“Beware: AndroxGh0st Botnet Strikes! Feds Issue Alert as Cyber Threat Targets AWS, Azure, and Office 365 Credentials.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about the AndroxGh0st malware, which is being employed by threat actors to build a dangerous botnet for victim identification and exploitation in target networks. This Python-based malware, initially documented by Lacework in December 2022, has inspired similar tools like AlienFox, GreenBot, Legion, and Predator.

AndroxGh0st targets servers with known security flaws, gaining access to Laravel environment (.env) files and pilfering credentials for high-profile services including AWS, Microsoft Office 365, SendGrid, and Twilio. Exploiting known vulnerabilities in PHPUnit, Apache HTTP Server, and the Laravel framework, the malware includes features for SMTP abuse, scanning, abuse of stolen credentials and APIs, and deployment of web shells. For AWS, it not only scans for and parses keys but can also generate candidate keys for brute-force attacks.

Compromised AWS credentials are used to create new users and user policies and to launch additional AWS instances for malicious scanning. This makes AndroxGh0st a potent threat, enabling the download of additional payloads and ensuring persistent access to compromised systems.
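As an added defender-side example (not from the advisory or this article), the post-compromise behaviour described above leaves a recognisable trail in CloudTrail. The script below groups simplified CloudTrail records (an assumed shape with eventTime, accessKeyId and eventName; the sample events are constructed) by access key and reports any key that performs several distinct user-creation, policy-attachment and instance-launch actions within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Post-compromise actions attributed to AndroxGh0st: new users, new user
# policies and extra instances. Event names are real CloudTrail eventNames.
SUSPECT_ACTIONS = {"CreateUser", "CreateAccessKey", "PutUserPolicy",
                   "AttachUserPolicy", "RunInstances"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_abused_keys(events, window_minutes=30, min_distinct=3):
    """Return {accessKeyId: sorted suspect eventNames} for every access key
    that performed at least `min_distinct` distinct suspect actions inside a
    `window_minutes` window. `events` are simplified CloudTrail records."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["eventName"] in SUSPECT_ACTIONS:
            by_key[ev["accessKeyId"]].append(
                (parse_time(ev["eventTime"]), ev["eventName"]))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for key, acts in by_key.items():
        acts.sort()  # chronological, so each window scan is a forward slice
        for i, (start, _) in enumerate(acts):
            names = {n for t, n in acts[i:] if t - start <= window}
            if len(names) >= min_distinct:
                hits[key] = sorted(names)
                break
    return hits


# Constructed sample events (not real CloudTrail data). The "STOLEN" key shows
# the burst a compromised credential produces; the "ADMIN" key shows normal,
# spread-out administration that should not be flagged.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-05T10:00:00Z", "accessKeyId": "AKIA_EXAMPLE_STOLEN", "eventName": "GetCallerIdentity"},
    {"eventTime": "2024-01-05T10:01:10Z", "accessKeyId": "AKIA_EXAMPLE_STOLEN", "eventName": "CreateUser"},
    {"eventTime": "2024-01-05T10:01:40Z", "accessKeyId": "AKIA_EXAMPLE_STOLEN", "eventName": "PutUserPolicy"},
    {"eventTime": "2024-01-05T10:02:05Z", "accessKeyId": "AKIA_EXAMPLE_STOLEN", "eventName": "CreateAccessKey"},
    {"eventTime": "2024-01-05T10:09:30Z", "accessKeyId": "AKIA_EXAMPLE_STOLEN", "eventName": "RunInstances"},
    {"eventTime": "2024-01-05T09:00:00Z", "accessKeyId": "AKIA_EXAMPLE_ADMIN", "eventName": "CreateUser"},
    {"eventTime": "2024-01-05T15:00:00Z", "accessKeyId": "AKIA_EXAMPLE_ADMIN", "eventName": "RunInstances"},
]

if __name__ == "__main__":
    for key, names in find_abused_keys(SAMPLE_EVENTS).items():
        print(f"{key}: {', '.join(names)}")
```

Real CloudTrail records nest the key under userIdentity.accessKeyId and carry many more fields, so a production version would flatten those first; the window and threshold are tuning knobs, not advisory values.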

CISA’s advisory highlights the rarity of cloud-focused malware advisories. The emergence of FBot, a related tool revealed by SentinelOne, further emphasizes the evolving landscape of cloud threats. As threat actors find new ways to exploit cloud services, tailored tools like AndroxGh0st and FBot are expected to continue emerging.

NETSCOUT’s alert reveals a significant spike in botnet scanning activity since mid-November 2023, reaching nearly 1.3 million distinct devices on January 5, 2024. The majority of source IP addresses are associated with the U.S., China, Vietnam, Taiwan, and Russia. The analysis indicates a rise in the use of cheap or free cloud and hosting servers for creating botnet launch pads, utilizing trials, free accounts, or low-cost accounts to maintain anonymity and minimal overhead.