CISA and the FBI warned today that threat actors using Androxgh0st malware are building a botnet focused on cloud credential theft and using the stolen information to deliver additional malicious payloads.

This botnet was first spotted by Lacework Labs in 2022 and was controlling over 40,000 devices almost one year ago, according to Fortiguard Labs data.

It scans for websites and servers vulnerable to the following remote code execution (RCE) vulnerabilities: CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework).

"Androxgh0st is a Python-scripted malware primarily used to target .env files that contain confidential information, such as credentials for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework)," the two agencies cautioned.

"Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning and exploiting exposed credentials and application programming interfaces (APIs), and web shell deployment."

Stolen Twilio and SendGrid credentials can be used by the threat actors to conduct spam campaigns impersonating the breached companies.

"Depending on the usage, AndroxGh0st can perform one of two primary functions against acquired credentials. The most commonly observed of these is to check the email sending limit for the account to assess if it can be leveraged for spamming," according to Lacework.

The attackers have also been observed creating fake pages on compromised websites, providing them with a backdoor to access databases containing sensitive information and deploy more malicious tools vital for their operations.

Upon successfully identifying and compromising AWS credentials on a vulnerable website, they've also tried creating new users and user policies.

Furthermore, Andoxgh0st operators use stolen credentials to spin up new AWS instances for scanning additional vulnerable targets across the Internet.

FBI and CISA advise network defenders to implement the following mitigation measures to limit the impact of Androxgh0st malware attacks and reduce the risk of compromise:

The FBI also asked for information on Androxgh0st malware from organizations that detect suspicious or criminal activity linked to this threat.

CISA added the CVE-2018-15133 Laravel deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities Catalog today based on this evidence of active exploitation.

The U.S. cybersecurity agency also ordered federal agencies to secure their systems against these attacks by February 6.

The CVE-2021-41773 Apache HTTP Server path traversal and CVE-2017-9841 PHPUnit command injection vulnerabilities have been added to the catalog in November 2021 and February 2022, respectively.