January 17, 2024 at 11:36AM
CISA and the FBI have issued a joint advisory warning that the Androxgh0st malware is being used to build a botnet that scans for and exploits vulnerable networks. The malware primarily hunts for exposed .env files, which commonly hold credentials and API keys for services such as AWS, Microsoft Office 365, SendGrid, and Twilio. It can also abuse the Simple Mail Transfer Protocol (SMTP), scan for and exploit stolen credentials and application programming interfaces (APIs), and deploy web shells. The agencies published indicators of compromise (IoCs) and recommended mitigations.
The operators behind Androxgh0st also use scripts to scan for websites affected by specific vulnerabilities, notably CVE-2017-9841, a remote code execution flaw in PHPUnit's eval-stdin.php, and CVE-2018-15133, a deserialization flaw in the Laravel framework that is exploitable when an attacker knows the application's APP_KEY, a value that is routinely stored in the same .env files the malware harvests. The agencies released IoCs associated with Androxgh0st operations together with recommended mitigations, and urged organizations to apply them as soon as possible. CISA also added CVE-2018-15133 to its Known Exploited Vulnerabilities catalog.
The Androxgh0st operators also target CVE-2021-41773, a path traversal vulnerability in Apache HTTP Server 2.4.49 that can lead to remote code execution when CGI scripts are enabled (the incomplete fix shipped in 2.4.50 is tracked separately as CVE-2021-42013). If the threat actors obtain credentials for any service through these methods, they can use them to access sensitive data or conduct further malicious operations, such as sending mail or spinning up cloud resources under the victim's account.
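The scanning behaviour described above, across the .env probing and the three CVEs, leaves recognizable request paths in ordinary web server access logs, so a first-pass detection is a log sweep for those paths. The following Python script is an added example written for this page and is not code from the advisory or from CISA; the log lines it processes are constructed samples, not real traffic, and the rule names and the "confirmed" versus "attempt" severity labels are this example's own conventions. The PHPUnit path and the encoded-dot traversal form (`.%2e`, `%2e%2e`) are the well-known request signatures of CVE-2017-9841 and CVE-2021-41773 respectively; CVE-2018-15133 is omitted because its exploit travels in an HTTP header that the common log format does not record.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2024:02:14:07 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jan/2024:02:14:09 +0000] "POST / HTTP/1.1" 200 1833 "-" "Mozilla/5.0"
203.0.113.11 - - [16/Jan/2024:02:15:31 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 209 "-" "python-requests/2.31"
203.0.113.12 - - [16/Jan/2024:02:16:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 134 "-" "curl/8.4.0"
198.51.100.7 - - [16/Jan/2024:02:16:40 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Common/combined log format: client IP, identity, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Rules are matched against the RAW (still percent-encoded) path: the encoded
# dots are the signature of the Apache traversal, and a decoded "../" would be
# normalised away by any sane server before it reached the log anyway.
RULES = [
    # Direct request for the Laravel/PHP secrets file (or a backup of it).
    ("env_file_probe", re.compile(r"(^|/)\.env(\.|$|\?)", re.I)),
    # CVE-2017-9841: PHPUnit eval-stdin.php executes the POST body as PHP.
    ("cve_2017_9841_phpunit_eval_stdin",
     re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I)),
    # CVE-2021-41773 / CVE-2021-42013: mixed or double URL-encoded dot-dot segments.
    ("cve_2021_41773_path_traversal", re.compile(r"(\.%2e|%2e%2e|%2e\.)", re.I)),
]


def severity(status):
    """A 2xx answer to one of these probes means the server served the
    secrets file, ran eval-stdin.php, or resolved the traversal: treat it
    as confirmed exposure. Anything else is a logged attempt."""
    return "confirmed" if 200 <= status < 300 else "attempt"


def scan(log_text):
    """Return one finding per log line that matches an Androxgh0st-style probe."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line; skip rather than guess
        raw_path = m.group("path")
        status = int(m.group("status"))
        for rule, pattern in RULES:
            if pattern.search(raw_path):
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "method": m.group("method"),
                    "path": unquote(raw_path),  # decoded form for the analyst
                    "status": status,
                    "rule": rule,
                    "severity": severity(status),
                })
                break  # one rule per line is enough for triage
    return findings


def summarize(findings):
    """Group matched rules by source IP so repeat scanners stand out."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["rule"])
    return dict(by_ip)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:9} {f['ip']:14} {f['method']} {f['path']} -> {f['status']} [{f['rule']}]")
    for ip, rules in summarize(results).items():
        print(f"{ip}: {', '.join(sorted(rules))}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; a "confirmed" hit on the .env rule means the credentials in that file should be treated as leaked and rotated, which is the mitigation the advisory leads with, regardless of whether the rest of the intrusion is ever reconstructed.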