Actively stealing credentials in the wild
FortiGuard Labs continues to observe widespread AndroxGh0st malware activity in the wild exploiting multiple vulnerabilities, specifically targeting PHPUnit (CVE-2017-9841), the Laravel Framework (CVE-2018-15133) and the Apache Web Server (CVE-2021-41773), to spread and conduct information-gathering attacks on target networks.
Common Vulnerabilities and Exposures
Background
AndroxGh0st is Python-based malware that primarily targets user environment (.env) files. These files may contain credentials for various high-profile applications such as AWS, O365, SendGrid, and Twilio. AndroxGh0st has numerous malicious functions to abuse SMTP, scan for and exploit exposed credentials and APIs, and deploy web shells to maintain persistent access to systems.
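As an added defender-side example (not FortiGuard's or the advisory's code), the following Python audits a web document root for the .env files this malware hunts for, parses them, and reports which of the named services' credentials each one holds and whether it is world-readable. The service key-name patterns and the sample .env are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Key names that look like credentials for the services this alert says AndroxGh0st
# harvests (AWS, O365, SendGrid, Twilio) plus the SMTP settings it abuses.
# These name patterns are this example's assumption, not a FortiGuard list.
SENSITIVE_KEYS = {
    "aws": re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$"),
    "o365": re.compile(r"^(O365|OFFICE365|AZURE|MS_GRAPH)_\w*(SECRET|PASSWORD|TOKEN)$"),
    "sendgrid": re.compile(r"^SENDGRID_API_KEY$"),
    "twilio": re.compile(r"^TWILIO_(ACCOUNT_SID|AUTH_TOKEN)$"),
    "smtp": re.compile(r"^(MAIL|SMTP)_(HOST|USERNAME|PASSWORD)$"),
}
_ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$")

def parse_env(text):
    """Parse dotenv text into {KEY: value}; comments skipped, quotes and trailing notes stripped."""
    env = {}
    for raw in text.splitlines():
        m = _ASSIGN.match(raw.strip())  # '#' lines never match: keys start with a letter or '_'
        if not m:
            continue
        key, value = m.groups()
        quoted = re.match(r"""^(["'])(.*?)\1""", value)
        env[key] = quoted.group(2) if quoted else value.split(" #", 1)[0].rstrip()
    return env

def classify_secrets(env):
    """Map service -> keys whose non-empty values would be worth stealing."""
    hits = {}
    for key, value in env.items():
        for service, pattern in SENSITIVE_KEYS.items():
            if value and pattern.match(key):
                hits.setdefault(service, []).append(key)
    return hits

def audit_webroot(webroot):
    """Report every .env under a document root: credential services held, and o+r readability."""
    return [{"path": str(p), "services": classify_secrets(parse_env(p.read_text(errors="replace"))),
             "world_readable": bool(p.stat().st_mode & 0o004)}
            for p in Path(webroot).rglob(".env") if p.is_file()]

# Constructed sample of a Laravel-style .env, the kind of file the malware hunts for.
SAMPLE_ENV = """# app settings
MAIL_PASSWORD="p@ss word" # quoted value, trailing note
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000000 # placeholder id
AWS_SECRET_ACCESS_KEY=''
export SENDGRID_API_KEY=SG.placeholder
TWILIO_AUTH_TOKEN=placeholder
"""
```

Running `audit_webroot("/var/www")` (path assumed) lists each reachable .env with the services it exposes; an empty-valued key such as the AWS secret above is not counted as a finding.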
Latest Development
Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.
Fortinet customers remain protected by the IPS signatures for all related vulnerabilities (CVE-2021-41773, CVE-2017-9841, CVE-2018-15133); however, users are requested to review the related CVEs and make sure all operating systems, software, and firmware are up to date.
- January 16, 2024: The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to share known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying AndroxGh0st malware. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
- January 01, 2024: FortiGuard Labs continues to block AndroxGh0st malware activity on more than 40,000 unique FortiGate devices a day on average.
- March 17, 2023: FortiGuard Labs released a Threat Signal. https://www.fortiguard.com/threat-signal-report/5066
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- AV
- AV (Pre-filter)
- IPS
- Web App Security
- IOC
- Outbreak Detection
- Threat Hunting
- Cloud Threat Detection
- Assisted Response Services
- Automated Response
- NOC/SOC Training
- End-User Training
- Attack Surface Monitoring (Inside & Outside)
- Attack Surface Hardening
Threat Intelligence
Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.
References
Sources of information in support and relation to this Outbreak and vendor.