Androxgh0st Malware Attack

Released: Jan 17, 2024

Updated: Jan 31, 2024


Severity: High

Vendor: Apache, PHP

Type: Malware


Actively stealing credentials in the wild

FortiGuard Labs continue to observe widespread activity of Androxgh0st malware in the wild exploiting multiple vulnerabilities, specifically targeting PHPUnit (CVE-2017-9841), the Laravel Framework (CVE-2018-15133) and the Apache Web Server (CVE-2021-41773), to spread and to conduct information-gathering attacks on the target networks.

Common Vulnerabilities and Exposures

CVE-2021-41773
CVE-2018-15133
CVE-2017-9841

Background

AndroxGh0st is Python-based malware that primarily targets user environment (.env) files. These files may contain credentials for various high-profile applications such as AWS, O365, SendGrid, and Twilio. AndroxGh0st has numerous malicious functions to abuse SMTP, scan for and exploit exposed credentials and APIs, and deploy web shells to maintain persistent access to compromised systems.
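As an added example (not code from the FortiGuard alert or from the malware itself), a small Python detector that scans Apache combined-format access logs for the .env harvesting behaviour described above: it flags every request for a .env file, groups the probes by source IP, and separately reports any .env request that the server answered with 200, since that means the credential file was actually served. The log lines are constructed samples using documentation IP ranges.

```python
import re

# Constructed sample access-log lines (not real traffic). One scanner probes
# several .env locations; the last probe is answered 200, i.e. the file leaked.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.7 - - [17/Jan/2024:10:01:03 +0000] "GET /admin/.env HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.7 - - [17/Jan/2024:10:01:04 +0000] "POST / HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.4 - - [17/Jan/2024:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2024:10:01:05 +0000] "GET /laravel/.env?x=1 HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
"""

# Apache "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# A path component named ".env", optionally with a suffix (.env.bak, .env.local).
ENV_RE = re.compile(r"(^|/)\.env(\.[\w-]+)?$")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_env_probe(path):
    """True when the requested path (query string ignored) names a .env file."""
    return ENV_RE.search(path.split("?", 1)[0]) is not None


def scan_log(text):
    """Group .env requests by client IP; 'served' lists paths answered with 200."""
    findings = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["path"]):
            continue
        entry = findings.setdefault(rec["ip"], {"probes": 0, "served": []})
        entry["probes"] += 1
        if rec["status"] == "200":
            entry["served"].append(rec["path"].split("?", 1)[0])
    return findings


if __name__ == "__main__":
    for ip, info in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} .env probe(s), served: {info['served'] or 'none'}")
```

A non-empty `served` list is the case to treat as a credential exposure and rotate the secrets named in that .env file, not just a scanning attempt to block.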

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


Fortinet customers remain protected by the IPS signatures for all related vulnerabilities (CVE-2021-41773, CVE-2017-9841, CVE-2018-15133). However, users are requested to review the related CVEs and make sure all operating systems, software, and firmware are up to date.

  • January 16, 2024: The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint Cybersecurity Advisory (CSA) to share known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware.

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a
  • January 01, 2024: FortiGuard Labs continue to block AndroxGh0st malware activity on more than 40,000 unique FortiGate devices a day on average.

  • March 17, 2023: FortiGuard Labs released a Threat Signal

    https://www.fortiguard.com/threat-signal-report/5066

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • AV

  • AV (Pre-filter)

  • IPS

  • Web App Security

DETECT
  • IOC

  • Outbreak Detection

  • Threat Hunting

  • Cloud Threat Detection

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Monitoring (Inside & Outside)

  • Attack Surface Hardening

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise
IOC Indicator List
Indicators of compromise
IOC Threat Activity (last 30 days; chart not reproduced)