New credential stealing Hacktool targets misconfigured websites (3rd May 2023)

Ref# AL2023_25 | Date: May 3rd 2023

Description  

A new Python-based credential harvester and hacktool named Legion targets multiple cloud, messaging and hosting services, and bundles exploits for outdated web servers, with the purpose of supporting phishing and spam campaigns.

Details 

This modular malware, discovered by researchers at Cado, is believed to be related to, or based on, another recent malware called AndroGh0st. It is distributed through a public Telegram group called forzatools and offers a wide range of features, including:

  1. Vulnerable SMTP server enumeration
  2. Remote Code Execution (RCE)
  3. Vulnerable Apache server exploits
  4. Brute-force attacks against cPanel and WebHost Manager (WHM) accounts
  5. Shodan API interaction (an API key is required to retrieve a target list)
  6. Additional utilities that target AWS services

Legion primarily targets web servers that run Content Management Systems (CMS), PHP, and/or PHP-based frameworks such as Laravel. Depending on the web server software, scripting language or framework in use, the hacktool applies a set of RegEx patterns and requests the resources that typically hold stored credentials. One popular resource is the .env environment variable file, which contains application-specific credentials for Laravel and other PHP-based web applications. Legion carries a list of likely paths to this file, which it attempts to access, along with other similar files and their respective likely directory paths for other web technologies. Examples of these paths are shown below:

| Apache | Laravel | Generic Debug Paths |
| --- | --- | --- |
| /_profiler/phpinfo | /conf/.env | /debug/default/view?panel=config |
| /tool/view/phpinfo.view.php | /wp-content/.env | /tool/view/phpinfo.view.php |
| /debug/default/view.html | /library/.env | /debug/default/view.html |
| /frontend/web/debug/default/view | /vendor/.env | /frontend/web/debug/default/view |
| /.aws/credentials | /api/.env | /web/debug/default/view |
| /config/aws.yml | /laravel/.env | /sapi/debug/default/view |
| /symfony/public/_profiler/phpinfo | /sites/all/libraries/mailchimp/.env | /wp-config.php-backup |
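Because every path in the table is a plain HTTP request, the cheapest place to spot Legion is the web server access log. The following script is an added example (not part of this advisory or of the Cado research) that matches Apache combined-format log lines against the exact paths above, plus a broader set of patterns of my own that cover the same classes of probe under directories the table does not enumerate, and aggregates hits per source IP. The log lines are constructed samples; the threshold and the `served` list (probes that returned 200, the case that needs incident response rather than just blocking) are my design choices.

```python
import re
from collections import defaultdict

# Probe paths from the advisory's table (Apache, Laravel and generic debug columns).
LEGION_PROBE_PATHS = {
    "/_profiler/phpinfo", "/tool/view/phpinfo.view.php", "/debug/default/view.html",
    "/frontend/web/debug/default/view", "/.aws/credentials", "/config/aws.yml",
    "/symfony/public/_profiler/phpinfo", "/conf/.env", "/wp-content/.env",
    "/library/.env", "/vendor/.env", "/api/.env", "/laravel/.env",
    "/sites/all/libraries/mailchimp/.env", "/debug/default/view?panel=config",
    "/web/debug/default/view", "/sapi/debug/default/view", "/wp-config.php-backup",
}

# Broader patterns (my generalisation, not from the advisory) catching the same
# classes of probe: any .env lookup, any phpinfo or debug/default/view endpoint,
# wp-config backup copies, and anything under a .aws/ directory.
GENERIC_PROBE_RE = re.compile(
    r"(/\.env(\.[\w.-]+)?$|phpinfo|/debug/default/view|/wp-config\.php[\w.~-]+$|/\.aws/)",
    re.IGNORECASE,
)

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(path):
    """Return 'listed' for an exact advisory path, 'generic' for a pattern hit, else None."""
    if path in LEGION_PROBE_PATHS:
        return "listed"
    if GENERIC_PROBE_RE.search(path.split("?", 1)[0]):
        return "generic"
    return None


def scan_access_log(lines, threshold=3):
    """Aggregate probe hits per source IP.

    Returns {ip: {"listed": n, "generic": n, "paths": [...], "served": [...]}} for
    every IP with at least `threshold` probe requests. 'served' holds probe paths
    that returned 200, i.e. a secret file that was actually handed out.
    """
    hits = defaultdict(lambda: {"listed": 0, "generic": 0, "paths": [], "served": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        kind = classify_request(m["path"])
        if kind is None:
            continue
        rec = hits[m["ip"]]
        rec[kind] += 1
        rec["paths"].append(m["path"])
        if m["status"] == "200":
            rec["served"].append(m["path"])
    return {ip: r for ip, r in hits.items() if r["listed"] + r["generic"] >= threshold}


# Constructed sample log lines (not real traffic): one scanning source, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/May/2023:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/May/2023:10:00:01 +0000] "GET /conf/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/May/2023:10:00:02 +0000] "GET /vendor/.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/May/2023:10:00:02 +0000] "GET /_profiler/phpinfo HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [03/May/2023:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [03/May/2023:10:00:06 +0000] "GET /about HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, rec in scan_access_log(SAMPLE_LOG).items():
        print(ip, rec["listed"], "listed +", rec["generic"], "generic probes; served:", rec["served"])
```

Run against a real log with `scan_access_log(open("access.log"))`; a 404 storm on these paths is reconnaissance and a blocking candidate, while any entry in `served` means a credential file was readable and those credentials should be rotated.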

 

The full list of services targeted by Legion for credential extraction is:

Services Targeted

  • Twilio
  • Plivo
  • Nexmo
  • Clicksend
  • Stripe/Paypal (payment API function)
  • Mandrill
  • AWS console credentials
  • Mailjet
  • AWS SNS, S3 and SES specific credentials
  • MessageBird
  • Mailgun
  • Vonage
  • Exotel
  • Clickatel
  • Onesignal
  • Tokbox
  • Database Administration
  • SMTP credentials
  • CMS credentials (CPanel, WHM, PHPmyadmin)

The researchers noted that Legion seemed particularly interested in AWS services, as the hacktool includes a function, aws_generator(), dedicated to generating keys for brute-forcing AWS credentials. However, the researchers concluded that this is a fairly new implementation and that it is highly unlikely to generate usable results. Regardless, if an AWS credential is obtained, the malware attempts to create an Identity and Access Management (IAM) user on the service with the hardcoded username ses-legion. An IAM user is an entity that can access the AWS Management Console and interact with AWS resources. The malware's intent is to create an AdministratorAccess policy for that user, granting it full access to all services and resources within AWS.
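The IAM behaviour above leaves a clear trail in CloudTrail: a CreateUser event for the hardcoded name ses-legion, followed by an AttachUserPolicy event carrying the AdministratorAccess policy. The script below is an added example (not part of this advisory or of the Cado research) that scans CloudTrail records for both events. The records are constructed samples whose field names follow the CloudTrail schema but whose values are invented; flagging AdministratorAccess grants to any user, not only ses-legion, is my generalisation, since an attacker can change a hardcoded username far more easily than the policy they need.

```python
import json

# Hardcoded username and policy named in the advisory.
LEGION_IAM_USER = "ses-legion"
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"


def analyse_cloudtrail(events):
    """Return a list of (finding, source_ip, user_name) tuples for suspicious IAM events.

    Flags CreateUser for the Legion username, and any AttachUserPolicy that grants
    AdministratorAccess (generalised beyond ses-legion on purpose).
    """
    findings = []
    for ev in events:
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        src = ev.get("sourceIPAddress")
        if name == "CreateUser" and params.get("userName") == LEGION_IAM_USER:
            findings.append(("legion_iam_user_created", src, params["userName"]))
        elif name == "AttachUserPolicy" and str(params.get("policyArn", "")).endswith(ADMIN_POLICY_SUFFIX):
            findings.append(("admin_policy_attached", src, params.get("userName")))
    return findings


# Constructed CloudTrail-style records (not from a real account): two events from the
# attacker's source and two benign events from an administrator, for contrast.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-05-03T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "ses-legion"}},
    {"eventTime": "2023-05-03T10:01:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"userName": "ses-legion",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-05-03T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.2",
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2023-05-03T11:00:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.2",
     "requestParameters": {"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]})


def load_sample_events():
    """Parse the constructed trail the same way a downloaded CloudTrail log file is parsed."""
    return json.loads(SAMPLE_TRAIL)["Records"]


if __name__ == "__main__":
    for finding in analyse_cloudtrail(load_sample_events()):
        print(*finding)
```

Against real data, feed `analyse_cloudtrail` the `Records` array of each CloudTrail log file; a hit on the first finding means the compromised AWS key must be revoked and the ses-legion user deleted, and a hit on the second means the attached policy needs to be removed and the originating access reviewed.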

Legion also has the ability to deliver SMS spam messages to mobile users located in the United States. To achieve this, the operator provides a state, and the malware retrieves the area code for that US state from the website www.randomphonenumbers.com. The area code is extracted using Python's BeautifulSoup HTML parsing library. A basic number generator function is then used to build a list of phone numbers to target. The malware then goes through the SMTP credentials saved by one of its credential harvesting modules and uses them to initiate the SMS spam attack. The carriers targeted are:

US Mobile Carriers Targeted

  • Alltel
  • Sprint
  • Ampd Mobile
  • SunCom
  • AT&T
  • T-Mobile
  • Boost Mobile
  • VoiceStream
  • Cingular
  • US Cellular
  • Cricket
  • Verizon
  • Einstein PCS
  • Virgin

Lastly, Legion has the ability to exploit well-known PHP vulnerabilities on outdated servers in order to install web shells or execute malicious code.

Indicators of Compromise 

The SHA256 hashes for Legion are listed below: 

  • legion.py – fcd95a68cd8db0199e2dd7d1ecc4b7626532681b41654519463366e27f54e65a 

  • legion.py (variant) – 42109b61cfe2e1423b6f78c093c3411989838085d7e6a5f319c6e77b3cc462f3 

Remediation 

Since Legion relies heavily on misconfigurations and outdated web server technologies and frameworks, it is highly recommended that users hosting any of the targeted technologies review their existing security controls and configurations and ensure that these technologies are up to date with the latest patches. If credentials are stored in an .env file, it is recommended to keep that file outside the web server's document root so that it cannot be requested from the web.
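A quick way to check the last recommendation is to walk the document root and list any file of the kinds the advisory shows Legion requesting (.env files, wp-config.php backup copies, .aws/credentials, aws.yml). The script below is an added example (not part of this advisory or of any project it names). It builds a constructed project tree under a temporary directory so it can run offline; the `project/.env` placed one level above `public/` illustrates the recommended layout and is correctly not reported.

```python
import os
import tempfile


def is_sensitive(rel_path):
    """True for file kinds the advisory reports Legion requesting from web roots."""
    name = os.path.basename(rel_path)
    parent = os.path.basename(os.path.dirname(rel_path))
    if name == ".env" or name.startswith(".env."):
        return True
    if name.startswith("wp-config.php") and name != "wp-config.php":
        return True  # backup copies such as wp-config.php-backup
    if parent == ".aws" and name == "credentials":
        return True
    if name == "aws.yml":
        return True
    return False


def find_exposed_secrets(docroot):
    """Walk the document root and return sorted relative paths of sensitive files found there."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for fn in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fn), docroot).replace(os.sep, "/")
            if is_sensitive(rel):
                exposed.append(rel)
    return sorted(exposed)


def build_sample_docroot():
    """Create a constructed project tree in a temp dir and return its public/ document root.

    Layout (constructed for this example):
      project/.env                          correct location, outside the web root
      project/public/.env                   exposed
      project/public/vendor/.env            exposed
      project/public/wp-config.php-backup   exposed
      project/public/index.php              fine
    """
    project = os.path.join(tempfile.mkdtemp(), "project")
    public = os.path.join(project, "public")
    os.makedirs(os.path.join(public, "vendor"))
    for rel in (".env", "public/.env", "public/vendor/.env",
                "public/wp-config.php-backup", "public/index.php"):
        with open(os.path.join(project, rel), "w") as fh:
            fh.write("# constructed sample file\n")
    return public


if __name__ == "__main__":
    root = build_sample_docroot()
    for path in find_exposed_secrets(root):
        print("move out of the web root:", path)
```

On a live host, call `find_exposed_secrets("/var/www/html")` (or whatever the server's document root is) and move every reported file above the document root; for files that must stay, such as WordPress's own wp-config.php, the server's access rules should deny direct requests and backup copies should not be left beside it.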

PDF Download: Credential stealing Hacktool targets misconfigured websites.pdf

References