| Field | Details |
|---|---|
| Description | AndroxGh0st is a malware threat used to gain illicit access to AWS, Twilio, Microsoft Office 365, and SendGrid accounts. |
| Scope | AndroxGh0st is widespread and has a high success rate, making it a prolific cloud threat. It conducts mass scanning to identify and exploit PHPUnit, the Laravel Framework, and Apache web servers. In the case of Laravel, AndroxGh0st searches for insecure environment files containing AWS, Twilio, Microsoft Office 365, and SendGrid credentials. If AWS credentials are found, the threat actor will access the victim account, create backdoor users, and abuse SES and other AWS services. |
| Solution | Since Lacework Labs published the initial blog in 2022, we have helped our customers address this threat by triggering over 200 alerts that were the result of AndroxGh0st or functionally similar malware. |
| Additional Resources | 1. https://www.lacework.com/blog/androxghost-the-python-malware-exploiting-your-aws-keys 2. https://www.lacework.com/blog/androxgh0st-in-the-news-exploring-the-malwares-surge-in-attention |
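The scanning behaviour described in the Scope row leaves a recognisable trace in web server logs: a burst of requests for Laravel `.env` files and PHPUnit paths from one source. The script below is an added example written for this page, not code from Lacework or from the AndroxGh0st campaign. It assumes Apache "combined" log format, and the probe path patterns (`/.env` variants and any path containing `/phpunit/`) are assumptions chosen to illustrate the detection; the log lines embedded in it are constructed. The important distinction it draws is between a probe the server answered with 404 (a scan) and one answered with 200, which means the environment file was actually served and every credential in it should be treated as compromised and rotated.

```python
"""Flag AndroxGh0st-style probing for exposed environment files in Apache access logs.

Added example for this page (not Lacework's or the malware's code). Assumes the
Apache "combined" log format; probe patterns below are illustrative assumptions.
"""
import re
from collections import defaultdict

# Apache combined format: host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths the page describes AndroxGh0st hunting for: Laravel environment files
# and PHPUnit. Exact probe paths vary in the wild; these patterns are assumptions.
SUSPICIOUS = [
    ("laravel_env", re.compile(r"/\.env(\.[a-z0-9_-]+)?$", re.I)),
    ("phpunit", re.compile(r"/phpunit/", re.I)),
]

# Constructed sample log: one scanner (203.0.113.7) probing, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:03:14:15 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jan/2024:03:14:16 +0000] "GET /vendor/phpunit/ HTTP/1.1" 404 196 "-" "python-requests/2.28"
198.51.100.9 - - [10/Jan/2024:03:20:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:03:21:40 +0000] "GET /app/.env HTTP/1.1" 200 812 "-" "python-requests/2.28"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/.env?x=1" is still recognised as an .env request.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def classify(path):
    """Return the name of the first suspicious pattern the path matches, else None."""
    for name, rx in SUSPICIOUS:
        if rx.search(path):
            return name
    return None


def scan(log_text):
    """Scan log text and return (hits, exposures).

    hits:      {source_ip: [(kind, path, status), ...]} for every suspicious request
    exposures: [(source_ip, path)] for suspicious requests answered with HTTP 200,
               i.e. the file was actually served and its secrets must be rotated.
    """
    hits = defaultdict(list)
    exposures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["path"])
        if kind is None:
            continue
        hits[rec["ip"]].append((kind, rec["path"], rec["status"]))
        if rec["status"] == 200:
            exposures.append((rec["ip"], rec["path"]))
    return dict(hits), exposures


if __name__ == "__main__":
    hits, exposures = scan(SAMPLE_LOG)
    for ip, events in hits.items():
        print(f"{ip}: {len(events)} suspicious request(s)")
        for kind, path, status in events:
            print(f"    [{kind}] {path} -> {status}")
    for ip, path in exposures:
        print(f"EXPOSED: {path} was served (200) to {ip}; rotate every credential it contains")
```

In production the same `scan` function can be fed a file or a log-shipping stream; the `exposures` list is the one to alert on immediately, while the per-IP `hits` are useful for blocking and for confirming that the `.env` file is not reachable from the document root at all.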