The Legion credential harvester.

Cado Security described this morning how the Legion AWS credential harvester, malware intended to target and abuse emails, is working in the wild.

A Python-based credential harvester.

The Legion tool is sold via Telegram, an increasingly important C2C channel. It includes modules dedicated to “enumerating vulnerable SMTP servers, conducting remote code execution (RCE), exploiting vulnerable versions of Apache, brute-forcing cPanel and WebHost Manager (WHM) accounts, interacting with Shodan’s API to retrieve a target list (providing you supply an API key), and additional utilities,” such as abuse of AWS services. This threat actor was potentially tracked by Lacework as “AndroxGh0st” in December of last year. Linguistic signs indicate that the threat may be based in Indonesia.

Legion’s functionality.

This credential harvester seems to primarily target web servers running content management systems or PHP-based frameworks, such as Laravel. The researchers write that “From these targeted servers, the tool uses a number of RegEx patterns to extract credentials for various web services. These include credentials for email providers, cloud service providers (AWS), server management systems, databases and payment systems – such as Stripe and PayPal.” The tool is well adapted to support mass spamming or phishing campaigns. 

Best practices for defense against Legion.

Users of affected technologies are advised to review their existing security processes, and determine if things are appropriately stored. Users of Amazon web services are advised to be on higher alert, given the threat actor’s known targeting practices.