Keypoints
- AndroxGh0st is a Python malware targeting Laravel apps and .env files to harvest credentials and API keys.
- The tool includes functions to query AWS SES limits, check SendGrid API keys, and send SMS via Twilio using stolen credentials.
- It exploits multiple vulnerabilities—CVE-2021-41773 (Apache path traversal/RCE), CVE-2017-9841 (PHPUnit eval-stdin RCE), and CVE-2018-15133 (Laravel XSRF-TOKEN deserialization RCE)—to gain entry, execute code, and persist.
- AndroxGh0st installs web shells and performs vulnerability scanning, credential validation, and data exfiltration from application files and databases.
- Detected hashes and sample endpoints are published in the vendor’s IoC repository; Juniper recommends IDS/NGFW protections, patching, credential protection, and behavioral analytics.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to exploit CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773 to achieve remote code execution. [‘Androxgh0st first gains entry through a weakness in Apache, identified as CVE-2021-41773… exploits additional vulnerabilities, specifically CVE-2017-9841 and CVE-2018-15133’]
- [T1505.003] Web Shell – Installs web shells to maintain persistent access after exploitation. [‘maintain persistent access by installing web shells’]
- [T1110] Brute Force – The source reads the tool's ability to generate AWS keys as a hint that it may brute-force cloud accounts. [‘While its ability to generate AWS keys hints at potential brute force attacks’]
- [T1595] Active Scanning – Performs vulnerability scanning to discover exploitable Laravel and PHP endpoints. [‘It works by scanning and taking out important information from .env files… vulnerability scanning’]
- [T1078] Valid Accounts – Uses stolen API keys and account credentials (AWS, SendGrid, Twilio) to interact with services and send messages. [‘Executing this function requires valid AWS credentials… Successful execution requires a valid SendGrid API key… Successful execution requires valid Twilio Account SID and Auth Token’]
- [T1005] Data from Local System – Exfiltrates local application configuration like .env files and other sensitive data from databases. [‘exfiltrates substantial amounts of sensitive data from various sources, including .env files, databases, and cloud credentials’]
- [T1041] Exfiltration Over C2 Channel – Transmits stolen configuration and credentials off the compromised host after access and persistence are established. [‘exfiltrates substantial amounts of sensitive data from various sources’]
Indicators of Compromise
- [File Hash] AndroxGh0st sample and modules – f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88 (env.py), 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066, and 1 more hash
- [File Name] Targeted configuration files – .env (used to harvest credentials and API keys)
- [HTTP Endpoint] Exploit URI used for PHPUnit RCE – /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php (malicious POSTs observed)
- [CVE] Vulnerabilities exploited – CVE-2017-9841, CVE-2018-15133, CVE-2021-41773
- [Payload String] Hardcoded token/value seen in requests – “0x%5B%5D=androxgh0st” (injected into request bodies to interact with vulnerable Laravel apps)
AndroxGh0st is a modular Python tool that focuses on compromising Laravel-based web applications by chaining public-facing application exploits and service abuse. The malware package includes utility functions—awslimitcheck (queries AWS SES limits using Boto3), sendgridcheck (retrieves SendGrid API key credits and mail-from details via the SendGrid API), and twillio_sender (checks Twilio account/balance and can send test SMS using Account SID/Auth Token). These functions require valid credentials and appropriate SDKs/permissions, indicating the operator leverages stolen API keys and account tokens post-compromise.
The primary technical attack flow uses CVE-2021-41773 (path traversal in Apache HTTP Server 2.4.49 via encoded dots such as ".%2e", escalating to RCE where mod_cgi is enabled) as an initial access vector to reach Laravel hosts, then exploits CVE-2017-9841 (PHPUnit eval-stdin) and CVE-2018-15133 (Laravel XSRF-TOKEN deserialization) to achieve remote code execution and persistence. Exploitation examples observed include crafted POST requests to /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php and malicious X-XSRF-TOKEN values that trigger unsafe unserialize processing in Illuminate\Encryption\Encrypter. Note that the CVE-2018-15133 chain only works when the attacker already holds the application's APP_KEY, which is exactly the kind of secret the .env harvesting step recovers; a leaked .env therefore turns the deserialization bug into a reliable RCE. Successful chains enable web shell deployment and extraction of .env files, databases, and cloud credentials.
Mitigation focuses on removing the initial attack surface and stopping post-compromise abuse: patch Apache/Laravel/PHPUnit for the referenced CVEs, disable or remove PHPUnit (and other dev-only dependencies) from production, deny web access to .env, protect and rotate API keys (AWS/SendGrid/Twilio) together with the Laravel APP_KEY whenever a .env exposure is suspected, restrict mod_cgi and server root access, and deploy IDS/NGFW signatures (e.g., HTTP:PHP:PHPUNIT-INJECTION, HTTP:PHP:CVE-2018-15133-RCE, HTTP:APACHE:APACHE-PATH-TRAV) plus behavioral analytics to detect web-shell activity and anomalous API usage.
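The following is an added example, not code from the Juniper report or from AndroxGh0st itself, showing how the request-level indicators described above (the PHPUnit eval-stdin URI, Apache encoded-dot traversal, .env retrieval, the "0x[]=androxgh0st" body marker, and an oversized X-XSRF-TOKEN header as a heuristic for CVE-2018-15133 payloads) can be turned into detection logic. The request records are constructed to resemble what a WAF or reverse proxy would log; the XSRF-token size threshold and the helper names (`classify_request`, `scan`, `make_token`) are assumptions of this example, not anything the page or the vendor specifies.

```python
"""Flag AndroxGh0st-style requests in constructed web request records.

Added example. SAMPLE_REQUESTS is constructed, not a real capture, and the
XSRF_TOKEN_MAX threshold is an assumed heuristic that needs local tuning.
"""
import base64
import json
import re
from urllib.parse import unquote

# Indicator from the page: request-body marker sent by the scanner.
ANDROX_MARKER = "0x[]=androxgh0st"
# The vendor directory can vary, so match the tail of the PHPUnit path.
EVAL_STDIN_RE = re.compile(r"/phpunit/src/Util/PHP/eval-stdin\.php$", re.I)
ENV_FILE_RE = re.compile(r"(^|/)\.env(\.\w+)?$")
# Assumed threshold: a legitimate Laravel XSRF cookie is a few hundred bytes.
XSRF_TOKEN_MAX = 512


def decode_laravel_token(token):
    """Return the {iv, value, mac} dict if token looks like a Laravel cookie, else None."""
    try:
        payload = json.loads(base64.b64decode(token, validate=True))
    except (ValueError, UnicodeDecodeError):
        return None
    if isinstance(payload, dict) and {"iv", "value", "mac"}.issubset(payload):
        return payload
    return None


def classify_request(req):
    """Return the list of indicator tags matched by one request record."""
    tags = []
    raw_path = req.get("path", "")
    decoded_path = unquote(raw_path)
    query = unquote(req.get("query", ""))
    body = unquote(req.get("body", ""))
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}

    # CVE-2017-9841: code is POSTed to eval-stdin.php, so require POST.
    if req.get("method") == "POST" and EVAL_STDIN_RE.search(decoded_path):
        tags.append("CVE-2017-9841 phpunit eval-stdin")
    # CVE-2021-41773: a dot encoded as %2e that decodes to a '..' segment.
    if "%2e" in raw_path.lower() and "/.." in decoded_path:
        tags.append("CVE-2021-41773 encoded-dot traversal")
    # .env harvesting: direct fetch of the Laravel environment file.
    if ENV_FILE_RE.search(decoded_path):
        tags.append(".env harvesting")
    # Scanner fingerprint: the marker may be URL-encoded in body or query.
    if ANDROX_MARKER in query or ANDROX_MARKER in body:
        tags.append("androxgh0st marker")
    # CVE-2018-15133 heuristic: a well-formed Laravel token far larger than a
    # normal session cookie suggests an encrypted serialized gadget chain.
    token = headers.get("x-xsrf-token")
    if token and decode_laravel_token(token) and len(token) > XSRF_TOKEN_MAX:
        tags.append("CVE-2018-15133 oversized XSRF token (heuristic)")
    return tags


def scan(requests):
    """Return [(index, tags)] for every request that matched an indicator."""
    hits = []
    for i, req in enumerate(requests):
        tags = classify_request(req)
        if tags:
            hits.append((i, tags))
    return hits


def make_token(value_len):
    """Build a constructed Laravel-style token; value_len sets the payload size."""
    payload = {
        "iv": base64.b64encode(b"\x00" * 16).decode(),
        "value": base64.b64encode(b"A" * value_len).decode(),
        "mac": "00" * 32,
    }
    return base64.b64encode(json.dumps(payload).encode()).decode()


# Constructed sample traffic: five hostile requests and one benign one.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
     "query": "", "body": "<?php system('id'); ?>", "headers": {}},
    {"method": "GET", "path": "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd",
     "query": "", "body": "", "headers": {}},
    {"method": "GET", "path": "/.env", "query": "", "body": "", "headers": {}},
    {"method": "POST", "path": "/", "query": "", "body": "0x%5B%5D=androxgh0st",
     "headers": {}},
    {"method": "POST", "path": "/login", "query": "", "body": "email=a%40b.c",
     "headers": {"X-XSRF-TOKEN": make_token(900)}},
    {"method": "GET", "path": "/index.php", "query": "page=2", "body": "",
     "headers": {"X-XSRF-TOKEN": make_token(120)}},
]

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {', '.join(tags)}")
```

Because Apache access logs do not record request bodies, the "0x[]=androxgh0st" marker and the PHPUnit payload are only visible in WAF, reverse-proxy or ModSecurity audit logs; the URI-based rules work on ordinary access logs. The X-XSRF-TOKEN check is a size heuristic only, since the gadget chain is encrypted under the stolen APP_KEY and cannot be inspected directly.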
Read more: https://blogs.juniper.net/en-us/security/shielding-networks-against-androxgh0st