AndroxGh0st Malware Actively Used in the Wild

Description

FortiGuard Labs is aware that AndroxGh0st malware is actively used in the field, primarily to target Laravel web application .env files, which contain confidential information such as credentials for high-profile services including AWS, O365, SendGrid, and Twilio.


Why is this Significant?

This is significant because AndroxGh0st malware is actively used in the field to target Laravel .env files that contain sensitive information such as credentials for AWS, O365, SendGrid, and Twilio. FortiGuard Labs observes in-the-wild AndroxGh0st attempts against more than 40,000 Fortinet devices a day.


What is AndroxGh0st Malware?

AndroxGh0st is a Python malware designed to search for and extract .env files from Laravel applications.

AndroxGh0st also supports numerous functions to abuse SMTP, including scanning for and exploiting exposed credentials and APIs, as well as web shell deployment.


What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for known AndroxGh0st malware samples:

  • Python/AndroxGhost.A!tr
  • Python/AndroxGhost.HACK!tr
  • PHP/AndroxGhost.AZZA!tr
  • W32/AndroxGhost.HACK!tr
  • W32/AndroxGhost.BEAE!tr
  • MSIL/AndroxGhost.HACK!tr

FortiGuard Labs has the following IPS signature in place for AndroxGh0st:

  • AndroxGh0st.Malware

Outbreak Alert

FortiGuard Labs continues to observe widespread activity of AndroxGh0st malware in the wild exploiting multiple vulnerabilities, specifically targeting PHPUnit (CVE-2017-9841), the Laravel Framework (CVE-2018-15133) and Apache Web Server (CVE-2021-41773) to spread and conduct information-gathering attacks on target networks.
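As an added defensive illustration (not code from the FortiGuard page), the following Python scans web server access-log lines for the two request patterns the activity described above and in the malware description depends on: probes for Laravel .env files and requests to the PHPUnit eval-stdin.php endpoint associated with CVE-2017-9841. The log lines, the log format regex and the severity labels are constructed assumptions for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not from the original page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.28.1"
203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.28.1"
198.51.100.9 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "GET /laravel/.env HTTP/1.1" 200 842 "-" "python-requests/2.28.1"
"""

# Minimal parser for the combined log format (assumption: logs use this layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Laravel keeps its secrets in a .env file at the application root; any request for
# one (including backup variants such as .env.bak) is a probe for those credentials.
ENV_PROBE_RE = re.compile(r'/\.env(\.[A-Za-z0-9_-]+)?$')
# Endpoint exposed by vulnerable PHPUnit installs (CVE-2017-9841), compared lowercase.
PHPUNIT_PATH = '/vendor/phpunit/phpunit/src/util/php/eval-stdin.php'

def classify(path):
    """Return a finding kind for a request path, or None if it is not suspicious."""
    p = unquote(path.split('?', 1)[0]).lower()  # drop query string, decode, normalise case
    if ENV_PROBE_RE.search(p):
        return 'env_probe'
    if p.endswith(PHPUNIT_PATH):
        return 'phpunit_cve_2017_9841'
    return None

def scan_log(text):
    """Return (findings, hits_per_ip). An .env probe answered with HTTP 200 means the
    secrets file was actually served, so it is rated critical rather than warning."""
    findings, per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m['path'])
        if kind is None:
            continue
        status = int(m['status'])
        critical = kind == 'env_probe' and status == 200
        findings.append({'ip': m['ip'], 'path': m['path'], 'kind': kind,
                         'status': status, 'severity': 'critical' if critical else 'warning'})
        per_ip[m['ip']] += 1
    return findings, per_ip
```

A critical finding means the .env file was readable over HTTP and every credential in it should be treated as exposed and rotated.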

Appendix

AndroxGh0st.Malware (Fortinet)