Python/AndroxGhost.HACK!tr
Analysis
Python/AndroxGhost.HACK!tr is classified as a trojan.
A trojan is a type of malware that performs activities without the user’s knowledge.
Below are some of its observed characteristics/behaviours:
- This malware is related to the AndroxGhost outbreak.
- This malware is a hack tool. It scans for exposed Laravel .env files and parses them for configuration data/variables. The information obtained from the .env files includes mail server details and database information.
- After using this hack tool to gain access to a victim's sensitive data, such as access keys for AWS, an attacker may use the compromised credentials in different ways including phishing, spamming or malicious email campaigns.
- Following are some of the exact file hashes associated with this detection:
  - Md5: ed3edb193c62c958c4d5c1de37875bc4 / Sha256: f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88
  - Md5: 6f196ea47fdf6d6396df0dc6093682ed / Sha256: 3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a
  - Md5: db9f8fa43bcd9b8675f0aea25a3fe617 / Sha256: 70f35dfd9650437229453570f53969fb1644b1d07f282645c27a3877752a68bd
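As an added example (not part of this FortiGuard entry or the tool itself), the following Python scans a web server access log for the .env requests that this kind of scanner generates, separating mere probes from requests the server actually answered with HTTP 200. The log lines, addresses and paths are constructed samples; a 200 means the file was readable and every credential in it should be treated as leaked and rotated.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format (made-up IPs/times).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:01:12 +0000] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:13 +0000] "GET /vendor/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:08:02:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:02:44 +0000] "POST /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:08:03:10 +0000] "GET /api/.env?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Matches a path whose last component is .env (or a variant such as .env.bak).
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    return rec


def find_env_probes(log_text):
    """Summarise .env requests per source IP.

    'exposed' is True when at least one request was served with HTTP 200,
    i.e. the file was actually readable and its secrets must be considered leaked.
    """
    summary = defaultdict(lambda: {"attempts": 0, "exposed": False, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ENV_PATH_RE.search(rec["path"]):
            continue
        entry = summary[rec["ip"]]
        entry["attempts"] += 1
        entry["paths"].add(rec["path"])
        if rec["status"] == 200:
            entry["exposed"] = True
    return dict(summary)


if __name__ == "__main__":
    for ip, info in find_env_probes(SAMPLE_LOG).items():
        level = "CRITICAL" if info["exposed"] else "probe"
        print(f"{level}: {ip} {info['attempts']} request(s) -> {sorted(info['paths'])}")
```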
Outbreak Alert
FortiGuard Labs continues to observe widespread activity of Androxgh0st malware in the wild exploiting multiple vulnerabilities, specifically targeting PHPUnit (CVE-2017-9841), the Laravel Framework (CVE-2018-15133) and Apache Web Server (CVE-2021-41773), to spread and conduct information-gathering attacks on target networks.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR