AndroxGh0st is a potent malware designed to infiltrate Laravel applications, with a specific focus on extracting sensitive data such as AWS and Twilio login credentials from .env files. Initially categorized as an SMTP cracker, it exploits various strategies including SMTP vulnerabilities, web shell deployment, and credential exploitation. Despite its adaptive nature and diverse capabilities, the primary objective remains compromising hosts and extracting crucial information from Laravel applications.
Juniper’s reports shed light on the malware’s menu-driven interface, showcasing its multifunctional features. With options like “awslimitcheck,” “sendgridcheck,” and “twilio_sender,” it offers diverse functionalities tailored for specific tasks. These options enable users to assess AWS account limits, verify SendGrid API keys, and send SMS messages via the Twilio API, among other capabilities.
Moreover, the malware exploits critical vulnerabilities associated with Laravel web applications, including CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. The attack chain initiates with CVE-2021-41773, exploiting Apache weaknesses to gain entry into vulnerable systems. Subsequently, CVE-2017-9841 and CVE-2018-15133 are leveraged to execute arbitrary code and establish persistent control, amplifying the malware’s impact and potency.
