AndroxGh0st in the news: Exploring the malware’s surge in attention
In 2022, the Lacework Labs team discovered a new, large-scale threat called AndroxGh0st, a Python malware being used to exploit AWS keys. Its discovery was a concern, but it was only last week that AndroxGh0st finally gained the widespread public attention it deserved, when the FBI and CISA issued a warning about the threat and key signs to watch out for.
When Lacework Labs first encountered AndroxGh0st while researching our first AWS composite alert (research conducted in 2022, published a little over a year ago), they found that it was capable of scanning for and exploiting exposed credentials and APIs. AndroxGh0st targets specific files known as Laravel.env files, which are crucial because they contain access keys and credentials for major services like AWS and Microsoft Office 365. The abuse actions leveraging compromised keys require the third party to already have the keys with the required privileges to take the malicious actions.
The theft of these files poses a serious risk, as it enables hackers to gain unauthorized access and potentially disrupt services. More alarmingly, this malware has been used by hackers to build a botnet, which is a network of compromised computers, to then be used for additional credential theft and launching further cyberattacks.
The recent advisory from the FBI and CISA marks a turning point in the perception of AndroxGh0st, with it now recognized as a significant national cybersecurity threat because of its potential widespread impact on both businesses and individual users. News platforms and experts are now intensively covering AndroxGh0st, offering detailed analysis of its operation, potential risks, and preventive measures.
Here’s a preview of what experts have been saying:
The #FBI and @CISAgov released a joint #CybersecurityAdvisory on IOCs and TTPs associated with threat actors deploying Androxgh0st malware, which is used to establish botnets and compromise vulnerable networks. Learn about mitigations here: https://t.co/adE6f3nMyd pic.twitter.com/dgilVOSPgS
— FBI (@FBI) January 16, 2024
🚨 Alert: CISA & FBI warn of a growing AndroxGh0st botnet targeting AWS, #Microsoft Office 365, SendGrid, and Twilio credentials.
Key details inside: https://t.co/WGwbtOikV8
Don’t be the next victim; patch your Laravel servers NOW.#cybersecurity #hacking
— The Hacker News (@TheHackersNews) January 17, 2024
FBI: Beware of thieves building Androxgh0st botnets using stolen creds https://t.co/MozQHFJR8C
— The Cyber Security Hub™ (@TheCyberSecHub) January 17, 2024
Federal agencies warn that Androxgh0st malware operators are building a botnet https://t.co/kBinVQGYz6
— SiliconANGLE (@SiliconANGLE) January 17, 2024
Heard about the new “Androxgh0st” Malware Targeting Laravel apps? You’re only vulnerable if your `.env` file is web-accessible or you have debug-mode enabled.
Here’s the details: https://t.co/Aai1yPouZk
— Stephen Rees-Carter (@valorin) January 19, 2024
How Lacework can help
As we’ve seen, the AndroxGh0st malware represents a significant and evolving threat. Since Lacework Labs published the initial blog in 2022, we have helped our customers address this threat by triggering over 200 alerts that were the result of AndroxGh0st or functionally similar malware.
In this example composite alert below, the first signal is for AWS Simple Email Service (SES) abuse, which is a strong indicator of this activity. Composite alerting has become an effective tool for our customers to detect compromised credential usage, not only for AndroxGh0st, but other activities as well. This is because anomalies need to be taken into account in order to qualify rule-based detections.
Want to see for yourself how Lacework helps discover the latest threats? Get complete access to our platform with our 14-day free trial here.