AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials
Mar 21, 2024
Threat Intelligence / Vulnerability
Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that's used to target Laravel applications and steal sensitive data. "It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio," Juniper Threat Labs researcher Kashinath T Pattan said . "Classified as an SMTP cracker, it exploits SMTP using various strategies such as credential exploitation, web shell deployment, and vulnerability scanning." AndroxGh0st has been detected in the wild since at least 2022, with threat actors leveraging it to access Laravel environment files and steal credentials for various cloud-based applications like Amazon Web Services (AWS), SendGrid, and Twilio. Attack chains involving the Python malware are known to exploit known security flaws in Apache HTTP Server, Laravel Framework, and PHPUnit to gain initial access and for privilege escalation and persistence. Earlier this January, U