
This New AlienFox Toolkit Steals Credentials for 18 Cloud Services

The toolkit is sold to cybercriminals via a private Telegram channel.


Threat actors can use a new modular toolkit called 'AlienFox' to scan for misconfigured servers and steal authentication secrets and credentials for cloud-based email services. The toolkit is sold to cybercriminals through a private Telegram channel, which has become a common transaction channel for malware authors and hackers.

According to SentinelLabs researchers who examined AlienFox, the toolset targets common misconfigurations in popular web hosting frameworks and applications, including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. Analysts discovered three versions of AlienFox, indicating that the toolkit's author is actively developing and improving the malicious tool.

AlienFox is after your secrets

AlienFox is a modular toolset made up of a variety of custom tools and modified open-source utilities created by various authors. It is used by threat actors to collect lists of misconfigured cloud endpoints from security scanning platforms such as LeakIX and SecurityTrails.

AlienFox then uses data-extraction scripts to search the misconfigured servers for sensitive configuration files that commonly store secrets, such as API keys, account credentials, and authentication tokens.

1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho are among the cloud-based email platforms targeted. Separate scripts are also included in the toolkit to establish persistence and escalate privileges on vulnerable servers.

According to SentinelLabs, the first version discovered in the wild is AlienFox v2, which focuses on extracting web server configuration and environment files. The malware then parses the files for credentials and attempts to log in to the targeted server over SSH using the Paramiko Python library.
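The scanning behaviour described above leaves a recognisable trace in web server logs: a single source requesting environment and configuration files across paths it has no business knowing. The following detector is an added example (not code from this post or from SentinelLabs) that parses constructed Apache/Nginx combined-format log lines, flags sources probing for such files, and reports any probe that was actually served with HTTP 200; the list of watched file names is an assumption, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample log lines in combined format; not captured from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.28"
203.0.113.7 - - [28/Mar/2023:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [28/Mar/2023:10:01:04 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.2 - - [28/Mar/2023:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [28/Mar/2023:10:05:09 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed list of secret-bearing files that harvesting tools request; extend for your stack.
SECRET_PATHS = (".env", "wp-config.php", "configuration.php", "settings.php",
                "config.php", "app/etc/env.php")


def is_secret_probe(path):
    """True when the requested path (query string ignored) is a known secret file or a backup of one."""
    p = path.split("?", 1)[0].lower()
    return any(p.endswith(s) or p.endswith(s + ".bak") or p.endswith(s + ".old")
               for s in SECRET_PATHS)


def analyse(log_text, min_probes=2):
    """Return {ip: {"probes": count, "exposed": [paths served with 200]}} for sources
    that made at least min_probes requests for secret files. A non-empty "exposed" list
    means the server actually handed the file out and the secrets in it must be rotated."""
    stats = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_secret_probe(m["path"]):
            continue
        rec = stats[m["ip"]]
        rec["probes"] += 1
        if m["status"] == "200":
            rec["exposed"].append(m["path"])
    return {ip: r for ip, r in stats.items() if r["probes"] >= min_probes}


if __name__ == "__main__":
    for ip, rec in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {rec['probes']} probes, exposed files: {rec['exposed'] or 'none'}")
```

A 403 or 404 on these paths means the probe failed; a 200 on a file such as `.env` is an incident, not just a scan.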

AlienFox v2 also includes a script (awses.py) that automates sending and receiving messages through AWS SES (Simple Email Service) and sets up elevated-privilege persistence on the threat actor's AWS account. Finally, AlienFox 2.0 includes an exploit for CVE-2022-31279, a deserialization vulnerability in the Laravel PHP Framework.

AlienFox v3 added automated key and secret extraction from Laravel environments, and stolen data now included tags indicating the harvesting method. The third version of the kit, in particular, improved performance by including initialization variables, Python classes with modular functions, and process threading.

AlienFox v4 is the most recent version, which includes improved code and script organisation as well as targeting scope expansion. The fourth version of the malware, in particular, includes WordPress, Joomla, Drupal, Prestashop, Magento, and Opencart targeting, an Amazon.com retail site account checker, and an automated cryptocurrency wallet seed cracker for Bitcoin and Ethereum.

The new "wallet cracking" scripts indicate that AlienFox's developer wishes to broaden the toolset's clientele or enhance its capabilities in order to secure subscription renewals from existing customers.

To protect against this evolving threat, administrators must ensure that their server configuration enforces proper access controls and file permissions and that unnecessary services are removed. Furthermore, implementing MFA (multi-factor authentication) and monitoring for unusual or suspicious account activity can aid in the early detection of intrusions.
