
FBI warns against Androxgh0st botnet

January 18th – The U.S. Federal Bureau of Investigation (FBI), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), has issued an urgent advisory regarding the Androxgh0st botnet.

This botnet is actively targeting platforms like AWS, SendGrid and Microsoft Office 365 in order to illicitly acquire cloud credentials.

Androxgh0st botnet

The Androxgh0st botnet first emerged in 2022. It’s a Python-scripted malware used to infiltrate and exploit vulnerabilities in web frameworks and servers, primarily targeting .env files that store sensitive cloud credentials.

When in action, Androxgh0st scans for websites and servers that rely on older versions of PHPUnit, PHP web frameworks and Apache web servers known to have remote code execution (RCE) vulnerabilities.

Roughly 68% of Androxgh0st malware’s SMTP abuses originate from Windows systems, with 87% of attacks executed via Python, according to cybersecurity researchers.

Androxgh0st malware

An indicator of the malware is unusual web requests to specific server locations. After the malware identifies a vulnerable system, Androxgh0st extracts credentials from .env files. These commonly contain access keys for high-profile applications, such as AWS, O365, SendGrid, and Twilio.
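The indicator described above, unusual web requests for .env files, can be checked against ordinary web-server access logs. The following is an added example, not code from the advisory or from the FBI/CISA material: it parses Apache/nginx combined-format log lines (constructed here, not real traffic) and reports which source addresses probed for .env files and whether any such request was actually served; the `.env.bak`-style suffix variants it also flags are an assumption, since the advisory names only .env files.

```python
import re

# Apache/nginx "combined" access-log line: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A path ending in .env (or a suffixed copy such as .env.bak) is a request for an environment
# file the web server should never serve. The suffix variants are an assumption added here.
ENV_PATH_RE = re.compile(r'/\.env(\.[\w-]+)?/?$')

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_env_probes(lines):
    """Return the parsed entries whose request path (query string ignored) targets a .env file."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and ENV_PATH_RE.search(entry["path"].split("?", 1)[0]):
            hits.append(entry)
    return hits

def summarize(hits):
    """Per source IP: how many .env probes were seen and how many the server answered 2xx."""
    by_ip = {}
    for h in hits:
        s = by_ip.setdefault(h["ip"], {"requests": 0, "served": 0})
        s["requests"] += 1
        if h["status"].startswith("2"):
            s["served"] += 1  # a 2xx means the file contents likely left the server
    return by_ip

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Jan/2024:10:00:58 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [18/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.10 - - [18/Jan/2024:10:01:03 +0000] "GET /app/.env HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '198.51.100.7 - - [18/Jan/2024:10:01:09 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [18/Jan/2024:10:02:41 +0000] "GET /.env.bak?x=1 HTTP/1.1" 403 199 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for ip, stats in summarize(find_env_probes(SAMPLE_LOG)).items():
        flag = "CREDENTIALS LIKELY EXPOSED" if stats["served"] else "blocked/not found"
        print(f"{ip}: {stats['requests']} .env probe(s), {stats['served']} served -> {flag}")
```

A 2xx on any of these paths is the case that matters: it means the server handed the file out, and the keys in it should be treated as compromised and rotated.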

Can this malware self-replicate? Yes. This malware self-replicates by using the compromised AWS credentials to create new users and instances. In turn, the malware can maximize its reach and scan for additional vulnerable targets across the internet.

Androxgh0st actions

The FBI and CISA have implored service providers to update their versions of Apache, to review cloud credentials ‘housed’ in .env files, and to configure servers to reject requests for resources by default unless access has been explicitly permitted.

The rapid spread of this malware is attributed to a combination of inadequate patch management and a high number of servers running outdated software.

In early January, nearly 50,000 devices were affected. Subsequently, the number decreased to 9,300, which, while an improvement, is still considered a substantial figure.

