UPDATED 06:00 EDT / APRIL 13 2023

SECURITY

New Python credential harvester and hacking tool being sold on Telegram

Researchers at cloud forensics and incident response platform startup Cado Security Ltd. today announced details of a recently discovered Python-based credential harvester and hacking tool.

Dubbed “Legion,” the credential harvester is being sold via Telegram and is designed to exploit various services for email abuse. The researchers believe that Legion is likely linked to the AndroxGh0st malware family that was first reported in December 2022.

Legion is designed to exploit web servers running content management systems, PHP or PHP-based frameworks. The tool can retrieve credentials for a wide range of web services, such as email providers, cloud service providers, server management systems, databases and payment platforms such as those provided by Stripe Inc. and PayPal Holdings Inc. Legion can hijack SMS messages and compromise Amazon Web Services Inc. credentials.

Modules available for Legion include ones that can enumerate vulnerable SMTP servers, conduct remote code execution, exploit vulnerable versions of Apache, and brute-force cPanel and WebHost Manager accounts. One module also interacts with the application programming interface provided by the Shodan Search Engine to retrieve a target list. Additional modules are also focused on abusing AWS services.

One standout feature of Legion highlighted by the researchers is its ability to send SMS spam messages to users of mobile networks in the U.S. across all carriers.

Legion is being sold on various Telegram channels and is also being promoted on YouTube through a series of tutorial videos. The researchers note that the fact that the developer behind Legion has gone to the effort of creating YouTube videos suggests that the tool is widely distributed and is likely paid malware.

Though they’re not 100% sure where the malware came from, Cado’s researchers found comments made in Bahasa Indonesia, suggesting that the developer is either Indonesian or is based in Indonesia. A link to a GitHub Gist also leads to a user named “Galeh Rizky,” who has a profile that suggests residence in Indonesia.

“Since this malware relies heavily on misconfigurations in web server technologies and frameworks such as Laravel, it’s recommended that users of these technologies review their existing security processes and ensure that secrets are appropriately stored,” the researchers concluded. “Ideally, if credentials are to be stored in a .env file, this should be stored outside web server directories so that it’s inaccessible from the web.”
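As an added illustration of the two checks that recommendation implies (this is not Legion's code, nor Cado's or SiliconANGLE's), the Python below does two things: it flags requests for dotfile paths such as /.env in web server access logs and separates mere probes from requests the server actually answered with 200, and it parses a Laravel-style .env to show which credential groups a harvester would walk away with if the file were served. The log lines, IP addresses and the .env body are constructed for the example; DB_*, MAIL_* and AWS_* are Laravel's stock variable names, STRIPE_* follows Laravel Cashier, and PAYPAL_SECRET is an assumed name with no Laravel default.

```python
"""Added example: spot .env probing in access logs and assess what a served .env leaks.

Not Legion's code. Sample log lines and the .env body below are constructed."""
import re
from collections import Counter

# Constructed combined-log-format lines. IPs are RFC 5737 documentation addresses,
# paths are hypothetical. 203.0.113.7 probes three dotfiles and gets /.env served.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2023:06:00:01 +0000] "GET /.env HTTP/1.1" 200 1324 "-" "python-requests/2.28.1"
203.0.113.7 - - [13/Apr/2023:06:00:02 +0000] "GET /laravel/.env HTTP/1.1" 404 196 "-" "python-requests/2.28.1"
198.51.100.9 - - [13/Apr/2023:06:01:10 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2023:06:01:11 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "python-requests/2.28.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_access_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_dotfile_path(path):
    """True when any path segment starts with '.', e.g. /.env, /app/.env, /.git/config."""
    path = path.split("?", 1)[0]
    return any(seg.startswith(".") for seg in path.split("/") if seg)


def find_dotfile_probes(text):
    """Return (ip, path, status) for every request aimed at a dotfile path."""
    return [(r["ip"], r["path"], int(r["status"]))
            for r in parse_access_log(text) if is_dotfile_path(r["path"])]


def confirmed_exposures(text):
    """Dotfile requests answered with 200: the server actually handed the file out."""
    return [(ip, path) for ip, path, status in find_dotfile_probes(text) if status == 200]


def probes_per_source(text):
    """How many dotfile probes each client address sent."""
    return Counter(ip for ip, _, _ in find_dotfile_probes(text))


# Constructed Laravel-style .env; every value is a placeholder (the AWS pair is
# Amazon's documented example key, not a live credential).
SAMPLE_ENV = """\
# application settings
APP_NAME=Shop
export APP_DEBUG=true
APP_KEY=base64:cGxhY2Vob2xkZXI=
DB_HOST=127.0.0.1
DB_USERNAME=shop
DB_PASSWORD="s3cr3t"
MAIL_HOST=smtp.example.com
MAIL_USERNAME=mailer@example.com
MAIL_PASSWORD='mail-pass'
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
STRIPE_SECRET=sk_test_placeholder
PAYPAL_SECRET=
"""

DOTENV_RE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_dotenv(body):
    """Minimal .env parser: skips comments and blanks, accepts 'export', strips matching quotes."""
    values = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DOTENV_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            raw = raw[1:-1]
        values[key] = raw
    return values


# Secret-bearing variable names per credential group. DB_*, MAIL_* and AWS_* are
# Laravel defaults, STRIPE_SECRET is Laravel Cashier's, PAYPAL_SECRET is assumed.
CREDENTIAL_GROUPS = {
    "database": ("DB_USERNAME", "DB_PASSWORD"),
    "smtp": ("MAIL_USERNAME", "MAIL_PASSWORD"),
    "aws": ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),
    "stripe": ("STRIPE_SECRET",),
    "paypal": ("PAYPAL_SECRET",),
}


def exposed_credentials(body):
    """Map each credential group to the keys that carry a non-empty value in this .env."""
    env = parse_dotenv(body)
    found = {}
    for group, keys in CREDENTIAL_GROUPS.items():
        present = [k for k in keys if env.get(k)]
        if present:
            found[group] = present
    return found


if __name__ == "__main__":
    print("dotfile probes:", find_dotfile_probes(SAMPLE_LOG))
    print("served with 200:", confirmed_exposures(SAMPLE_LOG))
    print("probes per source:", dict(probes_per_source(SAMPLE_LOG)))
    print("a served .env would expose:", exposed_credentials(SAMPLE_ENV))
```

A 404 or 403 on /.env is a probe worth counting per source address; a 200 means the file left the server and every group `exposed_credentials` reports should be rotated, not just the web server fixed. Keeping the .env above the document root, as the researchers recommend, makes the 200 case impossible regardless of framework settings.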

Photo: Wallpaper Flare
