AlienFox - A Modular Malware Threat That Steals Cloud Credentials

According to SentinelLabs, there is a new toolset called AlienFox that attackers are using to gather credentials for various cloud service providers, including AWS SES and Microsoft Office 365.

This modular toolset is primarily distributed on Telegram in the form of source code archives, with some modules available on GitHub for potential attackers to use. Attacks on smaller cloud services that are not suitable for cryptomining are on the rise, and AlienFox enables and expands the campaigns that follow such compromises. AlienFox has been evolving regularly, with recurring feature additions suggesting that the developers are becoming increasingly sophisticated.

Actors are using AlienFox to extract information, such as API keys and secrets, from config files that are exposed on victims’ web servers. The later versions of AlienFox include scripts that automate malicious actions using stolen credentials, such as establishing AWS account persistence and privilege escalation, and collecting send quotas and automating spam campaigns using victim accounts or services.

AlienFox is designed to target a variety of web services, but primarily focuses on cloud-based and software-as-a-service (SaaS) email hosting services. The actors are opportunistic and rely on server misconfigurations associated with popular web frameworks like Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. The toolsets contain scripts that check for these services, and the ‘target’ files are generated by a separate script that uses brute force for IPs and subnets, as well as web APIs for open-source intelligence platforms.

When a vulnerable server is identified, the actors extract sensitive information from exposed environment or configuration files, including services enabled and associated API keys and secrets.
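The scanning stage described above leaves a footprint in ordinary web server access logs: requests for framework environment or configuration files that should never be served. The following detector is an added example, not code from the article or from SentinelLabs; it parses combined-format log lines, counts probes per source address, and reports any such request that the server actually answered with HTTP 200, which is the case a defender must treat as a credential exposure. The filenames are assumptions drawn from the default layouts of the frameworks the article names, and the log lines are constructed samples.

```python
import re
from collections import Counter

# Default config/environment file locations for the frameworks named on the page.
# Assumed from the frameworks' standard layouts; extend for your own deployment.
SENSITIVE_PATHS = (
    "/.env",               # Laravel and other dotenv-based applications
    "/.env.bak",
    "/wp-config.php",      # WordPress
    "/configuration.php",  # Joomla
    "/app/etc/env.php",    # Magento
    "/config.php",         # generic PHP application config
)

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_sensitive(path):
    """True if the requested path (query string ignored) names a config/env file."""
    path = path.split("?", 1)[0].lower()
    return any(path == p or path.endswith(p) for p in SENSITIVE_PATHS)

def scan_access_log(lines):
    """Return (exposures, probes): exposures are 200-answered requests for sensitive
    files as (ip, path, timestamp); probes counts all such requests per source ip."""
    exposures = []
    probes = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_sensitive(m.group("path")):
            continue
        probes[m.group("ip")] += 1
        if m.group("status") == "200":  # the file was actually served: credentials leaked
            exposures.append((m.group("ip"), m.group("path"), m.group("ts")))
    return exposures, probes

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2023:10:15:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Mar/2023:10:15:02 +0000] "GET /wp-config.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Mar/2023:10:15:03 +0000] "GET /app/etc/env.php?x=1 HTTP/1.1" 403 0 "-" "curl/7.88"',
    '198.51.100.7 - - [31/Mar/2023:10:16:40 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, counts = scan_access_log(SAMPLE_LOG)
    print("exposures:", found)
    print("probes per ip:", dict(counts))
```

An exposure hit means the secrets in that file (AWS keys, SMTP credentials, database passwords) should be rotated immediately, not merely the file access blocked.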

AlienFox Keeps Evolving

SentinelOne has discovered three different versions of AlienFox that date back to February 2022, and some of the scripts found have been classified as malware families by other researchers, such as Androxgh0st by Lacework. The fact that all the SES-targeting toolsets analyzed by SentinelOne focus on servers using the Laravel PHP framework could imply that Laravel is particularly vulnerable to misconfigurations or exposures.

AlienFox v4 is structured differently from the other versions, with each tool receiving a numerical identifier such as Tool1 and Tool2. Some new tools have been added that suggest the developers are searching for new users or expanding the capabilities of existing toolkits. For example, one new tool checks whether email addresses are linked to Amazon retail accounts and creates a new Amazon account with the email address if there isn't one. Another tool automates the generation of cryptocurrency wallet seeds for Bitcoin and Ethereum.

Due to its continuous development, it is likely that AlienFox will continue to be used for a long time.

March 31, 2023