A newly developed Python-based credential harvester and hacking tool, dubbed Legion, has surfaced, offering cybercriminals a means of infiltrating various online services for exploitation purposes. The tool is marketed through Telegram, a popular messaging platform.
Cado Labs reports that Legion incorporates multiple modules designed to identify vulnerable SMTP servers, perform remote code execution (RCE), exploit unpatched Apache instances, and brute-force cPanel and WebHost Manager (WHM) accounts. The malware is believed to share similarities with another malware family, AndroxGh0st, which was first documented by the cloud security provider Lacework in December 2022.
Last month, cybersecurity company SentinelOne published an analysis disclosing AndroxGh0st as part of a comprehensive toolset, AlienFox, available to cybercriminals for stealing API keys and secrets from cloud services. According to security researcher Matt Muir, Legion appears to belong to an emerging generation of cloud-focused credential-harvesting and spam utilities. He told The Hacker News that the developers of these tools frequently steal each other's code, complicating attribution to specific groups.
In addition to utilizing Telegram for data exfiltration, Legion is designed to exploit web servers running content management systems (CMS), PHP, or PHP-based frameworks such as Laravel. Cado Labs stated that Legion can obtain credentials for a broad range of web services, including email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe and PayPal. Other targeted services include SendGrid, Twilio, Nexmo, AWS, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and TokBox.
The main objective of the malware is to facilitate cybercriminals' hijacking of services and weaponization of infrastructure for subsequent attacks, including large-scale spam and opportunistic phishing campaigns. The cybersecurity firm also found a YouTube channel containing tutorial videos on Legion usage, indicating that the tool is extensively distributed and possibly paid malware. As of now, the YouTube channel, created on June 15, 2021, remains active.
Moreover, Legion extracts AWS credentials from insecure or improperly configured web servers and sends SMS spam messages to users on U.S. mobile networks, such as AT&T, Sprint, T-Mobile, Verizon, and Virgin. Muir explained that the malware retrieves the area code for a chosen U.S. state from www.randomphonenumbers.com, subsequently employing a basic number generator function to create a list of target phone numbers.
Legion also stands out for its ability to exploit known PHP vulnerabilities to establish a web shell for ongoing remote access or execute malicious code. The identity and origins of the threat actor, who uses the alias "forzatools" on Telegram, remain uncertain. However, the presence of Indonesian-language comments in the source code suggests a possible connection to Indonesia.
SentinelOne security researcher Alex Delamotte informed The Hacker News that the latest discovery demonstrates new functionalities not previously observed in AlienFox samples, indicating that the two malware types are separate toolsets. Delamotte added that while there are numerous feature overlaps, the tools have been independently developed and exhibit varying implementations. He believes that the actors involved engage in their own form of business intelligence, monitoring features developed by other toolsets and incorporating similar features into their own tools.
Muir advised users of web server technologies and frameworks such as Laravel to review their existing security processes and ensure that secrets are stored properly, given the malware's heavy reliance on misconfigurations of these technologies.
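The misconfiguration the article refers to is a web server that will serve credential-bearing files to anyone who asks for them. The following defender-side script is an added example, not code from Cado Labs, SentinelOne or the Legion tool itself. It assumes Laravel's documented convention of keeping secrets in a `.env` file one level above the `public/` document root (the other secret file names and the probe patterns are assumptions about common deployments), and it runs over a handful of constructed access-log lines to flag both probes for such files and cases where the server actually answered with a 200.

```python
"""
Defender-side checks for exposed secrets on a PHP/Laravel web server:
 1. a document-root audit that lists secret-bearing files a web server would serve, and
 2. an access-log scan that flags probes for such files and any that succeeded.
Added example; not Legion code and not from Cado Labs or SentinelOne.
"""
import os
import re
from collections import Counter

# File names that commonly hold credentials and must never sit under the document root.
# `.env` is Laravel's documented secrets file (APP_KEY, DB_*, AWS_*, MAIL_* ...);
# the remaining names are assumptions about other common deployments.
SECRET_FILE_NAMES = {".env", ".env.backup", ".env.local", "config.php", "wp-config.php", "credentials"}

# Request paths that indicate a probe for secrets (assumed list, not from the article).
PROBE_PATTERNS = re.compile(
    r"(^|/)(\.env(\.[\w-]+)?|\.git/config|\.aws/credentials|phpinfo\.php)(\?|$)", re.I
)

# Apache/nginx combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2023:12:00:02 +0000] "GET /vendor/.env HTTP/1.1" 404 0
203.0.113.7 - - [10/Apr/2023:12:00:03 +0000] "POST /.env HTTP/1.1" 404 0
198.51.100.9 - - [10/Apr/2023:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024
198.51.100.9 - - [10/Apr/2023:12:00:05 +0000] "GET /.git/config HTTP/1.1" 403 0
"""


def exposed_secret_paths(relative_paths):
    """From paths relative to the document root, return those whose file name is a
    known secret-bearing file. A clean Laravel layout yields an empty list, because
    .env lives next to public/, not inside it."""
    return sorted(p for p in relative_paths if os.path.basename(p) in SECRET_FILE_NAMES)


def find_exposed_secret_files(document_root):
    """Walk a real document root and audit it with exposed_secret_paths()."""
    rel = []
    for dirpath, _dirs, files in os.walk(document_root):
        for name in files:
            rel.append(os.path.relpath(os.path.join(dirpath, name), document_root))
    return exposed_secret_paths(rel)


def scan_access_log(lines):
    """Return (probes, leaks): every request whose path matches PROBE_PATTERNS, and the
    subset the server answered with 200, meaning the file was actually served."""
    probes, leaks = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if PROBE_PATTERNS.search(m["path"]):
            hit = (m["ip"], m["method"], m["path"], int(m["status"]))
            probes.append(hit)
            if hit[3] == 200:
                leaks.append(hit)
    return probes, leaks


def probing_ips(probes, threshold=3):
    """IPs that issued at least `threshold` probes; candidates for blocking or review."""
    counts = Counter(p[0] for p in probes)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    probes, leaks = scan_access_log(SAMPLE_LOG.splitlines())
    print("probes:", len(probes), "successful leaks:", leaks)
    print("repeat probers:", probing_ips(probes))
    # Audit the current directory as if it were the document root.
    print("exposed secret files under .:", find_exposed_secret_files("."))
```

A 200 response to a `.env` request is the finding that matters: the file was served, so every secret in it (database, mail-provider and cloud credentials of the kind the article lists) should be treated as compromised and rotated, not merely blocked going forward. The path audit is the preventive half of the same check and is cheap enough to run in a deployment pipeline.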