Researchers at cloud forensics and incident response platform startup Cado Security Ltd. today announced details of a recently discovered Python-based credential harvester and hacking tool.

Dubbed “Legion,” the credential harvester is being sold via Telegram and is designed to exploit various services for email abuse. The researchers believe that Legion is likely linked to the AndroxGh0st malware family that was first reported in December 2022.

Legion is designed to exploit web servers running content management systems, PHP or PHP-based frameworks. The tool can retrieve credentials for a wide range of web services, such as email providers, cloud service providers, server management systems, databases and payment platforms such as those provided by Stripe Inc. and PayPal Holdings Inc. Legion can hijack SMS messages and compromise Amazon Web Services Inc. credentials.

Modules available for Legion include ones that can enumerate vulnerable SMTP servers, conduct remote code execution, exploit vulnerable versions of Apache, and brute-force cPanel and WebHost Manager accounts. One module also interacts with the application programming interface provided by the Shodan Search Engine to retrieve a target list. Additional modules are also focused on abusing AWS services.

One standout of Legion highlighted by the researcher is its ability to send SMS spam messages to users of mobile networks in the U.S. across all carriers.

Legion is being sold on various Telegram channels and is also being promoted on YouTube through a series of tutorial videos. The researchers note that the fact that the developer behind Legion has gone to the effort of creating YouTube videos suggests that the tool is widely distributed and is likely paid malware.

Though they’re not 100% sure where the malware came from, Cado’s researchers found comments made in Bahasa Indonesia, suggesting that the developer is either Indonesian or is based in Indonesia. A link to a GitHub Gist also leads to a user named “Galeh Rizky,” who has a profile that suggests residence in Indonesia.

“Since this malware relies heavily on misconfigurations in web server technologies and frameworks such as Laravel, it’s recommended that users of these technologies review their existing security processes and ensure that secrets are appropriately stored,” the researchers concluded. “Ideally, if credentials are to be stored in a .env file, which should be stored outside web server directories so that it’s inaccessible from the web.”

Photo: Wallpaper Flare