Cybercriminals are using a new Python-based credential harvester and SMTP hijacking tool called ‘Legion’ to target online email services for phishing and spam attacks. Legion is being sold on Telegram by a group that calls itself “Forza Tools,” which operates a YouTube channel with tutorials and a Telegram channel with over a thousand members.
Legion is modular malware that is likely based on the AndroxGhOst malware, and it features modules to perform SMTP server enumeration, remote code execution, exploit vulnerable Apache versions, brute-force cPanel and WebHost Manager accounts, interact with Shodan’s API, and abuse AWS services.
Furthermore, Legion targets many services for credential theft, including Twilio, Nexmo, Stripe/Paypal (payment API function), AWS console credentials, AWS SNS, S3 and SES specific, Mailgun, and database/CMS platforms. It can also create administrator users, implant webshells, and send out spam SMS to customers of U.S. carriers.
Additionally, Legion generally targets unsecured web servers running content management systems (CMS) and PHP-based frameworks like Laravel. It uses RegEx patterns to search for files commonly known to hold secrets, authentication tokens, and API keys.
The tool uses an array of methods to retrieve credentials from misconfigured web servers, such as targeting environment variable files (.env) and configuration files that might contain SMTP, AWS console, Mailgun, Twilio, and Nexmo credentials.
At the same time, if Legion captures valid AWS credentials, it attempts to create an IAM user named ‘ses_legion,’ and sets the policy to give it administrator rights, giving the rogue user full access to all AWS services and resources.
The malware can also send SMS spam by leveraging stolen SMTP credentials after generating a list of phone numbers with area codes retrieved from online services.
Finally, Legion can exploit known PHP vulnerabilities to register a webshell on the targeted endpoint or perform remote code execution to give the attacker full access to the server.
