AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

Juniper Threat Labs has released details on a Python-based tool, dubbed AndroxGh0st, designed to target Laravel applications and steal sensitive data. Laravel is an open-source PHP web application framework used to build web applications such as e-commerce platforms, APIs, and content management systems. In the latest campaigns targeting these applications, AndroxGh0st is used to scan for and read Laravel environment (.env) files in order to extract the credentials they hold for cloud-based services such as Amazon Web Services, SendGrid, and Twilio. With access to those cloud environments, actors can deploy additional payloads and retrieve further sensitive data.

Analyst Comments:
Researchers note that the actors behind AndroxGh0st rely on known vulnerabilities to gain initial access to vulnerable systems and establish a persistent foothold. Initial access is obtained by exploiting a path traversal weakness in Apache (CVE-2021-41773) with a specially crafted URI sent to the target service, which allows the actors to read the contents of arbitrary files on the server. This is followed by the exploitation of two further vulnerabilities, CVE-2017-9841 (PHPUnit RCE) and CVE-2018-15133 (Laravel Framework RCE), both of which provide remote code execution and lead to the deployment of webshells and other payloads for persistent access.

Suggested Corrections:
In the last couple of years, organizations have increasingly relied on cloud services because of their cost-effectiveness and the speed with which resources (servers, storage, and applications) can be allocated and used. At the same time, this has opened a new attack surface for actors to exploit. With actors developing tools like AndroxGh0st to locate and steal credentials for services such as AWS, organizations need to proactively secure their cloud environments against such attacks. This can be accomplished through effective patch management (applying patches for vulnerabilities such as CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773 in a timely manner), the implementation of robust network security measures such as IDS and firewalls to detect and block malicious activity, the encryption of sensitive data and credentials, and the use of multi-factor authentication.
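The two behaviours described above (probing for Laravel .env files and path traversal requests against the web server) both leave traces in ordinary web server access logs, which is where the IDS-style detection mentioned in the corrections can start. The following script is an added example written for this page, not code from Juniper Threat Labs or from the AndroxGh0st tool; the log lines it parses are constructed sample data, and the severity scheme (a 200 response to an .env request is treated as critical, because it means the file was actually served and its credentials should be considered exposed and rotated) is an assumption of the example rather than something the report states.

```python
"""Flag .env probes and path-traversal attempts in Apache/Nginx combined-format access logs.

Added example for this page; the log lines below are constructed, not taken from any real incident.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Matches ".env" as a path component, plus variants such as ".env.backup" or ".env.prod"
ENV_FILE_RE = re.compile(r'(?:^|/)\.env(?:\.[A-Za-z0-9_-]+)?$')

# A ".." path component after decoding, regardless of separator style
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')

# Constructed sample log (RFC 5737 documentation addresses); not real traffic
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 200 1234',
    '203.0.113.10 - - [10/Jan/2023:12:00:02 +0000] "GET /vendor/.env HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Jan/2023:12:00:03 +0000] "GET /static/..%2F..%2F.env HTTP/1.1" 403 0',
    '192.0.2.5 - - [10/Jan/2023:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.5 - - [10/Jan/2023:12:00:05 +0000] "POST /login HTTP/1.1" 302 0',
]


def decode_fully(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences are normalised before matching."""
    current = path
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify_request(path: str) -> list[str]:
    """Return the reasons a request path looks suspicious; an empty list means benign."""
    tags: list[str] = []
    decoded = decode_fully(path).replace('\\', '/')
    file_part = decoded.split('?', 1)[0]  # ignore the query string for file-name checks
    if ENV_FILE_RE.search(file_part):
        tags.append('env-file-probe')
    if TRAVERSAL_RE.search(decoded):
        tags.append('path-traversal')
    return tags


def scan_log(lines: list[str]) -> list[dict]:
    """Parse each line and collect findings with a severity derived from the response status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        tags = classify_request(m['path'])
        if not tags:
            continue
        status = int(m['status'])
        # Assumption of this example: a served .env (HTTP 200) means secrets are already exposed
        severity = 'critical' if 'env-file-probe' in tags and status == 200 else 'warning'
        findings.append({
            'ip': m['ip'],
            'path': m['path'],
            'status': status,
            'tags': tags,
            'severity': severity,
        })
    return findings


def summarize_by_ip(findings: list[dict]) -> dict[str, int]:
    """Count findings per source IP so repeat scanners stand out for blocking."""
    return dict(Counter(f['ip'] for f in findings))


if __name__ == '__main__':
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:8} {f['ip']:15} {f['status']} {f['path']} {f['tags']}")
    print('hits per IP:', summarize_by_ip(results))
```

Run against a real log with `scan_log(open('access.log').read().splitlines())`; a critical finding should trigger credential rotation for every service listed in the affected .env file, since the patch-management and firewall controls described above limit future access but do not recall credentials that have already been read.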