  • Mass distribution of the malicious tool "Legion"

    A new Python-based hacking tool called "Legion" is being sold via Telegram to any willing cybercriminal, who can use it to gain an initial foothold on target systems and gather credentials.

    Legion is modular malware that, according to Cado Labs, is most likely based on the AndroxGh0st malware. It contains modules for enumerating SMTP servers, remote code execution, exploiting vulnerable versions of Apache, enumerating cPanel and WebHost Manager accounts, interacting with the Shodan API, and abusing AWS services.

    SentinelOne, in its analysis published late last month, suggested that AndroxGh0st is part of a complex toolkit called AlienFox, which is offered to attackers to steal API keys and other useful data from cloud services. However, "developers of similar tools often use each other's code, which makes it difficult to assign programs to a particular group."

    “Legion can obtain credentials from a wide range of web services, such as email providers, cloud services, server management systems, databases, and payment platforms such as Stripe and PayPal,” Cado Labs said.

    The main purpose of the malware is to allow attackers to take over services and use the targeted infrastructure for subsequent attacks, including bulk spam and targeted phishing campaigns.

    The researchers even found a public YouTube channel called "Forza Tools" with dozens of tutorial videos on how to use Legion. “Apparently, the tool is widespread and is paid malware,” the researchers concluded.

    Legion typically targets insecure web servers running content management systems (CMS) and PHP-based frameworks such as Laravel, using regular expression patterns to search for files known to contain authentication tokens, API keys, and other critical data.

    Legion can also obtain AWS credentials from insecure or misconfigured web servers and deliver spam SMS to users of US mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin using stolen SMTP credentials.

    The origin of the attacker who developed the tool remains unknown, although the presence of comments in Indonesian in the source code indicates that the developer may be Indonesian.

    “Because the use of Legion relies heavily on misconfigurations in web server technologies and environments such as Laravel, users of these technologies are advised to review their existing security processes and ensure that sensitive data is stored appropriately,” concluded Cado Labs.
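A defender-side check for the exposure described above, as an added example that is not from Cado Labs or the original article: it scans web server access logs for requests to secret-bearing files and separates blocked probes from requests the server actually answered. The path list (Laravel-style `.env` files and `.aws/credentials`), the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: files that commonly hold application secrets on a web server
# (Laravel's .env and its variants, AWS credential files). Extend for your stack.
SECRET_PATH = re.compile(
    r"(?:^|/)(?:\.env(?:\.[\w.-]+)?|\.aws/credentials)$", re.IGNORECASE
)
# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2023:06:12:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28"',
    '203.0.113.7 - - [10/Apr/2023:06:12:02 +0000] "GET /app/.env.production HTTP/1.1" 200 1842 "-" "python-requests/2.28"',
    '198.51.100.23 - - [10/Apr/2023:07:40:15 +0000] "GET /%2eenv?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Apr/2023:08:01:44 +0000] "GET /docs/environment.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Apr/2023:08:02:03 +0000] "POST /login HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

def find_secret_file_probes(lines):
    """Return probes per client IP and the requests that were actually served."""
    exposed, probed = [], defaultdict(int)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-access-log line
        # Drop the query string and decode %-escapes so "/%2eenv" is seen as "/.env".
        path = unquote(m["target"].split("?", 1)[0])
        if not SECRET_PATH.search(path):
            continue
        probed[m["ip"]] += 1
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 200 with a non-empty body means the file content left the server:
        # treat every secret in that file as compromised and rotate it.
        if m["status"] == "200" and size > 0:
            exposed.append((m["ip"], path, size))
    return {"exposed": exposed, "probed": dict(probed)}

if __name__ == "__main__":
    report = find_secret_file_probes(SAMPLE_LOG)
    for ip, path, size in report["exposed"]:
        print(f"EXPOSED: {path} served to {ip} ({size} bytes)")
    for ip, count in report["probed"].items():
        print(f"probe source {ip}: {count} request(s)")
```

Any entry under `exposed` calls for rotating the credentials stored in that file and blocking the path at the web server, not just at the application.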
    Author DeepWeb