Who You Gonna Call? AndroxGh0st Busters!

July 17, 2024, 7:58 a.m.

Description

This report discusses AndroxGh0st, a Python-scripted malware that targets Laravel web applications to steal sensitive data such as credentials and to abuse the applications and services it gains access to. It exploits known vulnerabilities including CVE-2017-9841 (PHPUnit eval-stdin.php remote code execution), CVE-2018-15133 (Laravel deserialization RCE, exploitable once the APP_KEY is known) and CVE-2021-41773 (Apache HTTP Server 2.4.49 path traversal). The malware scans for exposed .env files, which in Laravel deployments hold the APP_KEY along with database, mail and cloud credentials, and uses remote code execution to gain access. Mitigations include keeping systems updated, secure configurations, credential management (rotating any credential that may have been exposed), network security, and scanning for malicious files.

Date

  • Created: July 17, 2024, 7:34 a.m.
  • Published: July 17, 2024, 7:34 a.m.
  • Modified: July 17, 2024, 7:58 a.m.

Indicators

  • f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88
  • 3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a
  • ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72
  • bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7
  • 6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc
  • 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066
  • 0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef
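As an added triage example (not code from the report, and not the malware itself), the script below checks the two things a responder would want after reading the description and the indicator list above: whether a web server access log shows probing for exposed .env files or for the CVEs named, and whether any file on disk matches the listed SHA-256 indicators. The combined log format, the constructed sample log lines, the web root and the exploit request paths used as probe signatures are assumptions, not taken from the report.

```python
"""Triage helpers for AndroxGh0st-style activity (added example, not from the report).

Assumptions not stated in the report: access logs use the Apache/nginx
"combined" format, and probing is recognised by the publicly documented
exploit paths for CVE-2017-9841 and CVE-2021-41773 plus requests for .env.
"""
import hashlib
import os
import re
from urllib.parse import unquote

# SHA-256 indicators exactly as listed in the report.
IOC_SHA256 = frozenset({
    "f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88",
    "3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a",
    "ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72",
    "bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7",
    "6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc",
    "23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066",
    "0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef",
})

# (regex applied to the percent-decoded request path, label). Assumed signatures.
PROBE_PATTERNS = (
    (re.compile(r"(^|/)\.env(\.[A-Za-z0-9_.-]*)?$"), "exposed .env probe"),
    (re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$"),
     "CVE-2017-9841 PHPUnit eval-stdin"),
    (re.compile(r"/cgi-bin/(\.\./)+"), "CVE-2021-41773 path traversal"),
)

# Apache/nginx "combined" log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify_path(target):
    """Return a probe label for a raw request target, or None if benign.

    The query string is dropped and the path percent-decoded once, so the
    ".%2e/" encoding used against CVE-2021-41773 normalises to "../".
    """
    path = unquote(target.split("?", 1)[0])
    for pattern, label in PROBE_PATTERNS:
        if pattern.search(path):
            return label
    return None

def scan_log(lines):
    """Return one finding dict per suspicious request in an access log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        label = classify_path(m["target"])
        if label is None:
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"], "timestamp": m["ts"], "target": m["target"],
            "label": label, "status": status,
            # A 2xx on a .env probe means the secrets were actually served:
            # rotate every credential in that file, do not just patch.
            "served": 200 <= status < 300,
        })
    return findings

def sha256_of_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root):
    """Map every readable regular file under root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                digests[full] = sha256_of_file(full)
            except OSError:
                continue  # unreadable or vanished; report separately if needed
    return digests

def match_iocs(digests, iocs=IOC_SHA256):
    """Return the paths whose digest is in the indicator set, sorted."""
    return sorted(p for p, d in digests.items() if d.lower() in iocs)

# Constructed sample log, not real traffic (documentation IP ranges only).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2024:07:34:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jul/2024:07:34:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jul/2024:07:35:10 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.10 - - [17/Jul/2024:07:36:00 +0000] "GET /index.php?page=env HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked/missing"
        print(f'{f["ip"]:15} {f["label"]:34} {f["status"]} {flag}  {f["target"]}')
    hits = match_iocs(hash_tree("/var/www"))  # assumed web root
    print("IOC hash matches:", hits or "none")
```

Against a real server, pass the open log file to `scan_log` and the actual web root to `hash_tree`. A 2xx response to a `.env` probe means the file was served, so every secret in it (APP_KEY, database, mail and cloud keys) needs rotating, not only the vulnerability patching. The traversal signature decodes percent-encoding once; a double-encoded path would need a second `unquote` pass.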

Linked vulnerabilities

  • CVE-2017-9841
  • CVE-2018-15133
  • CVE-2021-41773