New hacktool steals credentials from misconfigured websites


A new Python-based credential harvester and SMTP hijacking tool named 'Legion' is being sold on Telegram. It targets online email services for phishing and spam attacks.

Legion is sold by cybercriminals who use the "Forza Tools" moniker and operate a YouTube channel with tutorials and a Telegram channel with over a thousand members.

Forza Tools tutorials on YouTube (Cado)

Legion is modular malware which, according to Cado, is likely based on the AndroxGh0st malware. It features modules to perform SMTP server enumeration and remote code execution, exploit vulnerable Apache versions, brute-force cPanel and WebHost Manager accounts, interact with Shodan's API, and abuse AWS services.

The tool targets many services for credential theft, including Twilio, Nexmo, Stripe/PayPal (payment API function), AWS console credentials, AWS SNS, S3 and SES specifically, Mailgun, and database/CMS platforms.

All services targeted by Legion (Cado)

Besides extracting credentials and breaching web services, Legion can also create administrator users, implant webshells, and send spam SMS to customers of U.S. carriers.

Harvesting credentials

Legion typically targets unsecured web servers running content management systems (CMS) and PHP-based frameworks like Laravel, using regex patterns to search for files commonly known to hold secrets, authentication tokens, and API keys.

The tool uses an array of methods to retrieve credentials from misconfigured web servers, such as targeting environment variable files (.env) and configuration files that may contain SMTP, AWS console, Mailgun, Twilio, and Nexmo credentials.

Paths parsed by Legion for stored secrets (Cado)
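The harvesting step described above (walk a web root, pick out well-known config file names, run regexes over them) is also what a defender should run against their own servers before an attacker does. The following is an added example for this article, not code from Legion or from Cado's report; the candidate file names and the regexes are assumptions modelled on common Laravel `.env` keys and the public formats of AWS access key IDs, Mailgun legacy keys and Twilio account SIDs, not Legion's actual patterns. The sample web root it scans is constructed in a temporary directory with placeholder values.

```python
"""Audit a web root for the secret-bearing files Legion-style harvesters look for.

Added example, not Legion's or Cado's code. Mimics the harvester's approach so an
operator can find exposed secrets first. File names and regexes are assumptions.
"""
import os
import re
import tempfile

# File names commonly searched by credential harvesters (assumed list).
CANDIDATE_FILES = {
    ".env", ".env.bak", ".env.example", "wp-config.php",
    "config.php", "database.yml", "settings.py",
}

# Regexes for credential material. Key names follow Laravel conventions;
# the AWS/Mailgun/Twilio formats are the publicly documented ones.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "smtp_password": re.compile(r"^MAIL_PASSWORD\s*=\s*\S+", re.M),
    "mailgun_key": re.compile(r"\bkey-[0-9a-f]{32}\b"),
    "twilio_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "nexmo_secret": re.compile(r"^NEXMO_API_SECRET\s*=\s*\S+", re.M),
}


def scan_text(text):
    """Return the set of pattern names that match the given file contents."""
    return {name for name, rx in SECRET_PATTERNS.items() if rx.search(text)}


def scan_webroot(root):
    """Walk `root`; return {relative_path: sorted hit names} for candidate files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname not in CANDIDATE_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = sorted(hits)
    return findings


# Constructed sample web root. No real credentials: the AWS key is the
# documentation example key and the other values are placeholders.
SAMPLE_FILES = {
    ".env": (
        "APP_KEY=base64:placeholder\n"
        "MAIL_HOST=smtp.example.net\n"
        "MAIL_PASSWORD=S3cr3tMailPass\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "public/index.php": "<?php echo 'hello';\n",
    # A forgotten backup copy: exactly the kind of file harvesters catch.
    "storage/.env.bak": "TWILIO_SID=AC0123456789abcdef0123456789abcdef\n",
}


def build_sample_webroot():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="legion-audit-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed web root and return the findings."""
    return scan_webroot(build_sample_webroot())


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Point it at the real document root instead of the constructed one and treat every hit under a web-served directory as a secret to rotate, not just to delete: a harvester that already fetched the file keeps the credentials.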

Besides attempting to harvest AWS credentials, Legion also includes a brute-forcing routine to guess them.

However, Cado comments that it is statistically unlikely that this routine can generate usable credentials in its current state. A similar feature is included for brute-forcing SendGrid credentials.

Code to brute-force AWS credentials (Cado)

Regardless of how the credentials are obtained, Legion uses them to gain access to email services and send out spam or phishing emails.

If Legion captures valid AWS credentials, it attempts to create an IAM user named 'ses_legion' and attaches a policy granting it administrator rights, giving the rogue user full access to all AWS services and resources.

IAM policy creation (Cado)

Legion can also send SMS spam by leveraging stolen SMTP credentials, after generating a list of phone numbers from area codes retrieved from online services.

The carriers supported by the malware include AT&T, Sprint, US Cellular, T-Mobile, Cricket, Verizon, Virgin, SunCom, Alltel, Cingular, VoiceStream, and more.

Finally, Legion can exploit known PHP vulnerabilities to register a webshell on the targeted endpoint or perform remote code execution, giving the attacker full access to the server.

In conclusion, Legion is an all-purpose credential harvester and hacking tool gaining traction in the cybercrime world, increasing the risk for poorly managed and misconfigured web servers.

AWS users should look for indicators of compromise, such as an unexpected IAM user (Legion names it 'ses_legion') tagged with an "Owner" tag whose value is "ms.boharas."
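The indicators from the two AWS passages above (the 'ses_legion' user with administrator rights, and the Owner tag set to "ms.boharas") can be checked mechanically across an account. The following is an added example, not Cado's or AWS's code. It operates on dictionaries shaped like the responses of boto3's `iam.list_users`, `list_user_tags`, `list_attached_user_policies` and `get_user_policy`, so it runs offline on a constructed inventory; to use it for real, populate the inventory from those API calls. The sample users and policy documents are constructed.

```python
"""Flag IAM users matching the Legion indicators: name 'ses_legion',
Owner tag 'ms.boharas', and administrator rights (AdministratorAccess
attached, or an inline policy allowing '*' on '*').

Added example, not Cado's or AWS's code. Input shapes follow the boto3 IAM
API (UserName, Key/Value tags, PolicyArn, policy documents); the inventory
below is constructed sample data.
"""
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def policy_is_admin(document):
    """True if any Allow statement grants Action '*' on Resource '*'.
    IAM accepts both a single statement object and a list, and both a
    string and a list for Action/Resource, so normalise all four cases."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def check_user(user, tags, attached_arns, inline_docs):
    """Return the list of indicator names that fire for one IAM user."""
    hits = []
    if user["UserName"] == "ses_legion":
        hits.append("username:ses_legion")
    if any(t["Key"] == "Owner" and t["Value"] == "ms.boharas" for t in tags):
        hits.append("tag:Owner=ms.boharas")
    if ADMIN_POLICY_ARN in attached_arns or any(policy_is_admin(d) for d in inline_docs):
        hits.append("policy:administrator")
    return hits


def scan_account(inventory):
    """inventory: list of {user, tags, attached, inline}. Return {UserName: hits}
    for every user with at least one hit."""
    results = {}
    for item in inventory:
        hits = check_user(item["user"], item["tags"], item["attached"], item["inline"])
        if hits:
            results[item["user"]["UserName"]] = hits
    return results


# Constructed inventory: one benign service user, one legitimate admin, and
# one user shaped like the Legion artefact described in the article.
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_INVENTORY = [
    {"user": {"UserName": "deploy-bot"}, "tags": [{"Key": "Owner", "Value": "platform-team"}],
     "attached": ["arn:aws:iam::aws:policy/ReadOnlyAccess"], "inline": []},
    {"user": {"UserName": "ops-admin"}, "tags": [],
     "attached": [ADMIN_POLICY_ARN], "inline": []},
    {"user": {"UserName": "ses_legion"}, "tags": [{"Key": "Owner", "Value": "ms.boharas"}],
     "attached": [], "inline": [ADMIN_DOC]},
]


def scan_sample():
    """Run the check over the constructed inventory."""
    return scan_account(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for name, hits in scan_sample().items():
        print(f"{name}: {', '.join(hits)}")
```

A lone "policy:administrator" hit (the `ops-admin` user here) is expected in most accounts and is not an indicator on its own; the name and tag hits are what single out the Legion artefact. In CloudTrail the same activity appears as `CreateUser` followed by `PutUserPolicy` or `AttachUserPolicy` from the stolen key's identity, which is worth alerting on independently of this inventory check.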
