Evolving AlienFox Malware Steals Cloud Services Credentials
Attackers Use Toolkit to Harvest API Keys and Secrets From 18 Cloud Providers Prajeet Nair (@prajeetspeaks) • March 31, 2023
Hackers have used a fast-evolving modular toolkit called “AlienFox” to compromise email and web hosting services at 18 companies.
SentinelLabs researchers said the adaptable toolkit can easily be modified to meet attackers’ needs. The latest iteration of the tool extracts sensitive information such as API keys and secrets from configuration files for service providers such as AWS, Google Workspace, Office365, OneSignal, Twilio, Zoho and more.
Distributed mainly by Telegram, the toolkit scripts are readily available in open source repositories such as GitHub, leading to constant adaptation and variation in the wild.
Alex Delamotte, security researcher at SentinelOne, says threat actors use this toolset to collect lists of misconfigured hosts from security scanning platforms, including LeakIX and SecurityTrails.
These server misconfigurations are associated with popular web frameworks such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop and WordPress.
AlienFox scripts check for these services and require a list of targets generated by another script, such as grabip.py and grabsite.py.
“The target generation scripts use a combination of brute force for IPs and subnets, as well as web APIs for open-source intelligence platforms to provide details about potential targets,” Delamotte said.
Once a vulnerable server is found, the threat actor gains access to files that store sensitive information, such as services enabled and the associated API keys and secrets.
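The access pattern described here leaves a trace in ordinary web server logs: a client requesting the default locations of framework configuration or environment files, and a 2xx response when one is actually served. The following is an added, defender-side example written for this article; it is not code from SentinelLabs, from the toolkit, or from the article's author. It parses combined-format access log lines and separates mere probes (4xx) from real exposures (2xx). The log lines are constructed, and the list of sensitive paths is an assumption based on the default configuration-file locations of the frameworks named above; extend it to match your own deployment.

```python
"""Flag access-log requests that probe for, or retrieve, framework
configuration and environment files that typically hold credentials.

Added defender-side example; not code from SentinelLabs or the toolkit.
The sample log lines are constructed and the path list is an assumption.
"""
import re
from collections import defaultdict

# Default credential-bearing config/env file locations (assumption: adjust
# this to your own layout; paths are matched case-insensitively).
SENSITIVE_PATHS = {
    "/.env": "Laravel / generic dotenv",
    "/.env.bak": "dotenv backup",
    "/wp-config.php": "WordPress",
    "/configuration.php": "Joomla",
    "/sites/default/settings.php": "Drupal",
    "/app/etc/env.php": "Magento 2",
    "/config/settings.inc.php": "PrestaShop 1.6",
    "/app/config/parameters.php": "PrestaShop 1.7",
    "/config.php": "OpenCart",
}

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Mar/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.10 - - [30/Mar/2023:10:01:03 +0000] "GET /.env HTTP/1.1" 404 162
203.0.113.10 - - [30/Mar/2023:10:01:03 +0000] "GET //.env?x=1 HTTP/1.1" 404 162
203.0.113.10 - - [30/Mar/2023:10:01:04 +0000] "GET /wp-config.php HTTP/1.1" 403 199
198.51.100.7 - - [30/Mar/2023:10:05:00 +0000] "GET /app/etc/env.php HTTP/1.1" 200 2048
198.51.100.7 - - [30/Mar/2023:10:05:01 +0000] "GET /sites/default/settings.php HTTP/1.1" 200 3100
192.0.2.44 - - [30/Mar/2023:10:07:00 +0000] "POST /login HTTP/1.1" 302 0
"""


def normalize_path(raw):
    """Drop the query string and collapse repeated slashes so that
    variants like //.env?x=1 or /.ENV still match the canonical path."""
    path = raw.split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path)
    return path.lower()


def classify(line):
    """Return a finding dict if the request targets a sensitive path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("path"))
    for target, framework in SENSITIVE_PATHS.items():
        # Exact match, or the same file inside a subdirectory (e.g. /app/.env).
        if path == target or path.endswith(target):
            status = int(m.group("status"))
            return {
                "ip": m.group("ip"),
                "path": path,
                "framework": framework,
                "status": status,
                # A 2xx means the file was actually served: that is an exposure,
                # not just a probe, and the secrets inside must be rotated.
                "severity": "exposure" if 200 <= status < 300 else "probe",
            }
    return None


def analyze(lines):
    """Classify every line and tally probes/exposures per client IP."""
    findings = [f for f in map(classify, lines) if f]
    per_ip = defaultdict(lambda: {"probes": 0, "exposures": 0})
    for f in findings:
        key = "exposures" if f["severity"] == "exposure" else "probes"
        per_ip[f["ip"]][key] += 1
    return findings, dict(per_ip)


def main():
    findings, per_ip = analyze(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['severity']:8} {f['ip']:15} {f['status']} {f['path']} ({f['framework']})")
    for ip, counts in per_ip.items():
        if counts["exposures"]:
            print(f"ALERT: {ip} retrieved {counts['exposures']} credential-bearing "
                  f"file(s); rotate every key and secret those files contain")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the script reports three probes from the first client (all denied) and two successful retrievals from the second, which is the case that matters: a served `.env` or `env.php` means the AWS, mail and messaging credentials it held should be treated as compromised and rotated, not merely blocked.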
Researchers have uncovered two versions of the tools, beginning with version 2 in February 2022.
Several scripts were summarized as malware families Androxgh0st and GreenBot by other researchers.
Version 2, among the oldest AlienFox toolsets, primarily focuses on extracting credentials from web server configuration or environment files. Researchers said they analyzed the archive that contained output from when an actor ran the tools, which included AWS access and secret keys.
The 3.x version of the AlienFox toolset contains the script Lar.py, which automates the extraction of keys and secrets from a compromised Laravel web application. It also logs the results to a text file along with the targeted server details.
“Lar.py is coded in a more mature way than the AlienFox Version 2 scripts and their derivatives. Lar.py applies threading, Python classes with modular functions and initialization variables,” researchers said.