Executive Summary
Androxgh0st is a Python-based SMTP cracker that has been active in the wild since at least 2022. The FBI and CISA released a joint advisory warning of the dangers of Androxgh0st.
Key Takeaways
- Androxgh0st is a Python-based SMTP cracker that has been active in the wild since at least 2022.
- The FBI and CISA released a joint advisory warning of the dangers of Androxgh0st.
- Androxgh0st has been forming a botnet that is used to identify potential victims and exploit target networks.
What is Androxgh0st?
The FBI and CISA released a joint advisory warning of the dangers of Androxgh0st. Androxgh0st is a Python-based malware family that has been active in the wild since at least 2022. It is classified as an SMTP cracker. At its peak, Androxgh0st infected nearly 50,000 devices. Lacework originally reported on Androxgh0st in 2022.
According to the joint advisory, Androxgh0st has been forming a botnet that is used to identify potential victims and to exploit target networks. Androxgh0st is capable of abusing SMTP, can exploit exposed credentials and APIs, and can deploy web shells. Androxgh0st is known to leverage multiple RCE vulnerabilities, including CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework).
Androxgh0st scans for websites using the Laravel web application framework. When Androxgh0st identifies a vulnerable system, it extracts credentials from .env files to obtain access keys for AWS, Microsoft Office 365, SendGrid, and Twilio. Androxgh0st also has the ability to self-replicate by using compromised AWS credentials to create new users and instances. According to the advisory, unusual web requests to specific server locations may be indicative of an Androxgh0st infection.
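The advisory's note that unusual web requests to specific server locations can indicate Androxgh0st activity suggests a simple detection: scan web server access logs for probes of Laravel .env files and of the PHPUnit component tied to CVE-2017-9841. The following script is an added example written for this report, not code from PolySwarm, the advisory, or the malware; it assumes the Apache/nginx "combined" log format, and the request paths it flags and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Request patterns worth alerting on, based on the behaviour the advisory describes:
# probes for Laravel .env files at any directory depth, and probes for the PHPUnit
# component affected by CVE-2017-9841. Exact path shapes are assumptions for illustration.
SUSPICIOUS = {
    "env_file_probe": re.compile(r"(^|/)\.env(\.[A-Za-z0-9_-]+)?(\?|$)", re.IGNORECASE),
    "phpunit_probe": re.compile(r"/phpunit/", re.IGNORECASE),
}

def classify(line):
    """Return (ip, method, path, status, [tags]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    tags = [name for name, rx in SUSPICIOUS.items() if rx.search(path)]
    return m.group("ip"), m.group("method"), path, int(m.group("status")), tags

def scan(lines):
    """Aggregate suspicious requests per source IP; 'served' lists probed paths that
    returned 200, meaning the server may actually have exposed the file."""
    report = defaultdict(lambda: {"hits": 0, "tags": set(), "served": set()})
    for line in lines:
        parsed = classify(line)
        if not parsed:
            continue
        ip, method, path, status, tags = parsed
        if not tags:
            continue
        entry = report[ip]
        entry["hits"] += 1
        entry["tags"].update(tags)
        if status == 200:
            entry["served"].add(path)
    return dict(report)

# Constructed sample log lines (not real traffic): one source probing .env at two depths
# and the PHPUnit directory, plus one benign request from another source.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /laravel/.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "POST /vendor/phpunit/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()
```

Any IP in the output with a non-empty "served" set deserves immediate follow-up, since a 200 response to a .env probe means the credentials the report describes (AWS, Office 365, SendGrid, Twilio) may already have been read.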
IOCs
PolySwarm has multiple samples of Androxgh0st.
You can use the following CLI command to search for all Androxgh0st samples in our portal:
$ polyswarm link list -f Androxgh0st