The PolySwarm Blog


Androxgh0st

Jan 29, 2024 1:52:50 PM / by The Hivemind


Executive Summary

Androxgh0st is a Python-based SMTP cracker that has been active in the wild since at least 2022. The FBI and CISA released a joint advisory warning of the dangers of Androxgh0st.

Key Takeaways

  • Androxgh0st is a Python-based SMTP cracker that has been active in the wild since at least 2022.
  • The FBI and CISA released a joint advisory warning of the dangers of Androxgh0st.
  • Androxgh0st has been forming a botnet that it uses to identify potential victims and exploit target networks.

What is Androxgh0st?

The FBI and CISA released a joint advisory warning of the dangers of Androxgh0st. Androxgh0st is a Python-based malware family that has been active in the wild since at least 2022. It is classified as an SMTP cracker: it harvests mail-service credentials from compromised hosts and abuses them to send mail. At its peak, Androxgh0st infected nearly 50,000 devices. Lacework first reported on Androxgh0st in 2022.

According to the joint advisory, Androxgh0st has been forming a botnet that it uses to identify potential victims and to exploit target networks. Androxgh0st is capable of abusing SMTP, can exploit exposed credentials and APIs, and can deploy web shells. It is known to leverage multiple RCE vulnerabilities, including CVE-2017-9841 (the PHPUnit unit testing framework's eval-stdin.php endpoint), CVE-2021-41773 (Apache HTTP Server 2.4.49 path traversal leading to RCE), and CVE-2018-15133 (deserialization RCE in the Laravel PHP web framework when the application key is known).

Androxgh0st scans for websites built on the Laravel web application framework. When it identifies a vulnerable system, it reads the application's .env file, where Laravel keeps configuration secrets, to obtain access keys for AWS, Microsoft Office 365, SendGrid, and Twilio. Androxgh0st can also self-replicate: with compromised AWS credentials it creates new users and instances, expanding the botnet's scanning and exploitation capacity. According to the advisory, unusual web requests to specific server locations, in particular requests for .env files and for the PHPUnit eval-stdin.php path behind CVE-2017-9841, may be indicative of an Androxgh0st infection or of active scanning for one.
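The detection hint above is easy to operationalize against ordinary web-server logs. The script below is an added example written for this bulletin, not PolySwarm's or the advisory's code: it parses Apache/nginx combined-format access-log lines and flags the two request patterns implied by the behaviour described here (reads of Laravel .env files, and hits on the PHPUnit eval-stdin.php endpoint tied to CVE-2017-9841), percent-decoding paths so that obfuscated variants such as /%2e%65nv still match. The log lines, severities and the exact path list are constructed assumptions; extend the list with whatever your environment's advisory-driven watchlist contains.

```python
"""Triage web-server access logs for Androxgh0st-style probing.

Added example, not PolySwarm's or the joint advisory's code. Flags requests
for .env files and for the PHPUnit eval-stdin.php endpoint (CVE-2017-9841).
Path list, severities and the sample log are assumptions for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jan/2024:13:52:50 +0000] "GET /.env HTTP/1.1" 200 912 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Jan/2024:13:52:51 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.7 - - [29/Jan/2024:13:53:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Jan/2024:13:53:10 +0000] "GET /%2e%65nv HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.9 - - [29/Jan/2024:13:54:00 +0000] "GET /api/status HTTP/1.1" 200 48 "-" "Mozilla/5.0"
"""

# Parser for the combined log format: client IP, timestamp, request line, status, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths the scanner is expected to touch (assumed watchlist; extend as needed).
ENV_FILE = "/.env"
PHPUNIT_EVAL = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"


def normalise_path(target):
    """Drop the query string and percent-decode (twice, to beat double encoding),
    then lowercase, so /%2e%65nv?x=1 and /.ENV both compare equal to /.env."""
    path = urlsplit(target).path
    return unquote(unquote(path)).lower()


def classify(entry):
    """Return (severity, reason) for a parsed entry, or None if it looks benign."""
    path = normalise_path(entry["target"])
    if path.endswith(ENV_FILE):
        if entry["status"] == "200":
            # A 200 means the web server actually served the secrets file.
            return ("high", ".env served with 200: secrets likely exposed")
        return ("medium", ".env probe")
    if path.endswith(PHPUNIT_EVAL.lower()):
        if entry["method"] == "POST":
            # CVE-2017-9841 is exploited by POSTing PHP code to eval-stdin.php.
            return ("high", "POST to PHPUnit eval-stdin.php (CVE-2017-9841 attempt)")
        return ("medium", "PHPUnit eval-stdin.php probe")
    return None


def triage(log_text):
    """Parse every line of an access log and return the suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        entry = m.groupdict()
        hit = classify(entry)
        if hit:
            severity, reason = hit
            findings.append({**entry, "severity": severity, "reason": reason})
    return findings


def sources_by_hits(findings):
    """Count suspicious requests per client IP to surface scanning hosts."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['target']} "
              f"-> {f['status']}: {f['reason']}")
    print("hits per source:", dict(sources_by_hits(found)))
```

Pipe a real access log through `triage()` and treat any "high" hit on a Laravel host as a credential-rotation event: if /.env was served with a 200, assume every key in it (AWS, Office 365, SendGrid, Twilio) is compromised, and check your AWS account for users and instances you did not create.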

IOCs

PolySwarm has multiple samples of Androxgh0st.

59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4
ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72
0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef
de1114a09cbab5ae9c1011ddd11719f15087cc29c8303da2e71d861b0594a1ba
dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6
23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066
6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc
bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7
 

You can use the following CLI command to search for all Androxgh0st samples in our portal:

$ polyswarm link list -f Androxgh0st


Topics: Threat Bulletin, Botnet, Androxgh0st, SMTP cracker
