Description
A new python-based credential harvester and hacktool named Legion targets multiple services and exploits for the purpose of phishing and spam attacks.
Details
This modular malware, discovered by researchers at Cado, is said to be related to or based off another recent malware called AndroGh0st. It is available through a public Telegram group called forzatools and features a wide range of features such as:
Vulnerable SMTP server enumeration
Remote Code Execution (RCE)
Vulnerable Apache server exploits
brute-force attacks (cPanel and WebHost Manager (WHM) accounts)
Shodans API interaction (an API key is required to retrieve a target list)
Additional utilities that target AWS services
Legion primarily targets web servers that run Content Management Systems (CMS), PHP and/or PHP-based frameworks such as Laravel. Depending on the web server software, scripting language or framework in used, the hacktool uses a number of RegEx patterns that attempts to request resources that contain the stored credentials. One popular resource is the .env environments variable file which contains application specific credentials for Laravel and other PHP-based web applications. Legion has a list of possible likely paths to this file that it attempted to access along with other similar files and their respective possible directory paths for other web technologies. Examples of these paths are shown below:
|
Apache |
Laravel |
Generic Debug Paths |
|
/_profiler/phpinfo |
/conf/.env |
/debug/default/view?panel=config |
|
/tool/view/phpinfo.view.php |
/wp-content/.env |
/tool/view/phpinfo.view.php |
|
/debug/default/view.html |
/library/.env |
/debug/default/view.html |
|
/frontend/web/debug/default/view |
/vendor/.env |
/frontend/web/debug/default/view |
|
/.aws/credentials |
/api/.env |
/web/debug/default/view |
|
/config/aws.yml |
/laravel/.env |
/sapi/debug/default/view |
|
/symfony/public/_profiler/phpinfo |
/sites/all/libraries/mailchimp/.env |
/wp-config.php-backup |
The full list of services targeted by Legion for credential extraction are:
|
Services Targeted |
|
|
Twilio |
Plivo |
|
Nexmo |
Clicksend |
|
Stripe/Paypal (payment API function) |
Mandrill |
|
AWS console credentials |
Mailjet |
|
AWS SNS, S3 and SES specific credentials |
MessageBird |
|
Mailgun |
Vonage |
|
Exotel |
Clickatel |
|
Onesignal |
Tokbox |
|
Database Administration |
SMTP credentials |
|
CMS credentials (CPanel, WHM, PHPmyadmin) |
|
The researchers noted that Legion seemed more particularly interested in AWS services as the hacktool includes a function aws_generator() dedicated to generating keys to brute-force AWS credentials. However, the researchers concluded that this is a fairly new implementation and it is highly unlikely that it will generate usable results. Regardless, if an AWS credential is obtained, the malware will attempt to create an Identity and Access Management (IAM) user on the service with the hardcoded username ses-legion. An IAM user is an entity that can access the AWS Management Console and interact with AWS resources. The malware intends on creating an AdministratorAccess policy to grant it full access to all services and resources within AWS.
Legion also has the ability to deliver SMS spam messages to mobile users located in the United States. To achieve this, the user provides a state, and the malware retrieves the area code for the US state from the website www.randomphonenumbers.com. The number is retrieved using a Pythons BeautifulSoup HTML parsing library. A basic number generator function is then used to build up a list of phone numbers to target. The malware then surveys its saved SMTP credentials retrieved by one of its credential harvesting modules and uses that to initiate the SMS spam attack. The list of carriers targeted are:
|
US Mobile Carriers Targeted |
|
|
Alltel |
Sprint |
|
Ampd Mobile |
SunCom |
|
AT&T |
T-Mobile |
|
Boost Mobile |
VoiceStream |
|
Cingular |
US Cellular |
|
Cricket |
Verizon |
|
Einstein PCS |
Virgin |
Lastly, Legion has the ability to exploit well-known PHP vulnerabilities residing on outdated servers with the purpose of installing web shells or to execute malicious code.
Indicators of Compromise
The SHA256 hashes for Legion are listed below:
legion.py – fcd95a68cd8db0199e2dd7d1ecc4b7626532681b41654519463366e27f54e65a
legion.py (variant) – 42109b61cfe2e1423b6f78c093c3411989838085d7e6a5f319c6e77b3cc462f3
Remediation
Since Legion relies heavily on misconfigurations and outdated web server technologies and frameworks, it is highly recommended that users hosting any of the targeted technologies review their existing security structures and configurations and ensure that these technologies are up to date with the latest patches. If credentials are stored in an .env file, it is recommended to store these files outside of web server directories so that they are inaccessible from the web.
PDF Download: Credential stealing Hacktool targets misconfigured websites.pdf
References
Toulas, B. (2023, April 13). Legion: New hacktool steals credentials from misconfigured sites. Retrieved from the BleepingComputer. https://www.bleepingcomputer.com/news/security/legion-new-hacktool-steals-credentials-from-misconfigured-sites/
Muir, M. (2023, April 13). Legion: an AWS Credential Harvester and SMTP Hijacker. Retrieved from Cado Security. https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/