Today, CISA and the FBI released a joint Cybersecurity Advisory (CSA), “Known Indicators of Compromise Associated with Androxgh0st Malware,” to provide network defenders with known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware.

According to the advisory, Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework. On these websites, threat actors have attempted to determine if the domain’s root-level .env file is exposed and if they contain credentials for accessing additional services. Multiple investigations are reportedly ongoing regarding Androxgh0st malware’s capability to establish a botnet and further identify and compromise vulnerable networks. CISA and the FBI state that “threat actors exploiting Androxgh0st malware have been observed exploiting specific vulnerabilities which could lead to remote code execution; those common vulnerabilities and exposures (CVE) are CVE-2017-9841 (PHP Unit Command), CVE-2021-41773 (Apache HTTP Server versions) and CVE-2018-15133 (Laravel applications).”

CISA and the FBI recommend network defenders prioritize patching known exploited vulnerabilities in internet-facing systems, review and ensure only necessary servers and services are exposed to the Internet, and review platforms or services that have credentials listed in .env files for unauthorized access or use. Lastly, CISA and the FBI urge every organization to review the advisory, implement recommended mitigations, and validate your organization’s security controls against the threat behaviors mapped to the MITRE ATT&CK. Access the full advisory at CISA.