is an “SMTP cracker” which is primarily intended to scan for and parse Laravel application secrets from exposed .env files.
(Note: Laravel is an open-source PHP framework, and the Laravel .env file is often targeted for the configuration data it holds, including AWS, SendGrid and Twilio settings.)
The user agents are not coincidentally associated with this activity: they are almost exclusive to the /.env scans and the Python malware.
AndroxGh0st has multiple features to enable SMTP abuse, including scanning, exploitation of exposed credentials and APIs, and even deployment of webshells. For AWS specifically, the malware scans for and parses AWS keys, but it also has the ability to generate keys for brute force attacks. However, the brute force capability is likely a novelty and is a statistically unlikely attack vector.
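The /.env scanning described above leaves a clear trace in web server access logs. The following is an added example, not code from the article or from Gurucul, that parses constructed access-log lines in the common Apache/nginx "combined" format, flags every request for a .env path, and separates probes the server refused (403/404) from ones it actually answered with the file (2xx). The log lines, the regex and the "2xx means exposed" heuristic are this example's own assumptions.

```python
"""Added example (not from the article): flag HTTP requests that probe for
Laravel .env files in a web server access log, and separate probes the server
refused from ones it actually answered with the file.

The log lines below are constructed; the regex assumes the common
Apache/nginx "combined" format, and treating any 2xx answer to a .env path
as "exposed" is this example's own heuristic.
"""
import re
from collections import Counter
from dataclasses import dataclass

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# A path segment that is exactly ".env" (optionally followed by a query
# string or another extension), anywhere in the URL.
ENV_PATH_RE = re.compile(r'(?:^|/)\.env(?:$|[./?#])', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    status: int
    ua: str
    exposed: bool  # True if the server answered 2xx, i.e. it served the file


# Constructed sample log: one server that served /.env, one that refused it.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.28.1"
198.51.100.7 - - [10/Jan/2024:10:00:06 +0000] "GET /app/.env?x=1 HTTP/1.1" 403 150 "-" "python-requests/2.28.1"
192.0.2.3 - - [10/Jan/2024:10:00:09 +0000] "GET /assets/env.js HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def scan_access_log(text):
    """Return one Finding per request whose path points at a .env file."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash on a real log
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if ENV_PATH_RE.search(path):
            status = int(m.group("status"))
            findings.append(Finding(m.group("ip"), m.group("path"), status,
                                    m.group("ua"), 200 <= status < 300))
    return findings


def summarize(findings):
    """Per-source-IP probe counts plus the IPs that actually received the file."""
    probes = Counter(f.ip for f in findings)
    exposed_to = sorted({f.ip for f in findings if f.exposed})
    return {"probes_per_ip": dict(probes), "exposed_to": exposed_to}


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarize(found))
```

The distinction matters for triage: a refused probe is background noise worth counting, while a 2xx answer to /.env means the secrets in that file should be treated as compromised and rotated.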
Depending on the usage, AndroxGh0st can perform one of two primary functions against acquired credentials.
observed of these is to check the email sending limit for the account to assess if it can be leveraged for spamming. This is performed with a call to GetSendQuota.
is to escalate to the AWS management console. This is performed with the following automated tasks:
1. Attempts to create a user with the compromised credentials; the username is hardcoded in the malware.
2. Creates a login profile for the new user so it can access the management console; the password is also hardcoded in the Python program.
3. Attempts to assign admin privileges to the new user by attaching the policy arn:aws:iam::aws:policy/AdministratorAccess.
4. If the previous steps are successful, writes the login data to a configuration file for later use.
5. Deletes the original compromised key once management console access is achieved.
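Both functions above (the GetSendQuota check and the console-escalation chain) are visible in CloudTrail. The following is an added example, not code from the article or from Gurucul, that runs over constructed CloudTrail-style records and raises a finding when a single access key performs CreateUser, CreateLoginProfile and AttachUserPolicy with the AdministratorAccess ARN inside a short window, noting whether that key then deleted itself; a second function lists keys that called GetSendQuota. The field names follow the CloudTrail JSON schema, while the 30-minute window, the severity label, the placeholder user name and the key IDs are this example's own assumptions (the article does not give the hardcoded username).

```python
"""Added example (not from the article): detect the console-escalation
sequence described above in CloudTrail records, grouped by the access key
that performed the calls.

Events below are constructed. Field names follow the CloudTrail JSON schema
(eventTime, eventName, userIdentity.accessKeyId, requestParameters); the
30-minute window, the severity label, the placeholder user name and the
key IDs are this example's own assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(minutes=30)  # assumed: how quickly the chain completes

ACTOR_KEY = "AKIA000000000EXAMPLE"  # constructed placeholder key ID
OTHER_KEY = "AKIA111111111EXAMPLE"  # constructed placeholder key ID


def _ev(time, name, key, params=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}


SAMPLE_EVENTS = [
    # the abuse chain, all from one compromised key
    _ev("2024-01-10T10:00:00Z", "GetSendQuota", ACTOR_KEY),
    _ev("2024-01-10T10:00:20Z", "CreateUser", ACTOR_KEY, {"userName": "placeholder-user"}),
    _ev("2024-01-10T10:00:25Z", "CreateLoginProfile", ACTOR_KEY, {"userName": "placeholder-user"}),
    _ev("2024-01-10T10:00:30Z", "AttachUserPolicy", ACTOR_KEY,
        {"userName": "placeholder-user", "policyArn": ADMIN_POLICY}),
    _ev("2024-01-10T10:00:40Z", "DeleteAccessKey", ACTOR_KEY, {"accessKeyId": ACTOR_KEY}),
    # routine onboarding by a different key: read-only user, no console profile
    _ev("2024-01-10T11:00:00Z", "CreateUser", OTHER_KEY, {"userName": "analyst"}),
    _ev("2024-01-10T11:00:05Z", "AttachUserPolicy", OTHER_KEY,
        {"userName": "analyst", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_console_escalation(events):
    """One finding per (actor key, created user) where CreateUser,
    CreateLoginProfile and AttachUserPolicy(AdministratorAccess) all land
    within WINDOW; records whether the actor then deleted its own key."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_key[ev["userIdentity"].get("accessKeyId", "<no key>")].append(ev)

    findings = []
    for key, evs in by_key.items():
        chains = {}  # created user name -> chain state
        for ev in evs:
            t = _parse_time(ev["eventTime"])
            params = ev.get("requestParameters") or {}
            name, user = ev["eventName"], params.get("userName")
            if name == "CreateUser" and user:
                chains[user] = {"created": t, "login_profile": False,
                                "admin": False, "key_deleted": False}
                continue
            chain = chains.get(user)
            if chain and t - chain["created"] <= WINDOW:
                if name == "CreateLoginProfile":
                    chain["login_profile"] = True
                elif name == "AttachUserPolicy" and params.get("policyArn") == ADMIN_POLICY:
                    chain["admin"] = True
            if name == "DeleteAccessKey" and params.get("accessKeyId") == key:
                # the actor removed the key it was using: the cut-over to the new user
                for c in chains.values():
                    if t - c["created"] <= WINDOW:
                        c["key_deleted"] = True
        for user, c in chains.items():
            if c["login_profile"] and c["admin"]:
                findings.append({"actor_key": key, "created_user": user,
                                 "severity": "high",
                                 "original_key_deleted": c["key_deleted"]})
    return findings


def detect_send_quota_checks(events):
    """Keys that called ses:GetSendQuota, the spam-capacity check described above."""
    return sorted({ev["userIdentity"].get("accessKeyId", "<no key>")
                   for ev in events if ev["eventName"] == "GetSendQuota"})


if __name__ == "__main__":
    print(detect_console_escalation(SAMPLE_EVENTS))
    print(detect_send_quota_checks(SAMPLE_EVENTS))
```

Keying the chain on the access key rather than on the IAM user is deliberate: the malware works from a leaked key, and the self-deletion in the last step is itself a strong signal, since legitimate automation rarely creates a console user and then destroys the credential that created it.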
| Tactic | Technique | ID | Use | GRA Detection |
| --- | --- | --- | --- | --- |
| Execution | Command and Scripting Interpreter: Python | T1059.006 | The threat actor uses Androxgh0st, a Python-scripted malware, to target victim files. | 3 |
| Persistence | Valid Accounts | T1078 | The threat actor abuses the simple mail transfer protocol (SMTP) by exploiting exposed credentials. | 33 |
| Persistence | Server Software Component: Web Shell | T1505.003 | The threat actor deploys web shells to maintain persistent access to systems. | 1 |
| Persistence | Create Account | T1136 | The threat actor attempts to create new users and user policies with compromised AWS credentials from a vulnerable website. | 6 |
| Defense Evasion | Obfuscated Files or Information: Command Obfuscation | T1027.010 | The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie. | 14 |
| Credential Access | | TA0006 | The threat actor can access the application key of the Laravel application on the site. | 152 |
| Credential Access | Unsecured Credentials: Credentials in Files | T1552.001 | The threat actor targets .env files that contain confidential credential information. | 12 |
| Discovery | File and Directory Discovery | T1083 | The threat actor can identify URLs for files outside the root directory through a path traversal attack. | 6 |
| Discovery | Network Service Discovery | T1046 | The threat actor uses Androxgh0st to abuse the simple mail transfer protocol (SMTP) via scanning. | 9 |
| Collection | Email Collection | T1114 | The threat actor interacts with application programming interfaces (APIs) to gather information. | 2 |
| Command and Control | Ingress Tool Transfer | T1105 | The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website. | 13 |
About the Author:
Rudra Pratap, Security Research Manager, Gurucul
Rudra Pratap is a Security Research Manager and heads Threat Research at Gurucul with over 12 years of experience in security research and development. Rudra’s expertise spans a wide range of cybersecurity domains, including cloud & endpoint protection, threat detection & response and advanced persistent threats (APTs). He has authored multiple research papers and presented at conferences, sharing insights on topics such as industry threats and cyber espionage campaigns. With a strong background in security research, Rudra has made significant contributions to industry giants like Microsoft and FireEye.