnerabilities in servers and websites, such as CVE-2021-41773 in Apache HTTP Server, CVE-2017-9841 in PHPUnit, and CVE-2018-15133 in the Laravel PHP framework.

The botnet’s operators have been seen checking email account limits to facilitate spam campaigns and creating deceptive pages on compromised websites for backdoor access. They have also used stolen AWS credentials to search for vulnerable targets online.

The FBI and CISA are encouraging organizations that suspect they are affected to report such incidents. They also recommend keeping systems updated, scrutinizing interaction requests, and inspecting platforms for exposed credentials in .env files as part of a comprehensive strategy to counter this threat.
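The last recommendation, checking your own platforms for exposed credentials in .env files, is the one an operator can automate. The following Python script is an added defender-side example; it is not code from the advisory or from this article. It does two things: it walks a web root for `.env` files that hold populated secret values (the variable names it flags are assumptions based on the services named above, such as AWS, Twilio, and SMTP mail settings), and it scans web-server access-log lines for requests that touch a `/.env` path, which is the kind of probing that precedes credential theft. The web root contents and the log lines are constructed samples embedded in the script so it runs offline.

```python
"""Defender-side checks for the .env credential-exposure pattern.

Added example, not part of the original advisory. The secret-variable names
and the sample files/log lines below are assumptions and constructed data.
"""
import re
import tempfile
from pathlib import Path

# Variable names whose values are secrets in Laravel-style .env files.
# Assumed list: explicit names for the services the advisory mentions plus
# generic SECRET/TOKEN/PASSWORD names.
SECRET_KEY_PATTERN = re.compile(
    r"^(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|TWILIO_SID|TWILIO_AUTH_TOKEN|"
    r"APP_KEY|DB_PASSWORD|MAIL_USERNAME|MAIL_PASSWORD|.*SECRET.*|.*TOKEN.*|.*PASSWORD.*)$",
    re.IGNORECASE,
)

# Constructed sample .env content (placeholder values, not real credentials).
SAMPLE_ENV = """# constructed sample, not a real credential set
APP_NAME=demo
APP_KEY=base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000
AWS_SECRET_ACCESS_KEY="example/secret/value"
MAIL_HOST=smtp.example.com
MAIL_PASSWORD=
TWILIO_AUTH_TOKEN='example-token'
"""

# A template file with no values set should not be reported.
SAMPLE_ENV_EXAMPLE = "APP_KEY=\nAWS_SECRET_ACCESS_KEY=\nMAIL_PASSWORD=\n"

# Constructed Apache/nginx combined-format access-log lines.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:12:00:02 +0000] "POST /.env HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jan/2024:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:12:00:04 +0000] "GET /api/.env HTTP/1.1" 403 0 "-" "-"',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_env(text):
    """Parse KEY=VALUE lines of a .env file, skipping comments and blank lines."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Strip surrounding single or double quotes from the value.
        result[key.strip()] = value.strip().strip('"').strip("'")
    return result


def find_exposed_env_files(web_root):
    """Walk web_root and list .env files that hold populated secret values.

    Returns [(relative_path, [secret_variable_names...]), ...].
    """
    root = Path(web_root)
    findings = []
    for env_path in sorted(root.rglob(".env*")):
        if not env_path.is_file():
            continue
        env = parse_env(env_path.read_text(errors="replace"))
        secrets = sorted(k for k, v in env.items() if v and SECRET_KEY_PATTERN.match(k))
        if secrets:
            findings.append((str(env_path.relative_to(root)), secrets))
    return findings


def env_probe_hits(log_lines):
    """Return (client_ip, path, status) for every request touching a /.env path."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = m.group("req").split()
        if len(parts) < 2:
            continue
        path = parts[1]
        if "/.env" in path:
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


def scan_sample_web_root():
    """Write the constructed sample files to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".env").write_text(SAMPLE_ENV)
        (root / "public").mkdir()
        (root / "public" / ".env.example").write_text(SAMPLE_ENV_EXAMPLE)
        return find_exposed_env_files(root)


if __name__ == "__main__":
    for path, names in scan_sample_web_root():
        print(f"{path}: populated secrets {names}")
    for ip, path, status in env_probe_hits(SAMPLE_LOG_LINES):
        flag = "CRITICAL (served)" if status == 200 else "probe"
        print(f"{ip} requested {path} -> {status} [{flag}]")
```

A 200 response to a `/.env` request is the finding to escalate: it means the file was actually served, so every populated key in it should be treated as compromised and rotated. The 403 and 404 lines are probes worth alerting on, since the same client trying several paths is the reconnaissance behaviour described above.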