FBI warns against cloud credential-stealing Androxgh0st botnet

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency (CISA) have published an urgent advisory about the Androxgh0st botnet, which is being used to steal cloud credentials from major platforms, including AWS, SendGrid, and Microsoft Office 365.

Initially identified by Lacework Labs in 2022, Androxgh0st is Python-scripted malware that exploits known vulnerabilities in various web frameworks and servers, primarily to reach .env files that store sensitive cloud credentials.

Androxgh0st scans for websites and servers using older versions of PHPUnit, PHP web frameworks, and Apache web servers that have known remote code execution (RCE) vulnerabilities.

About 68% of Androxgh0st malware’s SMTP abuses originate from Windows systems, with 87% of attacks executed through Python, according to Lacework Labs’ analysis.

A tell-tale sign of the malware is unusual web requests to specific server locations, CISA said.

Once it identifies a vulnerable system, Androxgh0st extracts credentials from .env files, which often contain access keys for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio.
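The advisory's tell-tale sign is unusual web requests for .env files. As an added example (not from the advisory or from Lacework), the following script scans Apache combined-format access logs for such requests, counts them per source address, and flags any that returned 200, which suggests the file was actually served; the log lines, IPs and format are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Apache "combined" access-log layout (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines; addresses are documentation-range placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jan/2024:10:01:03 +0000] "GET /admin/.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.4 - - [17/Jan/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 3204 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2024:10:02:11 +0000] "POST /.env HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.4 - - [17/Jan/2024:10:03:00 +0000] "GET /static/app.env.js HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""


def is_env_probe(path):
    """True when the last path segment is a .env file (e.g. /.env, /app/.env.backup)."""
    clean = path.split("?", 1)[0]          # drop any query string
    last = clean.rsplit("/", 1)[-1]        # final path component only
    return last == ".env" or last.startswith(".env.")


def find_env_probes(log_text):
    """Return (ip, path, status) for every request that targets a .env file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                        # skip lines that are not in the expected format
        if is_env_probe(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def summarize(hits):
    """Probe count per source IP, plus (ip, path) pairs where the server answered 200."""
    per_ip = Counter(ip for ip, _, _ in hits)
    exposed = sorted({(ip, path) for ip, path, status in hits if status == 200})
    return per_ip, exposed


if __name__ == "__main__":
    per_ip, exposed = summarize(find_env_probes(SAMPLE_LOG))
    print("probes per IP:", dict(per_ip))
    print("likely exposed .env files:", exposed)
```

A 200 response to a .env request is the finding to act on first: rotate every credential in that file, then block the path at the web server.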