Legion, a cloud-focused credential harvester and SMTP hijacker, has a new update that adds SSH credential abuse and broadens its cloud-service targeting, including extraction of credentials from the .env files of misconfigured Laravel apps. The update widens .env discovery with additional hardcoded enumeration paths and adds “King Forza” branding to the test emails the tool sends, giving its operators more data to exfiltrate.
#Legion #KingForza #CadoSecurity #CloudWatch #Laravel
Keypoints
- Legion’s update adds SSH login attempts against hosts using harvested credentials, implemented with Paramiko’s SSHClient, on the assumption that the same passwords are reused across services.
- Legion parses the database credentials it exfiltrates to obtain username/password pairs for these automated login attempts.
- It hunts for .env files on misconfigured web servers running PHP frameworks such as Laravel, requesting each entry of a hardcoded path list in turn.
- The malware specifically looks for CloudWatch and AWS credentials in .env files, matching variable names including CLOUDWATCH_LOG_KEY and AWSOWL_ACCESS_KEY_ID/SECRET.
- Subject lines and email content have been updated to include “King Forza,” signaling a branding/operational shift in SMTP-based data exfiltration.
- Additional .env enumeration paths were added (e.g., /lib/.env, /lab/.env, /cronlab/.env, etc.) to widen credential discovery.
MITRE Techniques
- [T1078] Valid Accounts – The malware attempts SSH login to hosts using stolen credentials. Quote: “…log in to the host via SSH – assuming that these credentials were being reused across services.”
- [T1552.001] Credentials in Files – Legion searches for environment variable files in misconfigured Laravel apps and accesses .env files to harvest keys. Quote: “…hunts for environment variable files in misconfigured web servers running PHP frameworks such as Laravel. Legion attempts to access these .env files by enumerating the target server with a list of hardcoded paths…”
- [T1083] File and Directory Discovery – The update adds additional paths to enumerate for the existence of .env files. Quote: “…adding additional paths to enumerate for the existence of .env files.”
- [T1041] Exfiltration Over C2 Channel – The tool sends harvested data out by email over SMTP, including branded test messages. Quote: “King Forza smtps! – SMTP Data for you!” Note that email to an operator-controlled mailbox, rather than a dedicated C2 channel, is arguably a closer fit for T1048 (Exfiltration Over Alternative Protocol); the mapping above is the one given by this summary.
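The .env probing (T1552.001 / T1083) and the follow-on SSH password logins (T1078) described above leave a trail in two ordinary log sources: the web server access log and the sshd auth log. The following detection logic is an added example written for this summary, not code from Cado Security or from Legion. It parses combined-format access log lines for requests to the enumeration paths the page lists, tags requests whose User-Agent matches one of the two strings in the indicators, and then correlates the probing IPs with successful sshd password logins. The bare `/.env` entry is an assumption added for illustration (the page’s path list ends in “etc.”), and the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# .env paths the summary lists as added to Legion's enumeration list; the bare
# "/.env" entry is an assumption for illustration, not taken from the page.
ENV_PROBE_PATHS = {"/.env", "/lib/.env", "/lab/.env", "/cronlab/.env"}

# User-Agent strings listed as indicators on the page. Both are generic Chrome
# UAs, so they are only a supporting signal next to the path match.
LEGION_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/86.0.4240.183 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36",
}

# Apache/nginx combined log format:
# ip - - [time] "METHOD path PROTO" status bytes "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# OpenSSH wording for a successful password authentication.
SSHD_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def find_env_probes(access_log_lines):
    """Return [(ip, path, status, ua_is_legion)] for every request to a .env path."""
    hits = []
    for line in access_log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path in ENV_PROBE_PATHS:
            hits.append((m.group("ip"), path, int(m.group("status")),
                         m.group("ua") in LEGION_USER_AGENTS))
    return hits


def find_password_logins(auth_log_lines):
    """Return {ip: [users]} for successful sshd password logins (key logins are skipped)."""
    logins = defaultdict(list)
    for line in auth_log_lines:
        m = SSHD_RE.search(line)
        if m:
            logins[m.group("ip")].append(m.group("user"))
    return dict(logins)


def correlate(access_log_lines, auth_log_lines):
    """Per probing IP: whether a .env file was actually served (HTTP 200), whether a
    listed Legion UA was seen, and which accounts that IP logged into by SSH password."""
    logins = find_password_logins(auth_log_lines)
    report = {}
    for ip, _path, status, legion_ua in find_env_probes(access_log_lines):
        entry = report.setdefault(ip, {"served_env": False, "legion_ua": False, "ssh_users": []})
        entry["served_env"] |= status == 200
        entry["legion_ua"] |= legion_ua
    for ip, entry in report.items():
        entry["ssh_users"] = logins.get(ip, [])
    return report


# Constructed sample log lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/May/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36"',
    '203.0.113.7 - - [10/May/2023:12:00:02 +0000] "GET /lib/.env HTTP/1.1" 404 162 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36"',
    '198.51.100.9 - - [10/May/2023:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.9 - - [10/May/2023:12:01:05 +0000] "GET /cronlab/.env HTTP/1.1" 404 162 "-" "curl/8.0"',
]
SAMPLE_AUTH_LOG = [
    "May 10 12:05:33 web1 sshd[4242]: Accepted password for deploy from 203.0.113.7 port 51234 ssh2",
    "May 10 12:06:01 web1 sshd[4250]: Accepted publickey for ops from 192.0.2.5 port 40000 ssh2",
]

if __name__ == "__main__":
    for ip, entry in correlate(SAMPLE_ACCESS_LOG, SAMPLE_AUTH_LOG).items():
        severity = "HIGH" if entry["served_env"] and entry["ssh_users"] else "LOW"
        print(f"{severity} {ip}: {entry}")
```

An IP that received a 200 for a .env path and then authenticated to sshd by password is the case the page describes (credentials read from the file and reused over SSH) and is worth treating as a compromise rather than a scan; a 404-only prober with a generic UA is routine background noise.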
Indicators of Compromise
- [Filename] context – og.py
- [SHA256] context – 6f059c2abf8517af136503ed921015c0cd8859398ece7d0174ea5bf1e06c9ada
- [User Agent] context – Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36, Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36 (both are generic Chrome strings; treat them as a supporting signal alongside the .env probe paths, not as an indicator on their own)
- [Env Variable] context – CLOUDWATCH_LOG_KEY, AWSOWL_ACCESS_KEY_ID
- [IAM User] context – IAM user created with tag Owner=ms.boharas
- [Email Subject] context – King Forza SMTP | {mailhost}
Read more: https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/