Crooks are exploiting years-old vulnerabilities to deploy Androxgh0st malware and build a cloud-credential stealing botnet, according to the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
In a joint warning issued on Tuesday, the US government agencies said the Python-scripted malware primarily targets .env files that contain user credentials for AWS, Microsoft Office 365, SendGrid, and Twilio. After scanning for and exploiting these stolen credentials, Androxgh0st can also be used to deploy web shells, remotely execute code, steal sensitive data, and even spin up new AWS users and instances, we’re told.
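The advisory's point is that plaintext .env files holding credentials for exactly these four services are the prize. As an added illustration (not code from the FBI/CISA advisory or from the malware), the script below walks a directory tree, parses any .env file it finds, flags variables whose names match common AWS, Microsoft 365, SendGrid and Twilio conventions, and reports whether the file is world-readable, so an admin can rotate what is exposed. The variable-name patterns are assumptions, not an exhaustive list.

```python
# Defender-side check added as an example for this article (not code from the advisory
# or the malware). Variable-name patterns below are assumed conventions, not exhaustive.
import os
import re
SERVICE_PATTERNS = {  # service -> regex on the variable NAME
    "aws": re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$"),
    "office365": re.compile(r"^(O365|OFFICE365|MS_GRAPH|AZURE_AD)_\w*(SECRET|PASSWORD|TOKEN)$"),
    "sendgrid": re.compile(r"^SENDGRID_\w*(KEY|PASSWORD)$"),
    "twilio": re.compile(r"^TWILIO_(AUTH_TOKEN|API_KEY|API_SECRET)$"),
}
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$")
# Constructed sample .env with placeholder values (not real credentials).
SAMPLE_ENV = """AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLD
export AWS_SECRET_ACCESS_KEY="constructed/secret+value"
SENDGRID_API_KEY=SG.constructed.value # rotate me
TWILIO_AUTH_TOKEN=
"""

def parse_env(text):
    """Parse dotenv text into {name: value}; comments and blank lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value[:1] in ("'", '"') and value.find(value[0], 1) > 0:
            value = value[1:value.find(value[0], 1)]  # quoted: text between the quotes
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop a trailing inline comment
        found[name] = value
    return found

def classify_secrets(env):
    """Return sorted [(service, var_name)] for non-empty credential-looking variables."""
    return sorted((svc, name) for name, val in env.items() if val
                  for svc, pat in SERVICE_PATTERNS.items() if pat.match(name))

def scan_tree(root):
    """Walk root; report .env files holding credentials and flag world-readable ones."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fn in (f for f in files if f == ".env" or f.startswith(".env.")):
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = classify_secrets(parse_env(fh.read()))
            if hits:  # mode bit 0o004 = readable by "other"
                report.append({"path": path, "secrets": hits,
                               "world_readable": bool(os.stat(path).st_mode & 0o004)})
    return report
```

Run `scan_tree("/var/www")` (or whatever your web roots are) and treat every hit, world-readable or not, as a credential that belongs in a secrets manager rather than on disk.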