Lacework
jcondon
Staff
Article Id 337158
Description AndroxGh0st is a Python-based malware family used to gain illicit access to AWS, Twilio, Microsoft Office 365, and SendGrid accounts.
Scope AndroxGh0st is widespread and succeeds often, which makes it one of the more prolific cloud credential threats. It mass-scans the internet for exploitable PHPUnit installations, Laravel applications, and Apache web servers. Against Laravel, it requests exposed environment (.env) files and parses them for AWS, Twilio, Microsoft Office 365, and SendGrid credentials. When AWS credentials are found, the actor uses them to access the victim account, create backdoor IAM users, and abuse SES and other AWS services.
Solution

Since Lacework Labs published the initial blog in 2022 (resource 1 below), Lacework has raised more than 200 alerts for customers that were attributable to AndroxGh0st or functionally similar malware.

Customers should monitor for AWS Compromised Credential composite alerts, such as the example below. No configuration beyond the AWS integration with Lacework is required to enable this detection.

[Figure: androxghost1.jpg, an example AWS Compromised Credential composite alert]

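The Scope section above describes the chain the composite alert is meant to catch: leaked keys used from an unfamiliar source, SES abuse, and backdoor IAM users. The Python below is an added example for this article, not Lacework's detection logic or any code from the blog posts. It correlates a simplified version of that chain over constructed CloudTrail records (the access key, IP addresses and user names are made up; the specific API names GetSendQuota, CreateUser, CreateLoginProfile, AttachUserPolicy and CreateAccessKey are this example's assumption of how "abuse SES" and "create backdoor users" appear in CloudTrail) and raises a single finding per access key instead of one alert per event.

```python
"""Toy composite detection for the AndroxGh0st-style AWS credential-abuse chain.

Added example, not Lacework's detection logic. Per access key it correlates:
  1. use of the key from a source IP not in that key's baseline, then
  2. SES reconnaissance and/or IAM persistence calls from that new IP.
The indicator sets below are this example's assumptions, not a published list.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# IAM calls that create or elevate a backdoor identity (assumed indicator set).
PERSISTENCE_EVENTS = {"CreateUser", "CreateLoginProfile", "CreateAccessKey", "AttachUserPolicy"}
# SES calls that probe sending capacity before abuse (assumed indicator set).
SES_RECON_EVENTS = {"GetSendQuota", "GetAccountSendingEnabled", "ListIdentities"}


@dataclass
class Finding:
    access_key: str
    new_ips: List[str]
    recon: List[str]
    persistence: List[str]
    created_users: List[str]
    severity: str


def analyze(records: List[dict], known_ips: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per access key that is used from an unseen IP and then
    performs recon or persistence. known_ips is the learned baseline of
    access key -> source IPs; a key with no baseline treats every IP as new."""
    by_key: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(rec)

    findings = []
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["eventTime"])  # CloudTrail files are not ordered
        new_ips = {r["sourceIPAddress"] for r in recs} - known_ips.get(key, set())
        if not new_ips:
            continue
        # Only successful calls from the new IP count: denied calls created nothing
        # (they would belong in a separate "attempted persistence" signal).
        from_new = [r for r in recs
                    if r["sourceIPAddress"] in new_ips and "errorCode" not in r]
        recon = [r["eventName"] for r in from_new
                 if r["eventSource"] == "ses.amazonaws.com"
                 and r["eventName"] in SES_RECON_EVENTS]
        persistence = [r["eventName"] for r in from_new
                       if r["eventSource"] == "iam.amazonaws.com"
                       and r["eventName"] in PERSISTENCE_EVENTS]
        if not (recon or persistence):
            continue  # a new IP alone is a weak signal (VPN, new CI runner)
        users = [r["requestParameters"].get("userName") for r in from_new
                 if r["eventName"] == "CreateUser"]
        findings.append(Finding(key, sorted(new_ips), recon, persistence,
                                [u for u in users if u],
                                "critical" if persistence else "high"))
    return findings


def analyze_cloudtrail_json(text: str, known_ips: Dict[str, Set[str]]) -> List[Finding]:
    """Accept a CloudTrail log file body of the form {"Records": [...]}."""
    return analyze(json.loads(text).get("Records", []), known_ips)


# ---- constructed sample data (not real keys, IPs or user names) -------------
def ev(time, service, name, ip, key, params=None, error=None):
    """Build a minimal CloudTrail-shaped record."""
    rec = {"eventTime": time, "eventSource": f"{service}.amazonaws.com",
           "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "accessKeyId": key, "userName": "ci-deploy"},
           "requestParameters": params or {}}
    if error:
        rec["errorCode"] = error
    return rec


VICTIM_KEY = "AKIAEXAMPLEKEY000001"   # key leaked via an exposed Laravel .env (made up)
KNOWN_IP = "203.0.113.10"             # CI runner that legitimately uses the key
NEW_IP = "198.51.100.77"              # attacker's scanner (RFC 5737 test range)
KNOWN_IPS = {VICTIM_KEY: {KNOWN_IP}}

SAMPLE_EVENTS = [  # deliberately out of order to exercise the sort
    ev("2024-01-16T10:05:20Z", "iam", "CreateUser", NEW_IP, VICTIM_KEY, {"userName": "support-backup"}),
    ev("2024-01-16T10:00:01Z", "s3", "ListBuckets", KNOWN_IP, VICTIM_KEY),
    ev("2024-01-16T10:05:12Z", "sts", "GetCallerIdentity", NEW_IP, VICTIM_KEY),
    ev("2024-01-16T10:05:13Z", "ses", "GetSendQuota", NEW_IP, VICTIM_KEY),
    ev("2024-01-16T10:05:21Z", "iam", "CreateLoginProfile", NEW_IP, VICTIM_KEY, {"userName": "support-backup"}),
    ev("2024-01-16T10:05:22Z", "iam", "AttachUserPolicy", NEW_IP, VICTIM_KEY,
       {"userName": "support-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    ev("2024-01-16T10:05:23Z", "iam", "CreateAccessKey", NEW_IP, VICTIM_KEY, {"userName": "support-backup"}),
]
# Routine key rotation from the usual IP: must not fire.
BENIGN_EVENTS = [ev("2024-01-16T11:00:00Z", "iam", "CreateAccessKey", KNOWN_IP, VICTIM_KEY,
                    {"userName": "ci-deploy"})]


def run_sample() -> List[Finding]:
    """Feed the sample through the CloudTrail-file entry point."""
    return analyze_cloudtrail_json(json.dumps({"Records": SAMPLE_EVENTS}), KNOWN_IPS)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
    print("benign:", analyze(BENIGN_EVENTS, KNOWN_IPS))
```

The point of correlating rather than alerting on each call is the one the Solution makes: a new source IP, a CreateAccessKey, or a GetSendQuota is noisy on its own, but the same key doing all three in sequence from an address it has never used is the signature of stolen credentials. In production the baseline would come from weeks of history rather than a dict, and denied calls from the new IP would feed a lower-severity "attempted" finding rather than being dropped.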
Additional Resources

1. Lacework Labs, initial 2022 blog: https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys
2. Lacework Labs follow-up: https://www.lacework.com/blog/androxgh0st-in-the-news-exploring-the-malwares-surge-in-attention
3. FBI/CISA joint advisory on AndroxGh0st (January 2024): https://www.ic3.gov/Media/News/2024/240116.pdf
