An emerging Python-based credential harvester and a hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.
Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and WebHost Manager (WHM) accounts.
The malware is said to bear similarities to another malware family called AndroxGh0st that was first documented by cloud security services provider Lacework in December 2022.
Cybersecurity firm SentinelOne, in an analysis published late last month, revealed that AndroxGh0st is part of a comprehensive toolset called AlienFox that's offered to threat actors to steal API keys and secrets from cloud services.
"Legion appears to be part of an emerging generation of cloud-focused credential harvester/spam utilities," security researcher Matt Muir told The Hacker News. "Developers of these tools often steal each other's code, making attribution to a particular group difficult."
Besides using Telegram as a data exfiltration point, Legion is designed to exploit web servers running content management systems (CMS), PHP, or PHP-based frameworks like Laravel.
"It can retrieve credentials for a wide range of web services, such as email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe and PayPal," Cado Labs said.
Some of the other targeted services include SendGrid, Twilio, Nexmo, AWS, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and TokBox.
The primary goal of the malware is to enable threat actors to hijack the services and weaponize the infrastructure for follow-on attacks, including mounting mass spam and opportunistic phishing campaigns.
The cybersecurity firm said it also discovered a YouTube channel containing tutorial videos on how to use Legion, suggesting that the "tool is widely distributed and is likely paid malware." The YouTube channel, which was created on June 15, 2021, remains active as of writing.
Furthermore, Legion retrieves AWS credentials from insecure or misconfigured web servers and deliver SMS spam messages to users of U.S. mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin.
"To do this, the malware retrieves the area code for a U.S. state of the user's choosing from the website www.randomphonenumbers.com," Muir said. "A rudimentary number generator function is then used to build up a list of phone numbers to target."
Another notable aspect of Legion is its ability to exploit well-known PHP vulnerabilities to register a web shell for persistent remote access or execute malicious code.
The origins of the threat actor behind the tool, who goes by the alias "forzatools" on Telegram, remain unknown, although the presence of Indonesian-language comments in the source code indicates that the developer may be Indonesian or based in the country.
SentinelOne security researcher Alex Delamotte told The Hacker News the latest discovery "highlights some new functionality" that was not previously observed in AlienFox samples and that the two pieces of malware are two distinct toolsets.
"There are many feature overlaps, yet the tools are developed independently and implementation varies," Delamotte explained. "I believe the actors are practicing their own form of business intelligence, watching the features developed by other toolsets and implementing similar features in their own tools."
"Since this malware relies heavily on misconfigurations in web server technologies and frameworks such as Laravel, it's recommended that users of these technologies review their existing security processes and ensure that secrets are appropriately stored," Muir said.
