What is AndroxGhost Malware and Should You Be Worried?

What is AndroxGhost Malware?

CISA and the FBI issued a joint warning regarding the Androxgh0st malware. In this article, let’s see what AndroxGhost malware is and how it works. In a joint effort to combat the rising threats in the digital realm, the CISA and FBI have recently issued an alarming warning about the notorious AndroxGhost Malware. This malicious software has been wreaking havoc across various sectors, posing a significant threat to cybersecurity.

FBI Tweet on AndroxGhost Malware

The #FBI and @CISAgov released a joint #CybersecurityAdvisory on IOCs and TTPs associated with threat actors deploying Androxgh0st malware, which is used to establish botnets and compromise vulnerable networks. Learn about mitigations here: https://t.co/adE6f3nMyd pic.twitter.com/dgilVOSPgS

— FBI (@FBI) January 16, 2024

CISA Tweet on AndroxGhost Malware

🚨 New #Cybersecurity Advisory: @CISAgov & @FBI released details on #Androxgh0st Malware, including #TTPs, #IOCs & mitigations. Organizations are strongly advised to implement recommended mitigations. Stay proactive against cyber threats! 🛡️https://t.co/NsoyVyomBw pic.twitter.com/v9jhkTR9mM

— CISA Cyber (@CISACyber) January 16, 2024

CISA and FBI identified Androxgh0st malware as a botnet aimed at stealing cloud credentials and using the stolen information to deliver additional malicious payloads. The botnet was first discovered by Lacework Labs in 2022.

AndroxGh0st is finally getting some of the attention it deserves. This Python-based #malware was first discovered by our Lacework Labs team in 2022. Check out the original article to learn more about #AndroxGh0st and how to detect it. ⬇️https://t.co/hSFbgxIYmR

— Lacework (@Lacework) January 18, 2024

According to Lacework researchers, “Depending on the usage, AndroxGh0st can perform one of two primary functions against acquired credentials. The most commonly observed of these is to check the email sending limit for the account to assess if it can be leveraged for spamming. This is performed with a call to GetSendQuota. AndroxGh0st does not perform any further recon following this API call.”

FortiLabs from Fortinet identified that the AndroxGhost malware controlled over 40,000 devices. To be specific, here is what FortiLabs says: “AndroxGh0st malware is actively used in the field to target Laravel .env files that contain sensitive information such as credentials for AWS, O365, SendGrid, and Twilio. FortiGuard Labs observes in the wild attempts by the AndroxGh0st malware more than 40,000 Fortinet devices a day.”

How Does AndroxGhost Malware Work?

According to the alert, Androxgh0st is a Python-scripted malware primarily used to target .env files containing confidential information, such as credentials for various high profile applications, such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework.

The agencies highlighted that the botnet utilizes various remote code execution (RCE) vulnerabilities to infect systems. Specifically, it scans for websites and servers vulnerable to CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework).

Once AndroxGhost infects a system, it establishes a backdoor, granting unauthorized access to cybercriminals. This allows them to initiate a range of malicious activities, including data theft, espionage, and even the deployment of additional malware. AndroxGhost operates with utmost discretion, often bypassing traditional security measures and remaining hidden from detection technologies.

Impact of AndroxGhost Malware Attack

In recent times, cyber attacks have been increasing at an enormous pace and a similar trend is expected to continue in 2024. The recent cyber attacks on Telecom giants, oil and gas industry, healthcare industry, automobile, intelligence services, utilities, and government agencies ring the bells to stay more cautious and take preventive measures to stay protected from such cyber threats in 2024.

The repercussions of falling victim to AndroxGhost malware can be devastating. For individuals, it may result in identity theft, financial loss, or the compromise of personal information. In the corporate world, the consequences can be even more severe, ranging from sensitive data breaches to reputational damage. Industries such as finance, healthcare, and government entities are particularly vulnerable to these attacks.

How to Prevent AndroxGhost Malware Attack?

CISA and the FBI advised that organizations take immediate action to protect themselves from this threat. They recommended implementing the following measures to mitigate the risk of Androxgh0st malware:

CISA’s Mitigation Recommendations:

1. Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50.
2. Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
3. Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.
4. On a one-time basis for previously stored cloud credentials, and on an on-going basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
5. Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
6. Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.

The agencies also encouraged organizations to report any observed activity related to Androxgh0st malware to the FBI and CISA through their online reporting systems or by contacting the designated points of contact.

Additional Recommendations To Prevent AndroxGhost Malware Attacks

In addition, organizations can take proactive steps to protect themselves from this emerging threat by following these mitigation measures:

1. Keep your software up to date: Regularly update your operating system, antivirus software, and other applications. Software updates often include security patches that address vulnerabilities exploited by ransomware.

2. Use strong passwords: Create unique passwords for each of your accounts and ensure they are complex with a mix of letters, numbers, and symbols. Consider using a password manager to securely store all your passwords. Use tools like SurfShark Identity Theft Protection to protect your digital identity.

3. Be cautious of suspicious emails: Phishing emails are a standard method used by cybercriminals to distribute ransomware. Avoid clicking on links or opening attachments from unknown senders, especially if the email seems suspicious or too good to be true.

4. Enable two-factor authentication (2FA): Two-factor authentication adds an extra layer of security by requiring users to provide additional verification beyond just a password when logging into their accounts.

5. Regularly backup your data: Implement a robust backup strategy that includes regular backups of important files stored both locally and in the cloud. This way, even if you fall victim to a ransomware attack, you can restore your files without paying the ransom.

6. Educate yourself and employees: Provide cybersecurity training for yourself and all employees within your organization. Teach them about the risks associated with opening unknown links or downloading files from untrusted sources.

7. Install reputable security software: Invest in reliable antivirus/anti-malware solutions that can detect and block potential threats before they infiltrate your systems. Use legitimate and reputed cyber security tools like Panda Security to protect your online footprint.

8. Use VPN Software: Always leverage the power of VPN software to stay anonymous and secure while surfing online. VPN software like Nord VPN and SurfShark CleanWeb Adblocker protects your online footprint and allows you to browse the internet more securely and stealthily.

For more cybersecurity news and updates, follow us on Cybersecurity – The SOC Labs.

Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.