Contents:
CISA and FBI released an advisory on Androxgh0st malware IoCs (Indicators of Compromise) and warned about hackers using this threat to steal credentials.
The advisory contains:
- a list of specific Androxgh0st IoCs
- examples of malicious activities linked to it
- details about the Tactics, Techniques, and Procedures (TTPs) the malware uses
Patching operating systems, software, and firmware is at the top of CISA`s recommended prevention measures list:
Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
Source – CISA and FBI advisory
The Cybersecurity and Infrastructure Security Agency also urged System Admins to update Apache servers running versions 2.4.49 or 2.4.50.
What can Androxgh0st malware do?
Androxgh0st is a Python-written malware that hackers use to create a botnet that scans for and exploits vulnerable networks.
Some of the systems that Androxgh0st targets for credential stealing and remote code execution are:
- PHPUnit – Hackers exploit CVE-2017-9841 for remote code execution. They use Androxgh0st to download malicious files to the system that hosts the website, create a backdoor and finally access databases.
- Laravel Framework – Threat actors use the Laravel web app to check if the domain’s root-level .env file is exposed. Usually .env files contain credentials and tokens that hackers will attempt stealing. In some Laravel frameworks, hackers can exploit CVE-2018-15133 for remote code execution. Amazon Web Services [AWS], Microsoft Office 365, and SendGrid are some of the high-profile applications that could be affected.
- Apache Web Server – Androxgh0st actors use the malware along with CVE-2021-41773 to detect vulnerable web servers. They detect uniform resource locators (URLs) for files outside root directory. Such unprotected files can allow for remote code execution.
CISA says hackers can use Androxgh0st malware to abuse the Simple Mail Transfer Protocol (SMTP). The malware`s capabilities can
- scan for network service discovery
- exploit exposed credentials, application programming interfaces (APIs), and web shell deployment.
Androxgh0st malware IoCs
CISA and FBI`s analysis lead to revealing a series of IoCs you can use to detect an Androxgh0st malware infection in your system.
GET and POST requests to the URIs:
- /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
- /.env
POST requests with the strings:
- [0x%5B%5D=androxgh0st]
- ImmutableMultiDict([(‘0x[]’, ‘androxgh0st’)])
Check the entire list of Androxgh0st malware IoCs here.
Automate the Patch Management Process with Heimdal®
Find out more 30-day Free Trial. Offer valid only for companies.Patching prevents Androxgh0st malware attacks
CISA`s advisory on Androxgh0st malware once again stresses that patching known vulnerabilities timely is a system`s first line of defense.
Vendors have already released patches for all three CVEs the advisory mentions.
To make patching an easier task and close known vulnerabilities before hackers get to you, use an automated patch management solution:
- Find out which of the assets in your system are vulnerable
- Prioritize patches
- Test in a safe environment
- Deploy patches
- Monitor and Report
In only a few clicks with Heimdal`s Patch & Asset Management.
Get a free trial of the solution here.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.