
AndroxGh0st Tool Targeting Laravel Applications to Steal Sensitive Data

Security experts have recently discovered a new tool called AndroxGh0st, designed to target Laravel applications and steal sensitive data. The tool has been classified as an SMTP cracker: it combines credential exploitation, web shell deployment, and scanning to abuse SMTP services and gain access to vulnerable systems. AndroxGh0st has been detected in the wild since at least 2022 and has been used by threat actors to steal credentials for various cloud-based applications.

The tool scans for and extracts essential information from .env files, revealing login details for cloud-based applications such as AWS and Twilio. It exploits known security flaws in Apache HTTP Server, the Laravel Framework, and PHPUnit to gain initial access, escalate privileges, and establish persistence. AndroxGh0st gains entry through an Apache weakness tracked as CVE-2021-41773 and then exploits additional vulnerabilities, among them CVE-2018-15133, to execute code and establish persistent control. This allows the tool to exfiltrate sensitive data from various sources, including .env files, databases, and cloud credentials.
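Because the tool's first step is to probe web servers for exposed .env files, the cheapest place for defenders to see it is the web server access log. The following is an added example written for this article, not code from the article, Juniper Threat Labs, or the AndroxGh0st authors: it parses Apache combined-format log lines (the sample lines are constructed), flags requests for .env files and encoded directory-traversal paths (the bug class CVE-2021-41773 belongs to), and separates probes that were answered with HTTP 200, which is the case that needs an incident response rather than just a block rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:03 +0000] "GET /app/.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:01:04 +0000] "POST /.env HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:10:03:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:03:16 +0000] "GET /css/environment.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [timestamp] "METHOD path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    reason: str


def classify(path: str) -> Optional[str]:
    """Return a reason string if the request path looks like an AndroxGh0st-style probe."""
    # Decode percent-encoding twice so double-encoded dots are normalised, then drop the query.
    decoded = unquote(unquote(path)).split("?", 1)[0]
    # Laravel keeps its secrets in .env; any request for that file (or .env.bak etc.) is a credential probe.
    if re.search(r"(^|/)\.env(\.[A-Za-z0-9_-]+)?$", decoded):
        return "env-file probe"
    # Directory traversal outside the web root, the class of bug CVE-2021-41773 belongs to.
    if "../" in decoded or "/.." in decoded:
        return "path traversal"
    return None


def scan_log(text: str) -> List[Finding]:
    """Parse each log line and collect the requests that match a probe pattern."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reason = classify(m["path"])
        if reason:
            findings.append(Finding(m["ip"], m["method"], m["path"], int(m["status"]), reason))
    return findings


def exposed_env_hits(findings: List[Finding]) -> List[Finding]:
    """Probes for .env that were answered with HTTP 200: the file was most likely served."""
    return [f for f in findings if f.reason == "env-file probe" and f.status == 200]


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.ip:<14} {f.method:<5} {f.status} {f.reason:<15} {f.path}")
    served = exposed_env_hits(results)
    print(f"\n{len(served)} .env request(s) returned 200; rotate the credentials in those files.")
```

A 404 for /.env only tells you someone is scanning; a 200 means the AWS, Twilio, or database credentials in that file should be treated as compromised and rotated, which is the remediation the article's "steal credentials" description implies. The .env regex deliberately requires the dot-file name to start a path segment, so unrelated names such as environment.css are not flagged.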

According to Juniper Threat Labs researcher Kashinath T Pattan, attackers have used the tool to create a botnet for “victim identification and exploitation in target networks.” This is a severe concern for experts as the tool can target any vulnerable system, regardless of industry or size.

Moreover, Juniper Threat Labs has observed an increase in exploitation activity, making it crucial for users to update their instances to the latest version as soon as possible. Most attack attempts against its honeypot infrastructure originated from the U.S., U.K., China, the Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia, and India, indicating that AndroxGh0st is a global threat that can affect systems regardless of geographical location.

In a separate incident, AhnLab Security Intelligence Center (ASEC) discovered that attackers are targeting vulnerable WebLogic servers in South Korea to distribute a cryptocurrency miner called z0Miner and other tools such as fast reverse proxy (FRP). This follows the discovery of a malicious campaign that infiltrates AWS instances to create over 6,000 EC2 instances within minutes and deploy a binary associated with a decentralized content delivery network (CDN) known as Meson Network.

Based in Singapore, Meson Network aims to create the “world's largest bandwidth marketplace” by allowing users to exchange their idle bandwidth and storage resources for tokens. Miners will receive Meson tokens as a reward for providing servers to the platform. The reward is calculated based on the bandwidth and storage provided, incentivizing users to contribute more resources.

In conclusion, AndroxGh0st seriously threatens the security of cloud-based applications and systems. Its ability to exploit known vulnerabilities and steal sensitive data makes countering its tactics a top priority for experts. Awareness and prevention are vital to protecting against AndroxGh0st: regular updates, strong passwords, and multi-factor authentication are among the best practices that help minimize the risks associated with this dangerous tool.

Deitasoft © 2024. All Rights Reserved.