The US authorities has urged organizations to take motion to guard in opposition to Androxgh0st malware, which is utilized by risk actors for sufferer identification and exploitation in goal networks.
A joint advisory by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) dated January 16, 2024 warned that Androxgh0st helps quite a few nefarious actions in breached networks.
The advisory famous that Androxgh0st malware helps numerous capabilities able to abusing the Simple Mail Transfer Protocol (SMTP), corresponding to scanning and exploiting uncovered credentials and utility programming interfaces (APIs).
How Androxgh0st Attackers Compromise Targets
The FBI and CISA highlighted three particular vulnerabilities being exploited by risk actors in deploying Androxgh0st, which might result in distant code execution:
- CVE-2017-9841: Attackers are remotely operating hypertext preprocessor (PHP) code on fallible web sites through PHPUnit. This topics web sites utilizing the PHPUnit module which have internet-accessible folders to malicious HTTP POST requests. Once the risk actor remotely executes code, Androxgh0st is used to obtain malicious information to the system internet hosting the web site.
- CVE-2018-15133: Remote code execution could happen within the Lavarel internet utility framework because of an unserialized name on a probably untrusted X-XSRF-TOKEN worth. This can permit risk actors to add information to the web site through distant entry. The Androxgh0st malware is used to ascertain a botnet to establish web sites utilizing the Lavarel framework.
- CVE-2021-41773: Attackers have been noticed scanning weak internet servers operating Apache HTTP Server variations 2.4.49 or 2.4.50 to acquire credentials to entry delicate information. In this vulnerability, if these information usually are not protected by the “request all denied” configuration and Common Gateway Interface (CGI) scripts are enabled, this may increasingly permit for distant code execution.
These vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities Catalog.
The advisory stated the next requests are indicators of compromise related to Androxgh0st exercise:
- Incoming GET and POST requests to the URIs /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php and /.env
- Incoming POST requests with the next strings: (0xpercent5Bpercent5D=androxgh0st) and ImmutableMultiDict(((‘0x()’, ‘androxgh0st’)))
How to Defend Against Androxgh0st Attacks
Organizations are suggested to implement the next mitigations to guard themselves in opposition to the risk posed by Androxgh0st.
- Keep all working programs, software program and firmware updated. The advisory urged organizations to make sure that Apache servers usually are not operating variations 2.4.49 or 2.4.50.
- Verify that the default configuration for all URIs is to disclaim all requests until there’s a particular want for it to be accessible.
- Ensure that any reside Laravel functions usually are not in “debug” or testing mode. This contains eradicating all cloud credentials from .env information and revoking them.
- Review any platforms or companies which have credentials listed within the .env file for unauthorized entry or use.
- Scan the server’s file system for unrecognized PHP information.
- Review outgoing GET requests to file internet hosting websites corresponding to GitHub and pastebin.
- Validate your group’s safety program in opposition to the risk behaviors mapped to the MITER ATT&CK for Enterprise framework.
- Report any suspicious or felony exercise to your native FBI subject workplace.