AndroxGh0st is a Python-scripted malware observed targeting Laravel web applications, focusing on exposed .env files to steal credentials and maintain access. The post outlines exploitation methods, observed indicators, and defense recommendations to mitigate this evolving threat. #AndroxGh0st #Laravel #PHPUnit #CVE-2017-9841 #CVE-2018-15133 #CVE-2021-41773
Keypoints
- AndroxGh0st is a Python-scripted malware targeting Laravel web applications and their sensitive .env files to steal credentials and enable backdoor access.
- It exploits multiple CVEs to achieve code execution, including CVE-2017-9841 (PHPUnit RCE), CVE-2018-15133 (Laravel App Key Deserialization), and CVE-2021-41773 (Apache path traversal RCE).
- The malware searches for exposed .env files and accesses contents via GET /-.env or POST with a specific identifier to exfiltrate data such as credentials for email and AWS.
- AndroxGh0st operates as part of a botnet, able to download additional payloads, deploy fake web pages, and maintain backdoor access for ongoing compromise.
- During a March 11, 2024 honeypot encounter, activity originated from IP 78.153.140.179 with the user-agent androxgh0st, showing systematic targeting patterns.
- Mitigations emphasize keeping systems patched, securing Laravel configurations, credential hygiene (rotation, encryption, MFA), network defenses (IDS/Firewalls), and scanning for malicious PHP files and suspicious outgoing requests.
MITRE Techniques
- [T1190] Exploit Public-Facing Application β The malware exploits vulnerabilities in public-facing Laravel apps to gain remote code execution. βIf the /vendor folder is accessible from the internet, attackers can send malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI, allowing them to execute code remotely.β
- [T1059.007] Command and Scripting Interpreter: PHP β AndroxGh0st typically uses scripts to run PHP code on vulnerable websites using the PHPUnit module. βAndroxGh0st malware typically uses scripts to scan for and exploit specific vulnerabilities on websites. One common method is to run PHP code on vulnerable websites using the PHPUnit module.β
- [T1105] Ingress Tool Transfer β Attackers download additional malicious files to the compromised system to extend access. βthey can also set up fake web pages to maintain backdoor access, enabling them to download more malicious files and access databases.β
- [T1552.001] Credentials in Files β The malware targets exposed .env files to steal credentials, including service credentials for email and AWS. βAttackers target these files to steal sensitive information.β and βSuccessful responses allow attackers to steal usernames, passwords, and credentials for services like email and AWS accounts.β
- [T1505.003] Web Shell β AndroxGh0st involved web shell deployment and backdoors, enabling ongoing access and file upload. βset up fake web pages to maintain backdoor access, enabling them to download more malicious files and access databases.β
Indicators of Compromise
- [IP Address] Observed in attack activity β 78.153.140.179
- [URL] Exploitation/exposure endpoints β /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /.env
- [User-Agent] Detection indicator β androxgh0st
- [File Hash] Sample malware/miner hashes β f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88, 3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a, and 5 more hashes
- [File Hash] Additional samples (Linux miners, PHP webshells) β 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066, 6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc
- [File Hash] PHP Webshell samples β ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72, 0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef
Read more: https://isc.sans.edu/diary/Who+You+Gonna+Call+AndroxGh0st+Busters+Guest+Diary/31086/