py.androxgh0st

AndroxGh0st

aka: AndroxGhost, Androx

Actor(s): Xcatze


According to Lacework Labs, AndroxGh0st is a Python-based SMTP cracker whose primary purpose is to scan for exposed Laravel .env files and parse application secrets out of them. Laravel is an open-source PHP framework, and its .env file is a frequent target because it holds configuration data including credentials for AWS, SendGrid and Twilio. AndroxGh0st has multiple features enabling SMTP abuse, including scanning, exploitation of exposed credentials and APIs, and even deployment of web shells. For AWS specifically, the malware scans for and parses AWS keys, and can also generate candidate keys for brute-force attacks; that brute-force capability is likely a novelty, however, since guessing a valid key pair is a statistically unlikely attack vector.
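As an added example (not code from the malware and not from Lacework's analysis), the Python below parses a Laravel .env the way an .env-harvesting cracker would, so a defender can see exactly which secrets a leaked file would hand over, and flags web-server log lines that probe for .env files. The variable-name table, the sample .env and the log lines are constructed for the example: the AWS_ and MAIL_ names are Laravel's stock variables, the SendGrid and Twilio names are common community conventions rather than Laravel defaults (an assumption), and the AWS values are AWS's published documentation placeholders.

```python
"""Check a Laravel .env for the secrets an .env-harvesting cracker collects,
and flag web-server log lines that probe for exposed .env files.
Added example; not the malware's code and not Lacework's analysis."""
import re

# Variables whose values are worth harvesting, grouped by the abuse they
# enable. SENDGRID_* / TWILIO_* names are a convention, not Laravel defaults
# (assumption for this example).
SENSITIVE_KEYS = {
    "AWS_ACCESS_KEY_ID": "aws",
    "AWS_SECRET_ACCESS_KEY": "aws",
    "MAIL_HOST": "smtp",
    "MAIL_PORT": "smtp",
    "MAIL_USERNAME": "smtp",
    "MAIL_PASSWORD": "smtp",
    "SENDGRID_API_KEY": "sendgrid",
    "TWILIO_SID": "twilio",
    "TWILIO_TOKEN": "twilio",
}

_ENV_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_env(text):
    """Parse dotenv-style text into a dict. Handles blank lines, '#' comments,
    an optional 'export ' prefix, quoted values and trailing comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                       # quoted: keep verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop comment
        env[key] = value
    return env


def find_exposed_secrets(env):
    """Return (variable, category) pairs for harvestable variables that are set."""
    return [(k, SENSITIVE_KEYS[k]) for k, v in env.items() if k in SENSITIVE_KEYS and v]


# Common Log Format: client, ident, user, [time], "METHOD path proto", status
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def detect_env_probes(log_lines):
    """Return (client_ip, path, status) for requests whose path is a .env file.
    A 200 means the server actually handed the file out."""
    hits = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if path.split("?", 1)[0].lower().endswith("/.env"):
            hits.append((ip, path, int(status)))
    return hits


# Constructed sample .env; AWS values are AWS's documentation placeholders.
SAMPLE_ENV = """# constructed sample, not a real deployment
APP_NAME=Laravel
APP_KEY="base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
MAIL_HOST=smtp.example.test
MAIL_PORT=587
MAIL_USERNAME=mailer@example.test
MAIL_PASSWORD=example-password # rotate me
export SENDGRID_API_KEY=SG.example.example
TWILIO_SID=
"""

# Constructed log lines in Common Log Format (RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Dec/2022:10:00:01 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.28.1"',
    '203.0.113.5 - - [06/Dec/2022:10:00:02 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "python-requests/2.28.1"',
    '198.51.100.7 - - [06/Dec/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Dec/2022:10:00:04 +0000] "POST /.env?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.28.1"',
]

if __name__ == "__main__":
    for key, category in find_exposed_secrets(parse_env(SAMPLE_ENV)):
        print(f"exposed {category:8s} {key}")
    for ip, path, status in detect_env_probes(SAMPLE_LOG):
        print(f"{'SERVED' if status == 200 else 'probe '} {ip} {path} {status}")
```

Run against a real deployment, a non-empty result from find_exposed_secrets on a file that is reachable over HTTP means every listed credential should be treated as compromised and rotated, and a 200 in detect_env_probes is the log evidence that it was.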

References
2022-12-06  Lacework Labs  AndroxGh0st – the python malware exploiting your AWS keys

There is no YARA signature yet.