On January 16, 2024, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) that disseminates known Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with threat actors deploying Androxgh0st malware.
AndroxGh0st is a Python-scripted malware primarily used to target .env files that contain confidential information, such as credentials for various high-profile applications. This malware contains multiple features to enable Simple Mail Transfer Protocol (SMTP) abuse, including network scanning and exploitation of exposed credentials and APIs. In turn, it is capable of deploying web shells to gain persistence.
Multiple investigations and trusted third-party reporting provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.
AttackIQ has released a new assessment template that groups together those malware samples related to the activities associated with AndroxGh0st since December 2022, with the aim of helping customers validate their security controls and their ability to defend against this specific threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:
- Assess their security posture against a sophisticated and advanced threat, which does not discriminate when it comes to selecting its targets.
- Continuously validate detection and prevention pipelines against widely identified malware samples.
[CISA AA24-016A] Known Indicators of Compromise Associated with Androxgh0st Malware
This assessment template contains a collection of the different malware samples linked to the activities associated with AndroxGh0st, identified since December 2022. These malware families include:
- AndroxGh0st: Python-scripted malware primarily used to target .env files that contain confidential information, such as credentials for various high-profile applications.
- Marijuana: PHP-based web shell used as a stealthy backdoor to bypass server security. Each function is coded to overcome Web Application Firewalls (WAFs).
- GrayHat Phantom: Web shell designed to bypass modern Web Application Firewalls (WAFs). It employs an obfuscation technique similar to that used by the Marijuana web shell.
- IndoXploit: PHP-based web shell that offers a set of unique and useful features. This shell allows the user to conveniently bypass server firewalls.
- XMRig: Cryptocurrency mining software designed to mine Monero (XMR).
Detection and Mitigation Opportunities
Since this assessment template focuses on the malware samples linked to this threat's activity, AttackIQ recommends first reviewing the detection and mitigation recommendations provided by the Cybersecurity and Infrastructure Security Agency (CISA) and adapting them to your environment, to determine whether you have any existing exposure, before reviewing the assessment results.
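As an added example (not part of the original post or of the AttackIQ template), a small log review that flags web requests for .env files, since the post notes that AndroxGh0st targets them; it assumes access logs in Common Log Format, uses constructed sample lines, and assumes exposed .env files are requested over HTTP from the web root.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jan/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jan/2024:10:01:03 +0000] "GET /admin/.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jan/2024:10:01:04 +0000] "GET /.env.bak HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2024:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [16/Jan/2024:10:02:11 +0000] "GET /static/environment.js HTTP/1.1" 200 900 "-" "curl/8.0"
"""

# Request fields we need: client IP, method, path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A path segment named .env, optionally with a suffix such as .env.bak,
# followed by a query string or the end of the path. "environment.js" does not match.
ENV_PATH_RE = re.compile(r'(?:^|/)\.env(?:\.[\w.-]+)?(?:\?|$)')


def find_env_probes(lines):
    """Return one dict per request whose path targets a .env file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        if ENV_PATH_RE.search(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits


def summarize(hits):
    """Count probes per client IP and list .env paths the server actually served (HTTP 200)."""
    per_ip = Counter(h["ip"] for h in hits)
    served = sorted(h["path"] for h in hits if h["status"] == 200)
    return per_ip, served


if __name__ == "__main__":
    probes = find_env_probes(SAMPLE_LOG.splitlines())
    per_ip, served = summarize(probes)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} .env probe(s)")
    print("served (rotate any credentials these files contain):", served)
```

A served .env path (status 200) means the file was reachable from the web root and its contents should be treated as exposed; the 403/404 entries still show the probing host worth blocking.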
In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against the activities associated with this threat. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness.
AttackIQ stands at the ready to help security teams implement this assessment template and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.