A new AlienFox toolkit has been discovered that allows attackers to look for misconfigured servers by stealing authentication secrets and cloud service credentials, according to researchers at SentinelLabs.
The toolkit is distributed via Telegram and is designed to attack misconfigured hosts in popular services, including online hosting platforms such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop and WordPress. Analysts have already identified three versions of AlienFox and warn that the author is actively developing his malware.
AlienFox is a modular toolkit that includes various custom tools and modified open source utilities created by various authors. Hackers use AlienFox to create lists of misconfigured cloud endpoints (for example, the LeakIX and SecurityTrails platforms are used for this). AlienFox then uses data extraction scripts and searches misconfigured servers for sensitive configuration files commonly used to store secrets, including API keys, credentials, and authentication tokens.
The malware is mainly interested in the secrets of cloud mail platforms, including 1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho.
The toolkit also includes separate scripts for fixing in the system and elevating privileges on vulnerable servers.
SentinelLabs writes that the earliest version found was AlienFox v2, which focuses on web server misconfigurations and file extraction. The malware then searches the files for credentials and verifies them against the target server by trying to connect via SSH using the Paramiko Python library. AlienFox v2 also contains the awses.py script, which automates the sending and receiving of AWS SES (Simple Email Services) messages, and an exploit for the CVE-2022-31279 vulnerability in Laravel PHP Framework.
AlienFox v3 implements automatic extraction of keys and secrets from Laravel environments, and the stolen data contains tags indicating the data collection method used. In addition, the third version of the toolkit has improved performance, with initialization variables, Python classes with modular functions, and process threading.
The newest version of AlienFox is the fourth, with improved code and script organization, as well as an expanded scope. Specifically, AlienFox v4 targets WordPress, Joomla, Drupal, Prestashop, Magento, and Opencart, and comes with an automated Bitcoin and Ethereum wallet seed cracker, helps elevate privileges, and set up automated spam campaigns through compromised accounts.