A new Python-based hacking tool called "Legion" is being sold via Telegram to any willing cybercriminal for the initial compromise of target systems and the harvesting of credentials.
Legion is modular malware that, according to Cado Labs, is most likely based on the AndroxGh0st malware. It contains modules for enumerating SMTP servers, remote code execution, exploiting vulnerable versions of Apache, enumerating cPanel and WebHost Manager accounts, querying the Shodan API, and abusing AWS services.
SentinelOne, in its analysis published late last month, suggested that AndroxGh0st is part of a complex toolkit called AlienFox, which is offered to attackers to steal API keys and other useful data from cloud services. However, "developers of similar tools often use each other's code, which makes it difficult to assign programs to a particular group."
“Legion can obtain credentials from a wide range of web services, such as email providers, cloud services, server management systems, databases, and payment platforms such as Stripe and PayPal,” Cado Labs said.
The main purpose of the malware is to let attackers take over services and use the compromised infrastructure for follow-on attacks, including bulk spam and targeted phishing campaigns.
The researchers even found a public YouTube channel called "Forza Tools" with dozens of tutorial videos on how to use Legion. “Apparently, the tool is widespread and is paid malware,” the researchers concluded.
Legion typically targets insecure web servers running content management systems (CMS) and PHP-based frameworks such as Laravel, using regular expression patterns to search for files known to contain authentication tokens, API keys, and other critical data.
Legion can also harvest AWS credentials from insecure or misconfigured web servers and send spam SMS to subscribers of US mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin using stolen SMTP credentials.
The origin of the attacker who developed the tool remains unknown, although the presence of comments in Indonesian in the source code indicates that the developer may be Indonesian.
“Because the use of Legion relies heavily on misconfigurations in web server technologies and environments such as Laravel, users of these technologies are advised to review their existing security processes and ensure that sensitive data is stored appropriately,” concluded Cado Labs.
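The article describes Legion searching exposed web roots for files that hold tokens and API keys (Laravel's `.env` file is the classic case) and advises operators to review how sensitive data is stored. The following script is an added example written for this page, not code from the article or from Cado Labs: it reads web server access-log lines in the Apache/nginx "combined" format, flags requests for a watchlist of credential-bearing paths, and separates plain probes (4xx) from the serious case where the server actually returned the file (2xx). The watchlist, the log lines and the IP addresses are constructed for the example; extend the watchlist to match your own stack.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed here): client IP, timestamp,
# request line, status code and response size are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Watchlist of paths that commonly expose credentials when the document root is
# misconfigured (e.g. a Laravel app served from the project root instead of public/).
# Constructed for this example; not a list taken from the article.
SECRET_PATHS = [
    re.compile(r'(^|/)\.env(\.[\w.-]+)?$'),        # dotenv / Laravel config
    re.compile(r'(^|/)\.git/'),                    # exposed repository metadata
    re.compile(r'(^|/)wp-config\.php(\.bak|~)?$'), # WordPress DB credentials
    re.compile(r'(^|/)config(uration)?\.php$'),    # generic PHP config dumps
]


def is_secret_probe(path):
    """True if the request path (query string ignored) is on the watchlist."""
    path = path.split('?', 1)[0]
    return any(p.search(path) for p in SECRET_PATHS)


def scan_log(lines):
    """Return {client_ip: [(path, status), ...]} for requests hitting the watchlist.

    Lines that do not parse as combined-format entries are skipped silently, so
    the function can be pointed at a raw log file without pre-filtering.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_secret_probe(m['path']):
            hits[m['ip']].append((m['path'], int(m['status'])))
    return dict(hits)


def served_secrets(hits):
    """Subset of scan_log() output where the server answered 2xx.

    A 404 or 403 on /.env is reconnaissance; a 200 means the file was handed
    out and every secret inside it should be treated as compromised and rotated.
    """
    return {
        ip: [(p, s) for p, s in reqs if 200 <= s < 300]
        for ip, reqs in hits.items()
        if any(200 <= s < 300 for _, s in reqs)
    }


# Constructed sample log lines (RFC 5737 documentation addresses, fake timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.28"',
    '203.0.113.5 - - [10/Apr/2023:12:00:02 +0000] "GET /vendor/.env HTTP/1.1" 404 153 "-" "python-requests/2.28"',
    '198.51.100.7 - - [10/Apr/2023:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2023:12:00:04 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(f'{ip}: probed {len(reqs)} credential path(s): {reqs}')
    for ip, reqs in served_secrets(hits).items():
        print(f'ALERT {ip}: secrets file(s) served with 2xx: {reqs} -> rotate credentials')
```

Run it against a real access log with `scan_log(open('access.log'))`. Anything reported by `served_secrets` is an exposure, not a probe: the fix is to move the document root so that `.env` and similar files sit outside it, and to rotate every key the file contained, since tools like Legion are built to harvest exactly those values.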