A threat actor group is using a comprehensive toolset named AlienFox to steal sensitive information such as API keys, authentication secrets, and credentials for cloud service providers and popular online services. The adversaries use security scanning platforms such as LeakIX and SecurityTrails to discover misconfigured servers running popular web frameworks, rather than scanning the internet themselves.
Prime targets
The most targeted web frameworks include Drupal, Joomla, Laravel, Magento, Opencart, Prestashop, and WordPress.
AlienFox includes multiple scripts that primarily target cloud-based and SaaS email hosting services.
It targets popular cloud services such as AWS, Office 365, Twilio, Zimbra, Zoho, Google Workspace, Nexmo, and others.
Fast-evolving toolset
SentinelLabs discovered three variants of AlienFox, dating back to February 2022, containing scripts that automate malicious operations using the stolen credentials.
These scripts enable threat actors to establish persistence and escalate privileges in AWS accounts, and to automate follow-on spam campaigns through the compromised accounts and services.
The toolset was primarily distributed via Telegram; some modules have since appeared on GitHub, which has led to constant adaptation and variation in the wild.
Notably, other malware families, namely Androxgh0st and GreenBot (aka Maintance), already reuse AlienFox scripts.
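The persistence behaviour described above is visible to defenders in CloudTrail, where IAM API calls are recorded with the calling principal. The following is an added example for this article, not code from AlienFox or from SentinelLabs: it hunts over CloudTrail-style records for a principal that creates a new IAM user and then, within a short window, gives that user credentials or policies, and separately for any attachment of the AWS-managed AdministratorAccess policy. The records, account ID, principal names and IP addresses are constructed for the example (the key ID is the AWS documentation placeholder); only the field names follow the real CloudTrail schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"  # real AWS-managed policy ARN
# IAM calls that turn a freshly created user into a usable backdoor.
FOLLOW_ON = {"CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
             "PutUserPolicy", "AddUserToGroup"}
WINDOW = timedelta(minutes=15)  # how soon after CreateUser a follow-on call is suspicious

# Constructed identities: a compromised application key and a legitimate admin role.
ATTACKER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/laravel-app",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
ADMIN = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/jane"}


def _ev(time, source, name, identity, ip, **params):
    """Build a minimal CloudTrail-shaped record (subset of the real schema)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "sourceIPAddress": ip, "requestParameters": params}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Compromised key: new user, key for it, full admin, all within seconds.
    _ev("2023-03-10T12:05:01Z", "iam.amazonaws.com", "CreateUser", ATTACKER, "203.0.113.7", userName="backup-svc"),
    _ev("2023-03-10T12:05:03Z", "iam.amazonaws.com", "CreateAccessKey", ATTACKER, "203.0.113.7", userName="backup-svc"),
    _ev("2023-03-10T12:05:06Z", "iam.amazonaws.com", "AttachUserPolicy", ATTACKER, "203.0.113.7",
        userName="backup-svc", policyArn=ADMIN_POLICY),
    # Non-IAM call by the same key: ignored by this detection.
    _ev("2023-03-10T12:06:00Z", "ses.amazonaws.com", "GetSendQuota", ATTACKER, "203.0.113.7"),
    # Routine admin work: user created, read-only policy attached an hour later.
    _ev("2023-03-10T09:00:00Z", "iam.amazonaws.com", "CreateUser", ADMIN, "198.51.100.2", userName="jane-dev"),
    _ev("2023-03-10T10:00:00Z", "iam.amazonaws.com", "AttachUserPolicy", ADMIN, "198.51.100.2",
        userName="jane-dev", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
]


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def actor_of(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("accessKeyId") or "unknown"


def detect_iam_persistence(events, window=WINDOW):
    """Return alerts, oldest first. An event is flagged when it attaches
    AdministratorAccess, or when it is a follow-on call against a user the same
    actor created no more than `window` earlier."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") == "iam.amazonaws.com":
            by_actor[actor_of(ev)].append(ev)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=_ts)
        created = {}  # user name -> time this actor created it
        for ev in evs:
            name = ev["eventName"]
            params = ev.get("requestParameters") or {}
            target = params.get("userName")
            if name == "CreateUser" and target:
                created[target] = _ts(ev)
                continue
            reasons = []
            if params.get("policyArn") == ADMIN_POLICY:
                reasons.append("AdministratorAccess attached")
            if name in FOLLOW_ON and target in created and _ts(ev) - created[target] <= window:
                age = int((_ts(ev) - created[target]).total_seconds())
                reasons.append(f"{name} on user created by same actor {age}s earlier")
            if reasons:
                alerts.append({"time": ev["eventTime"], "actor": actor,
                               "source_ip": ev.get("sourceIPAddress"), "event": name,
                               "target_user": target, "reasons": reasons})
    alerts.sort(key=lambda a: a["time"])
    return alerts


if __name__ == "__main__":
    for a in detect_iam_persistence(SAMPLE_EVENTS):
        print(f"{a['time']} {a['source_ip']:15} {a['actor']} {a['event']} -> "
              f"{a['target_user']}: {'; '.join(a['reasons'])}")
```

The legitimate admin sequence falls outside the window and attaches a read-only policy, so it produces nothing, while the compromised application key produces two alerts. Treat the window as a tuning knob: widening it catches slower operators at the cost of catching ordinary onboarding, so in practice pair this with an allow-list of principals that are expected to manage IAM.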
About three variants
The earliest variant, AlienFox v2, focuses on extracting web server configuration and environment files. It parses the files for credentials, tests them against the targeted service, and uses Python scripts to escalate privileges and establish persistence.
The second variant, AlienFox v3, adds an exploit for a deserialization vulnerability in the Laravel PHP framework (CVE-2022-31279) and automates the extraction of keys and secrets from compromised Laravel environments.
The most recent variant, AlienFox v4, introduces initialization variables, Python classes with modular functions, process threading, and automated handling of Bitcoin and Ethereum cryptocurrency wallet seeds.
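Because the entry point for this variant is an exposed configuration or environment file, the cheapest detection is to look at web server access logs for requests to those files and, more importantly, for requests to them that were answered with HTTP 200. The following is an added example for this article, not AlienFox code or code from SentinelLabs. It parses Apache/nginx combined-format lines, normalises the request path so that query strings, percent-encoding and doubled slashes do not hide a probe, matches it against the default locations of the secret-bearing files of the frameworks named above (the list is illustrative, not exhaustive), and separates confirmed exposures from mere probing. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:12:01:03 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
203.0.113.7 - - [10/Mar/2023:12:01:04 +0000] "GET /wp-config.php HTTP/1.1" 404 162 "-" "python-requests/2.28.1"
203.0.113.7 - - [10/Mar/2023:12:01:05 +0000] "GET //app/etc/env.php?x=1 HTTP/1.1" 404 162 "-" "python-requests/2.28.1"
198.51.100.2 - - [10/Mar/2023:12:02:10 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2023:12:02:11 +0000] "GET /assets/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2023:12:03:00 +0000] "GET /%2Eenv.bak HTTP/1.1" 403 199 "-" "curl/7.88.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Default locations of credential-bearing files for the frameworks the article names,
# plus common leftovers. Order matters: the first match wins.
SENSITIVE_PATHS = [
    (re.compile(r"(^|/)\.env(\.[\w.-]+)?$"), "dotenv file (Laravel and others)"),
    (re.compile(r"(^|/)\.git(/|$)"), "git metadata"),
    (re.compile(r"(^|/)wp-config\.php(\.|$)"), "WordPress config"),
    (re.compile(r"(^|/)configuration\.php(\.|$)"), "Joomla config"),
    (re.compile(r"(^|/)sites/default/settings\.php(\.|$)"), "Drupal config"),
    (re.compile(r"(^|/)app/etc/env\.php(\.|$)"), "Magento config"),
    (re.compile(r"(^|/)config/settings\.inc\.php(\.|$)"), "PrestaShop config"),
    (re.compile(r"(^|/)(admin/)?config\.php(\.|$)"), "OpenCart config"),
    (re.compile(r"(^|/)config/database\.php(\.|$)"), "Laravel database config"),
]


def normalize_path(raw: str) -> str:
    """Drop the query string, percent-decode, lowercase, collapse repeated slashes.
    The query string is split off by hand: urlsplit would read '//app/...' as a host."""
    path = unquote(raw.split("?", 1)[0]).lower()
    return re.sub(r"/{2,}", "/", path)


def classify_path(path: str):
    """Return a label for a sensitive path, or None for ordinary requests."""
    for pattern, label in SENSITIVE_PATHS:
        if pattern.search(path):
            return label
    return None


def analyze(log_text: str):
    """Return (findings, per_ip). A 200 means the server actually handed the file
    over: that is a confirmed exposure and the secrets inside must be rotated."""
    findings = []
    per_ip = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        path = normalize_path(m["path"])
        label = classify_path(path)
        if label is None:
            continue
        status = int(m["status"])
        ip = m["ip"]
        per_ip[ip]["probes"] += 1
        if status == 200:
            per_ip[ip]["exposed"].append(path)
        findings.append({"ip": ip, "time": m["ts"], "path": path, "status": status,
                         "what": label, "severity": "EXPOSED" if status == 200 else "probe"})
    return findings, dict(per_ip)


if __name__ == "__main__":
    findings, per_ip = analyze(SAMPLE_LOG)
    for f in findings:
        print(f"{f['severity']:8} {f['ip']:15} {f['status']} {f['path']}  ({f['what']})")
    for ip, rec in per_ip.items():
        if rec["exposed"]:
            print(f"!! {ip} retrieved {rec['exposed']}: rotate every secret in those files")
```

A probe that returns 404 or 403 tells you who is scanning; a 200 tells you the credentials in that file are already in the attacker's hands, and the article's later sections describe what AlienFox does with them. The path normalisation matters because a scanner only needs one encoding that the web server accepts and the detection rule misses.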
Conclusion
Threat actors are using AlienFox against a range of cloud services, particularly those exposed through misconfiguration. The toolset remains under active development, with its authors steadily improving the code and adding modules and capabilities. Organizations should enforce MFA and follow configuration management best practices, in particular keeping configuration and environment files out of web-served directories, to mitigate such threats.