Python/AndroxGhost.HACK!tr

Analysis

Python/AndroxGhost.HACK!tr is classified as a trojan.
A trojan is a type of malware that performs activities without the user's knowledge.
Below are some of its observed characteristics/behaviours:

  • This malware is related to the AndroxGhost outbreak.

  • This malware is a hack tool. It is used to scan for and parse exposed Laravel .env files in order to harvest the configuration data/variables they hold. The information obtained from the .env files includes mail server details and database information.

  • After using this hack tool to gain access to a victim's sensitive data, such as AWS access keys, an attacker may use the compromised credentials in a number of ways, including phishing, spamming or malicious email campaigns.

  • The following file hashes are associated with this detection:
    • MD5: ed3edb193c62c958c4d5c1de37875bc4
      SHA-256: f6f240dc2d32bfd83b49025382dc0a1cf86dba587018de4cd96df16197f05d88
    • MD5: 6f196ea47fdf6d6396df0dc6093682ed
      SHA-256: 3b04f3ae4796d77e5a458fe702612228b773bbdefbb64f20d52c574790b5c81a
    • MD5: db9f8fa43bcd9b8675f0aea25a3fe617
      SHA-256: 70f35dfd9650437229453570f53969fb1644b1d07f282645c27a3877752a68bd
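The .env probing described above leaves a recognisable trace in web server access logs. As an added, defender-side example that is not part of this FortiGuard entry, the script below parses constructed Apache/nginx combined-format log lines, groups requests for a file named `.env` by source address, and records whether the server actually returned the file (status 200), which is the case where the exposed credentials must be rotated.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format (not real telemetry).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.10 - - [25/Apr/2023:10:01:03 +0000] "GET /admin/.env HTTP/1.1" 404 162 "-" "python-requests/2.28"
198.51.100.7 - - [25/Apr/2023:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Apr/2023:10:01:04 +0000] "POST /%2Eenv HTTP/1.1" 403 199 "-" "python-requests/2.28"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_env_probe(path):
    """True when the request targets a file literally named .env. The query string is
    dropped and percent-encoding decoded first, so /%2Eenv?x=1 still counts."""
    clean = unquote(path.split("?", 1)[0]).rstrip("/")
    return clean.rsplit("/", 1)[-1] == ".env"

def find_env_probes(log_text):
    """Group .env requests by source IP. 'served' counts 200 responses, i.e. cases
    where the secrets were actually handed out and must be rotated."""
    hits = defaultdict(lambda: {"requests": 0, "served": 0, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["path"]):
            continue
        entry = hits[rec["ip"]]
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
        if rec["status"] == 200:
            entry["served"] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, info in find_env_probes(SAMPLE_LOG).items():
        print(f"{ip}: {info['requests']} .env request(s), {info['served']} served")
```

A single 200 response to such a request means the .env contents (mail and database credentials, cloud keys) should be treated as compromised regardless of whether the scanner is later blocked.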

Outbreak Alert

FortiGuard Labs continues to observe widespread activity of Androxgh0st malware in the wild. It exploits multiple vulnerabilities, specifically targeting PHPUnit (CVE-2017-9841), the Laravel Framework (CVE-2018-15133) and Apache Web Server (CVE-2021-41773), to spread and to conduct information-gathering attacks on target networks.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-04-25 91.02686
2023-04-17 91.02456
2023-03-17 91.01511
2023-01-27 91.00042
2023-01-27 91.00037