Keypoints
- Androxgh0st is Python-based malware that establishes a botnet to discover and exploit vulnerable web hosts for credential theft and further compromise.
- Threat actors exploit exposed PHPUnit eval-stdin.php (CVE-2017-9841) to remotely execute PHP and drop web shells or download additional payloads.
- The malware scans for Laravel sites with exposed .env files or application keys to extract credentials and leverage deserialization via XSRF-TOKEN (CVE-2018-15133) for remote code execution.
- Actors scan Apache HTTP Server instances (the advisory names versions 2.4.49 and 2.4.50) for the path traversal flaw CVE-2021-41773, reading files outside the web root when those files are not protected by a "Require all denied" directive; if CGI scripts are also enabled, the traversal can be escalated to remote code execution. (Strictly, CVE-2021-41773 is the 2.4.49 flaw; the incomplete fix shipped in 2.4.50 is tracked separately as CVE-2021-42013.)
- Compromised credentials (e.g., AWS) are used to create accounts and spin up cloud instances for additional scanning and infrastructure acquisition.
- Observed network activity includes GET/POST to many targeted URIs (e.g., /vendor/phpunit/…/eval-stdin.php and /.env) and POST payloads with identifiers like 0x[]=androxgh0st (or variant monikers).
- Malicious payloads are fetched from remote URLs (HTTP(S)) and include ELF/xmrig, PHP backdoors, and other binaries identified by specific hashes.
MITRE Techniques
- [T1583.005] Acquire Infrastructure: Botnet – Androxgh0st is described as “establishing a botnet … for victim identification and exploitation”.
- [T1059.006] Command and Scripting Interpreter: Python – The malware is “a Python-scripted malware”; its scanning and file-targeting routines run as Python.
- [T1190] Exploit Public-Facing Application – Actors exploit “CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on websites via PHPUnit”.
- [T1105] Ingress Tool Transfer – PHP run through the exposed endpoint is used to “download malicious files to the system hosting the website”.
- [T1505.003] Server Software Component: Web Shell – Actors use eval-stdin.php to “set up a fake (illegitimate) page … to provide backdoor access to the website”.
- [T1552.001] Unsecured Credentials: Credentials In Files – Actors target exposed “.env files that contain confidential information, such as credentials” (a Laravel .env typically holds APP_KEY plus database, mail and cloud credentials).
- [T1027.010] Obfuscated Files or Information: Command Obfuscation – Actors “encrypt PHP code” with the Laravel application key (APP_KEY, recoverable from an exposed .env) and pass it “as a value in the XSRF-TOKEN cookie”; a vulnerable application decrypts and deserializes the value, giving remote code execution (CVE-2018-15133).
- [T1595.002] Active Scanning: Vulnerability Scanning – The botnet relies on the “use of scripts, conducting scanning and searching for websites with specific vulnerabilities”.
- [T1083] File and Directory Discovery – On vulnerable Apache servers (CVE-2021-41773) actors “identify URLs for files outside root directory through a path traversal attack”.
- [T1078] Valid Accounts – Harvested credentials are used directly, e.g. for SMTP and cloud accounts (“exploiting exposed credentials and application programming interfaces (APIs)”).
- [T1136] Create Account – With stolen AWS credentials, actors “attempt to create new users and user policies” in the victim’s cloud environment.
- [T1583.006] Acquire Infrastructure: Web Services – Actors then “create new AWS instances to use for conducting additional scanning activity”.
- [T1114] Email Collection – The malware “supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP) … and application programming interfaces (APIs)” to gather mail and account data.
Indicators of Compromise
- [URI] Targeted endpoints used for exploitation or credential theft – /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php, /.env, and dozens of related endpoints (e.g., /info, /phpinfo.php, /.git/config) and many other /.env variants.
- [HTTP POST strings] Identifier payloads observed in POST bodies – 0x%5B%5D=androxgh0st, ImmutableMultiDict([(‘0x[]’,’androxgh0st’)]) (moniker value often varies, e.g., Ridho, Aws, SMTPEX, evileyes0, etc.).
- [Domains/URLs] Example remote payload hosting or C2 locations – hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt, hxxps://chainventures.co[.]uk/.well-known/aas, hxxp://download.asyncfox[.]xyz/download/xmrig.x86_64 (and multiple other hosting URLs).
- [File hashes] Example payload hashes observed – 59e90be75e51…151f4, 23fc51fde90d…e066, and several other hashes (multiple additional hashes listed in advisory).
- [IP addresses] Example network indicators in requests – x-forwarded-for: 200.172.238.135 (seen in a request header; X-Forwarded-For is supplied by the client and is only as trustworthy as the proxy that set it, so pivot on the TCP peer address as well) and observed hosting IP 45.95.147[.]236 (used for payload hosting), among others.
Androxgh0st’s technical attack chain centers on automated scanning, exploitation of web-facing components, credential harvesting, and payload distribution. The actors run Python-based scanning bots to locate PHPUnit eval-stdin.php endpoints and exposed Laravel .env files; successful POST/GET requests to /vendor/phpunit/…/eval-stdin.php or /.env allow remote PHP execution or direct retrieval of environment variables (including API keys and cloud credentials). They also use POST parameters named 0x[] (value often set to “androxgh0st” or other monikers) as identifiers in credential exfiltration requests.
Exploitation techniques observed include abusing CVE-2017-9841 to execute PHP via eval-stdin.php; using a harvested Laravel application key to encrypt attacker-controlled PHP and pass it via the XSRF-TOKEN cookie so that the application deserializes it (CVE-2018-15133); and leveraging Apache path traversal (CVE-2021-41773) to read files outside the web root, which becomes remote code execution when CGI scripts are enabled. Post-exploitation actions include dropping web shells (e.g., writing evil.php via file_put_contents and fetching payloads with wget/curl), downloading binaries and scripts from remote URLs, and using harvested AWS credentials to create IAM users and policies and spin up instances for further scanning and infrastructure acquisition.
Observed IOCs tied to these procedures include targeted URIs (eval-stdin.php, /.env and many environment/credential endpoints), POST payload signatures (0x%5B%5D=androxgh0st and variants), numerous remote hosting URLs and associated file hashes for dropped payloads, and example IP addresses in request headers. Detection should focus on GET/POST requests to these URIs (a request for /.env or eval-stdin.php has no legitimate purpose on a production site), request bodies or query strings carrying a 0x[] parameter, unexpected file creation in web roots and outbound wget/curl from the web server process, outbound requests to known payload-hosting domains, and unauthorized cloud API activity such as IAM user or policy creation and instance launches from unfamiliar source addresses. Because an exposed .env leaks the APP_KEY and any cloud, database and mail credentials it holds, a confirmed hit on /.env should be treated as a credential compromise: rotate those secrets rather than only blocking the source.
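The detection guidance above, turned into a small matcher over request logs, as an added example (this is not code from the CISA advisory or from the malware). It assumes a JSON-lines log from a reverse proxy or WAF that records the request body alongside the path, query and headers; the field names (client_ip, method, path, query, body, headers) and the sample records are constructed for this example, so adapt the parsing to your own log format. It matches the URI indicators listed above, decodes the percent-encoded 0x%5B%5D form of the 0x[] marker parameter, and keys its summary on the TCP peer address rather than on X-Forwarded-For.

```python
"""Flag Androxgh0st-style requests in a JSON-lines proxy/WAF log (added example)."""
import json
import re
from urllib.parse import parse_qsl

# Path indicators from the advisory. The PHPUnit pattern accepts any vendor
# path ending in eval-stdin.php because actors probe several vendor/ locations.
URI_RULES = [
    ("phpunit_eval_stdin", re.compile(r"/vendor/phpunit/.*/eval-stdin\.php$", re.I)),
    ("dotenv_exposure", re.compile(r"(^|/)\.env([./]|$)", re.I)),   # /.env, /api/.env, /.env.bak
    ("git_config_exposure", re.compile(r"/\.git/config$", re.I)),
    ("phpinfo_probe", re.compile(r"^/(info|phpinfo\.php)$", re.I)),
]
MARKER_PARAM = "0x[]"   # sent on the wire as 0x%5B%5D=<moniker>

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
{"client_ip": "198.51.100.7", "method": "GET", "path": "/.env", "query": "", "body": "", "headers": {"X-Forwarded-For": "203.0.113.9"}}
{"client_ip": "198.51.100.7", "method": "POST", "path": "/", "query": "", "body": "0x%5B%5D=androxgh0st", "headers": {}}
{"client_ip": "198.51.100.7", "method": "POST", "path": "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "query": "", "body": "", "headers": {}}
{"client_ip": "192.0.2.44", "method": "GET", "path": "/index.php", "query": "page=home", "body": "", "headers": {}}
{"client_ip": "198.51.100.8", "method": "POST", "path": "/api/.env", "query": "", "body": "0x%5B%5D=Ridho", "headers": {}}
"""


def extract_marker(raw):
    """Return the value of a 0x[]=<moniker> parameter in a query string or
    form body (parse_qsl percent-decodes the key, so 0x%5B%5D matches), else None."""
    if not raw:
        return None
    for key, value in parse_qsl(raw, keep_blank_values=True):
        if key == MARKER_PARAM:
            return value
    return None


def classify_request(rec):
    """Return (tags, moniker) for one request record; empty tags means no hit."""
    tags = [name for name, rx in URI_RULES if rx.search(rec.get("path", ""))]
    moniker = extract_marker(rec.get("body", "")) or extract_marker(rec.get("query", ""))
    if moniker is not None:
        tags.append("androxgh0st_marker")
    return tags, moniker


def scan_log(text):
    """Parse JSON-lines records and return one finding per matching request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = json.loads(line)
        tags, moniker = classify_request(rec)
        if not tags:
            continue
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        findings.append({
            "line": lineno,
            "client_ip": rec["client_ip"],                    # TCP peer: the reliable pivot
            "x_forwarded_for": headers.get("x-forwarded-for"),  # client-supplied, untrusted
            "method": rec["method"],
            "path": rec["path"],
            "tags": tags,
            "moniker": moniker,
        })
    return findings


def summarize_by_client(findings):
    """Group findings per peer address so a /.env probe followed by a marker POST
    from the same host stands out as one campaign rather than two alerts."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["client_ip"], {"hits": 0, "tags": set(), "monikers": set()})
        entry["hits"] += 1
        entry["tags"].update(f["tags"])
        if f["moniker"]:
            entry["monikers"].add(f["moniker"])
    return summary


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f['line']}: {f['client_ip']} {f['method']} {f['path']} "
              f"tags={f['tags']} moniker={f['moniker']} xff={f['x_forwarded_for']}")
    for ip, info in summarize_by_client(hits).items():
        print(f"{ip}: {info['hits']} hits, tags={sorted(info['tags'])}, monikers={sorted(info['monikers'])}")
```

Two design points: the marker is parsed as a form parameter rather than matched as a literal string, so the same rule catches the decoded 0x[]=... form and any moniker (androxgh0st, Ridho, Aws, ...) without a signature per variant; and X-Forwarded-For is recorded for context but never used as the grouping key, since anyone can set it.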
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a