Legion: an AWS Credential Harvester and SMTP Hijacker

MITRE Techniques

• [T1190] Exploit Public-Facing Application – The malware uses a PHP unauthenticated RCE vulnerability, tracked as CVE-2017-9841, by posting PHP payloads to a vendor path to gain access. Quote: ‘This is a well-known PHP unauthenticated RCE vulnerability, tracked as CVE-2017-9841.’
• [T1505.003] Web Shell – It includes code to implant webshells on compromised servers for long-term control. Quote: ‘the malware includes code to implant webshells.’
• [T1552.001] Credentials in Files – Legion searches misconfigured servers for credentials in environment/config files (e.g., Laravel .env) and parses them. Quote: ‘The malware maintains a list of likely paths to this file, as well as similar files and directories for other web technologies.’
• [T1046] Network Service Discovery – It interacts with Shodan’s API to retrieve a target list of internet-facing services. Quote: ‘interacting with Shodan’s API to retrieve a target list (providing you supply an API key) and’
• [T1110] Brute Force – The malware brute-forces CPanel/WHM accounts and includes a function dedicated to brute-forcing AWS credentials (aws_generator). Quote: ‘brute-forcing cPanel and WebHost Manager (WHM) accounts’ and ‘a function dedicated to brute-forcing AWS credentials – named aws_generator().’
• [T1136] Create Account – Legion creates an AWS IAM user, an SESAdminGroup, and attaches AdministratorAccess, effectively creating privileged cloud accounts. Quote: ‘IAM user creation and tagging code’ and ‘consisting with the assumption that Legion is primarily concerned with cracking email services, the malware attempts to use the newly-created AWS IAM user to query Amazon SES quota’
• [T1071.001] Web Protocols – It reports results via Telegram Bot API, using web protocols to exfiltrate data to a C2-like channel. Quote: ‘Telegram support is also included, with the ability to pipe the results of each of the modules into a Telegram chat via the Telegram Bot API.’