Threat actors are selling a novel credential harvester and hacktool via a Telegram channel, which can exploit numerous Web-based services to steal credentials. It also has the bonus ability to launch SMS-based spam attacks that target US-based mobile devices as well, the researchers have found.

Researchers from Cado Security uncovered the Python-based credential stealer, called Legion, which has links to both the AndroxGh0st malware family and another previously discovered malware, they revealed in a blog post published today.

Legion's primary means of attack is to compromise misconfigured Web servers running content management systems (CMS), PHP, or PHP-based frameworks, such as Laravel, the researchers noted. Once installed, it contains several methods for retrieving credentials from the servers: by targeting the Web server software itself, scripting languages, or frameworks on which the server is running. The malware attempts to request resources from these known to contain secrets, parses them, and saves the secrets into results files sorted on a per-service basis, the researchers said.

"One such resource is the .env environment variables file, which often contains application-specific secrets for Laravel and other PHP-based Web applications," wrote Matt Muir, threat intelligence researcher at Cado Security, in the analysis. "The malware maintains a list of likely paths to this file, as well as similar files and directories for other Web technologies."

Legion then marches on to steal credentials from myriad Web-based sources and services —such as email providers, cloud service providers, server-management systems, databases, and payment platforms like Stripe and PayPal, the researchers said. And Legion can brute-force credentials to Amazon Web Services (AWS), which is consistent with similar functionality in AndroxGh0st, according to analysis of that malware by researchers at Lacework, Muir said. 

In addition to credential theft, Legion includes traditional hacktool functionality that can exploit well-known PHP vulnerabilities to register a Webshell or remotely execute malicious code, Muir tells Dark Reading.

"It is an SMTP abuse tool primarily, but it relies on opportunistic exploitation of misconfigured Web services to harvest credentials for said abuse," he says. "It also bundles additional functionality traditionally found in more common hacktools, such as the ability to execute Web-server-specific exploit code and brute force account credentials."

As mentioned, one unique aspect of the malware is that along with stealing credentials and general hacking, it also can automatically send SMS spam messages to mobile network users based in the United States, including subscribers to AT&T, Boost Mobile, Cingular, Sprint, Verizon, and more. This feature is one not often, if ever, seen in a credential harvester, the researchers noted.

This function is fairly basic: It retrieves the area code from the website www.randomphonenumbers.com, then tries different combinations of numbers to find a workable phone number.

"To retrieve the area code, Legion uses Python's BeautifulSoup HTML parsing library," Muir wrote. "A rudimentary number generator function is then used to build up a list of phone numbers to target."

To send the SMS messages themselves, the malware checks for saved SMTP credentials retrieved by one of the credential-harvesting modules, he added.

Widespread Malware Distribution via Telegram

A public Telegram group with more than 1,000 members to which Cado researchers gained access is distributing Legion, which also has a dedicated YouTube channel containing tutorial videos on the malware, the researchers said.

The malware is also being advertised by other Telegram groups to reach about 5,000 users in total. These combined factors indicate that Legion already has a loyal following and is likely a for-purchase offering under a perpetual license model, Muir said.

"While not every member will have purchased a license for Legion, these numbers show that interest in such a tool is high," he wrote in the post. "Related research indicates that there are a number of variants of this malware, likely with their own distribution channels."

While the researchers have not identified the definitive source of Legion, several Indonesian-language comments on the YouTube channel suggest that the developer may be Indonesian or based in Indonesia, and references to user with the handle "my13gion" in the Telegram group also offer clues to its source, they said.

Moreover, in a function dedicated to PHP exploitation, a link to a GitHub Gist leads to a user named Galeh Rizky, with a profile suggesting that this user is located in Indonesia. Still, it's not clear if Rizky is the developer behind Legion, or if his code just happens to be found in the sample analyzed by Cado, the researchers said.

How to Mitigate & Assess Legion's Cyber-Risk

Researchers included a list of indicators of compromise (IoCs), as well as a list of targeted US mobile carriers in the blog post to help organizations or device users know if they've been compromised by Legion or could be a target of the malware, respectively.

Given the malware's reliance on misconfigurations in Web servers or frameworks to access systems, Cado recommends that organizations and other users of these technologies review existing security processes and ensure that secrets are appropriately stored. Moreover, if credentials are stored in a .env file, this file should be outside Web server directories so that it's inaccessible from the Web, the researchers said.

Organizations using cloud providers such as AWS and Microsoft Azure should also keep in mind their shared-responsibility obligations under the terms of use for those platforms to ensure their Web servers are configured properly, Muir says. A compromise by the malware "would likely fall under the user's remit in a shared responsibility context," he says.

Additionally, AWS users should also be aware of Legion's targeting of the platform's identity access management (IAM) and simple email service (SES) in its attempt to gain AWS credentials. To mitigate this risk, organizations should look out for user accounts that show a change in the IAM user registration code to include an "Owner" tag with the hardcoded value "ms.boharas," which is a hallmark of the malware, the researchers said.