AndroxGh0st Malware Actively Used in the Wild
Description
FortiGuard Labs is aware that AndroxGh0st malware is actively used in the wild, primarily to target the .env files of Laravel web applications. These files hold confidential configuration such as credentials for high-profile services including AWS, O365, SendGrid, and Twilio.
Why is this Significant?
This is significant because AndroxGh0st is actively used in the wild to harvest Laravel .env files, which contain sensitive information such as credentials for AWS, O365, SendGrid, and Twilio. FortiGuard Labs observes in-the-wild AndroxGh0st attempts against more than 40,000 Fortinet devices a day.
What is AndroxGh0st Malware?
AndroxGh0st is Python-based malware designed to search for and extract .env files from Laravel applications.
AndroxGh0st also supports numerous functions capable of abusing SMTP, such as scanning for and exploiting exposed credentials and APIs, and deploying web shells.
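The following triage helper is an added example and is not code from FortiGuard Labs or from the malware itself. It shows the two checks a responder wants after reading the above: scanning web-server access logs for requests that probe for a Laravel .env file (and whether any probe was answered with 200, meaning the file was likely disclosed), and listing which credential-bearing keys a given .env file holds so the blast radius of a confirmed leak can be enumerated for rotation. The log lines, the .env contents, the probe-path pattern and the list of key names (Laravel and SDK conventions) are all constructed assumptions, not indicators taken from the advisory.

```python
# Added triage helper for AndroxGh0st-style .env harvesting (example code,
# not from the advisory). All sample data and key names are constructed.
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache/nginx Combined Log Format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path component ".env" (optionally ".env.bak", ".env.old", ...) with or
# without a query string. Assumed probe shape; "/environment" must not match.
ENV_PROBE_RE = re.compile(r"(?:^|/)\.env(?:\.[A-Za-z0-9_-]+)?(?:$|\?)")

# Laravel .env keys that commonly hold the credential types the advisory
# names (AWS, O365 mail, SendGrid, Twilio) plus the app key and DB password.
SENSITIVE_KEYS = {
    "APP_KEY", "DB_PASSWORD",
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
    "MAIL_USERNAME", "MAIL_PASSWORD",
    "SENDGRID_API_KEY",
    "TWILIO_SID", "TWILIO_AUTH_TOKEN",
}


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_env_probes(lines: List[str]) -> List[Dict[str, object]]:
    """Return every request whose path targets a .env file.

    'served' is True when the server answered 200: treat every secret in
    that file as compromised and rotate it.
    """
    probes = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None and ENV_PROBE_RE.search(rec["path"]):
            probes.append({
                "ip": rec["ip"],
                "method": rec["method"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "served": rec["status"] == "200",
            })
    return probes


def probes_by_source(probes: List[Dict[str, object]]) -> Counter:
    """Count probes per source IP so the noisiest scanners surface first."""
    return Counter(p["ip"] for p in probes)


def sensitive_keys_in_env(env_text: str) -> List[str]:
    """Return the sensitive keys with a non-empty value in a .env file.

    Skips comments and blank lines, accepts 'export KEY=value' and strips
    single or double quotes around the value.
    """
    found = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"').strip("'")
        if key in SENSITIVE_KEYS and value:
            found.append(key)
    return sorted(found)


# Constructed sample input: three probes from one scanner, one served.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.28.1"',
    '203.0.113.5 - - [10/Jan/2024:12:00:02 +0000] "GET /laravel/.env HTTP/1.1" 200 912 "-" "python-requests/2.28.1"',
    '198.51.100.7 - - [10/Jan/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:12:00:07 +0000] "POST /.env HTTP/1.1" 403 0 "-" "python-requests/2.28.1"',
    '198.51.100.9 - - [10/Jan/2024:12:00:09 +0000] "GET /environment HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

# Constructed sample .env; values are placeholders, not real credentials.
SAMPLE_ENV = """\
APP_NAME=Laravel
APP_ENV=production
APP_KEY=base64:EXAMPLEKEYEXAMPLEKEYEXAMPLEKEY=
# Mail goes out through Office 365
MAIL_HOST=smtp.office365.com
MAIL_USERNAME=noreply@example.com
MAIL_PASSWORD="example-password"
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00
AWS_SECRET_ACCESS_KEY=exampleSecretExampleSecretExampleSecret
SENDGRID_API_KEY=
export TWILIO_AUTH_TOKEN='exampletoken'
"""

if __name__ == "__main__":
    probes = find_env_probes(SAMPLE_LOG)
    for p in probes:
        print(f'{p["ip"]:>14} {p["method"]:4} {p["path"]:<16} {p["status"]}'
              f' {"SERVED" if p["served"] else "blocked"}')
    print("probes per source:", dict(probes_by_source(probes)))
    print("secrets to rotate if leaked:", sensitive_keys_in_env(SAMPLE_ENV))
```

Run it against real access logs by feeding the lines to find_env_probes; any probe with served set to True should be handled as a confirmed disclosure of that application's .env file, and the keys reported by sensitive_keys_in_env for that file are the credentials to revoke first. A probe answered with 404 or 403 is still a useful indicator of the scanner's source address.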
What is the Status of Protection?
FortiGuard Labs has the following AV signatures in place for known AndroxGh0st malware samples:
- Python/AndroxGhost.A!tr
- Python/AndroxGhost.HACK!tr
- PHP/AndroxGhost.AZZA!tr
- W32/AndroxGhost.HACK!tr
- W32/AndroxGhost.BEAE!tr
- MSIL/AndroxGhost.HACK!tr
FortiGuard Labs has the following IPS signature in place for AndroxGh0st:
- AndroxGh0st.Malware
Appendix
AndroxGh0st.Malware (Fortinet)