  • Mass distribution of the malicious tool "Legion"

    A new Python-based hacking tool called "Legion" is being sold via Telegram to any willing cybercriminal to initially compromise target systems and gather credentials.

    Legion is modular malware that, according to Cado Labs, is most likely based on the AndroxGh0st malware and contains modules for enumerating SMTP servers, remote code execution, exploiting vulnerable versions of Apache, brute-forcing cPanel and WebHost Manager accounts, interacting with the Shodan API and abusing AWS services.

    SentinelOne, in its analysis published late last month, suggested that AndroxGh0st is part of a complex toolkit called AlienFox, which is offered to attackers to steal API keys and other useful data from cloud services. However, "developers of similar tools often use each other's code, which makes it difficult to assign programs to a particular group."

    “Legion can obtain credentials from a wide range of web services, such as email providers, cloud services, server management systems, databases, and payment platforms such as Stripe and PayPal,” Cado Labs said.

    The main purpose of the malware is to allow attackers to take over services and use the targeted infrastructure for subsequent attacks, including bulk spam and targeted phishing campaigns.

    The researchers even found a public YouTube channel called "Forza Tools" with dozens of tutorial videos on how to use Legion. “Apparently, the tool is widespread and is paid malware,” the researchers concluded.

    Legion typically targets insecure web servers running content management systems (CMS) and PHP-based frameworks such as Laravel, using regular expression patterns to search for files known to contain authentication tokens, API keys, and other critical data.

    Legion can also obtain AWS credentials from insecure or misconfigured web servers and deliver spam SMS to users of US mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin using stolen SMTP credentials.

    The origin of the attacker who developed the tool remains unknown, although the presence of comments in Indonesian in the source code indicates that the developer may be Indonesian.

    “Because the use of Legion relies heavily on misconfigurations in web server technologies and environments such as Laravel, users of these technologies are advised to review their existing security processes and ensure that sensitive data is stored appropriately,” concluded Cado Labs.
    Author DeepWeb
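
To act on the advice above, a defender can run the same kind of pattern search over their own web root before anyone else does. The following is an added example, not code from the article or from Cado Labs: the patterns, the `.env` file name and the sample tree are assumptions chosen for illustration, and secret values are never returned, only their location.

```python
import os
import re
import tempfile

# Assumed patterns (not from the article): the AWS access key ID shape and
# KEY=value settings whose names suggest a stored credential.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "secret_setting": re.compile(
        r"^\s*([A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*)\s*=\s*(\S.*)$"),
}
MAX_BYTES = 1_000_000  # configuration files are small; skip anything larger

def audit_webroot(root):
    """Return sorted (relative_path, line_no, kind, name) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    lines = fh.readlines()
            except OSError:
                continue  # unreadable file: nothing to report
            for line_no, line in enumerate(lines, 1):
                for kind, rx in PATTERNS.items():
                    m = rx.search(line)
                    if m:
                        # Report the setting name only; never the value itself.
                        name = m.group(1) if kind == "secret_setting" else "(redacted)"
                        findings.append((os.path.relpath(path, root), line_no, kind, name))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: one env-style file with secrets, one harmless page."""
    os.makedirs(os.path.join(root, "public"))
    with open(os.path.join(root, "public", "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>\n")
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("APP_NAME=demo\nMAIL_PASSWORD=example-only\n"
                 "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nSTRIPE_SECRET=\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_webroot(tmp))
```

Any finding inside a directory the web server can serve means the file should be moved out of the document root or blocked, and the credential it holds rotated.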