Legion: A Python-Based Hacking Tool Targets Websites and Web Services

A Python-based credential harvester named Legion is being marketed to threat actors as a tool for exploiting a range of online services. The tool shares similarities with another malware family, AndroxGh0st; however, the identified sample had not been detected by any antivirus engine on VirusTotal.

The tales of the Legion

According to Cado Labs, the main goal of Legion is to let attackers hijack online services and weaponize the compromised infrastructure for further attacks, such as mass spam campaigns and phishing.
  • The tool includes modules to scan for and list vulnerable SMTP servers, perform remote code execution attacks, exploit unpatched Apache servers, and brute-force cPanel and WebHost Manager accounts.
  • It is sold via Telegram and uses Telegram chat to exfiltrate data. It is designed to exploit web servers running content management systems, PHP, or PHP-based frameworks such as Laravel.
  • It can steal credentials for a variety of web services, including cloud service providers, email providers, databases, server management systems, and payment platforms.

Key features

  • Legion obtains AWS credentials from misconfigured web servers and sends SMS spam to users of U.S. mobile networks, including Sprint, T-Mobile, AT&T, Virgin, and Verizon.
  • Other targeted services include Twilio, Nexmo, SendGrid, AWS, Mailgun, Plivo, ClickSend, Mailjet, Mandrill, MessageBird, Vonage, OneSignal, Exotel, TokBox, and Clickatell.
  • Legion can also exploit known PHP vulnerabilities to register a web shell, giving the operator code execution or persistent remote access on the server.

Attribution/Affiliation

Researchers suspect that Legion belongs to an emerging generation of cloud-focused credential harvesters whose authors copy code from one another, which makes attribution harder. The actors operate under the identity Forza Tools on Telegram. Indonesian comments in the source code suggest the developer could be Indonesian; however, their real origin is unknown.

What to do?

Legion relies heavily on misconfigurations in online services; users are therefore advised to review their existing security processes and ensure that secrets are stored appropriately and are not reachable from the web. AWS users should be aware that such tools target IAM and SES and should take appropriate steps to strengthen their security posture.
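As an added example (not code from Cado Labs' report or this article), a small Python check that walks a web document root for the kind of leaked material a harvester like Legion collects: files such as `.env` that should never sit under the web root, and values matching AWS access key IDs or `KEY=value` secret assignments. The file names, patterns beyond AWS's documented `AKIA` prefix, and the sample content are assumptions constructed for the demo.

```python
"""Scan a web document root for secrets a credential harvester could fetch
over HTTP. Added example; file names, patterns and sample data are assumed."""
import os
import re
import tempfile

# Files commonly left readable under a web root by mistake (assumed list).
RISKY_NAMES = {".env", ".env.bak", "config.php.bak", "wp-config.php.bak"}

# Secret patterns matching what the article says Legion harvests. The AKIA
# prefix is AWS's documented access key ID format; the generic assignment
# pattern is an assumption covering .env-style KEY=value files.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"^\s*[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*\s*=\s*\S+",
        re.IGNORECASE | re.MULTILINE),
}

def scan_webroot(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in RISKY_NAMES:
                findings.add((rel, "sensitive file inside web root"))
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for label, pattern in PATTERNS.items():
                if pattern.search(text):
                    findings.add((rel, f"matches {label}"))
    return sorted(findings)

def demo():
    """Build a constructed web root containing one leaked .env and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("APP_NAME=demo\nAWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"
                 "MAIL_PASSWORD=constructed-sample\n")  # constructed values
    return scan_webroot(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real document root with `scan_webroot("/var/www/html")` (path assumed); any finding is a candidate for moving the secret out of the served tree or rotating it.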
Cyware Publisher