CSO Senior Writer

Credential harvesting tool Legion targets additional cloud services

News Analysis
May 24, 2023 | 4 mins
Cloud Security, Malware

Threat actors now use Legion to steal AWS-specific credentials from web servers to enable email and SMS spam campaigns.

A commercial malware tool called Legion that hackers deploy on compromised web servers has recently been updated to extract credentials for additional cloud services to authenticate over SSH. The main goal of this Python-based script is to harvest credentials stored in configuration files for email providers, cloud service providers, server management systems, databases, and payment systems. These hijacked resources enable the attackers to launch email and SMS spam campaigns.

“This recent update demonstrates a widening of scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications,” researchers from cloud forensics and incident response firm Cado Security said in a new report. “It’s clear that the developer’s targeting of cloud services is advancing with each iteration.”

Legion is being sold on a private Telegram group and has additional modules that extend its functionality including:

  • Using the Shodan API to find targets
  • Enumerating vulnerable SMTP servers
  • Launching remote code execution (RCE) exploits against web applications
  • Exploiting vulnerable versions of Apache
  • Brute-forcing cPanel and WebHost Manager (WHM) accounts
  • Deploying webshells
  • Other tools for abusing AWS services

The Cado researchers first documented Legion’s capabilities last month, but the malware seems similar to a tool that researchers from Lacework analyzed in December and dubbed AndroxGh0st. Nevertheless, the new, improved sample analyzed by Cado had zero detections on the multi-engine scanning site VirusTotal, meaning its developers are well versed in evading detection.

From server hijacking to spam

The end goal of the attackers who use Legion is to launch mass spam campaigns via email and SMS using hijacked Simple Mail Transfer Protocol (SMTP) credentials. Some services also provide email-to-SMS functionality via SMTP, and Legion contains a script for sending SMS in this way to most US mobile carriers.

Some of the cloud platform credentials targeted also seem to be tied to this end goal. For example, collected AWS IAM credentials are tested to see if they work with the Amazon Simple Email Service (SES). The tool also attempts to brute-force credentials for SendGrid, a platform for email marketing.

Other services targeted by Legion’s credential harvesting functionality include Twilio, Nexmo, Stripe/PayPal, AWS console credentials, AWS SNS, S3 and SES specific credentials, Mailgun, Plivo, Clicksend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and Tokbox.

Some targeted credentials don’t seem to be directly tied to spam but could be used to support the attackers’ operations, such as databases and web hosting administration panels. The new variant observed by Cado also added support for extracting credentials for DynamoDB, Amazon CloudWatch and AWS Owl, an open-source tool for monitoring changes to AWS accounts.

Exploiting vulnerabilities and misconfigurations

Attackers deploy Legion by exploiting vulnerabilities in PHP, Apache or content management systems that allow them to deploy webshells or remotely execute code on servers. Legion then leverages common misconfigurations in web server permissions, PHP applications or PHP frameworks such as Laravel to access configuration files and files containing environment variables, which the attackers know are stored in specific, predictable locations. Such files often contain secrets and credentials for the databases and services that the web applications require to function.

“Legion attempts to access these .env files by enumerating the target server with a list of hardcoded paths in which these environment variable files typically reside,” the Cado researchers explained. “If these paths are publicly accessible, due to misconfigurations, the files are saved and a series of regular expressions are run over their contents.”
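On the web-server side, that enumeration of hardcoded .env paths leaves a recognisable trail in access logs. The following Python, added here and not taken from the article or from Cado’s report, groups .env requests per source IP over constructed sample log lines (Apache/nginx combined format) and reports which files the server actually served, since the secrets in those must be treated as leaked.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.28.1"
203.0.113.7 - - [24/May/2023:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 404 196 "-" "python-requests/2.28.1"
203.0.113.7 - - [24/May/2023:10:01:04 +0000] "GET /api/.env HTTP/1.1" 200 812 "-" "python-requests/2.28.1"
198.51.100.2 - - [24/May/2023:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# One regex for the "combined" log format: client IP, timestamp, request line, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Matches "/.env" and variants such as "/.env.bak" at the end of the request path.
ENV_PATH_RE = re.compile(r'(?:^|/)\.env(?:\.[A-Za-z0-9_.-]+)?$')


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_env_probes(log_text):
    """Group .env requests by source IP.

    For each IP that requested at least one .env path, count the attempts and
    record which paths the server answered with 2xx: those files were served,
    so the credentials inside them must be rotated.
    """
    findings = defaultdict(lambda: {"attempts": 0, "exposed": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string
        if not ENV_PATH_RE.search(path):
            continue
        entry = findings[rec["ip"]]
        entry["attempts"] += 1
        if rec["status"].startswith("2"):
            entry["exposed"].append(path)
    return dict(findings)
```

Any IP in the result with a non-empty `exposed` list identifies a file that was served and whose secrets should be rotated immediately; a 404-only pattern still shows the scanning behaviour described above.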

The new Legion variant now also tries to log in to the server over SSH using any database username and password pair found in the configuration files, on the assumption that the database user might also exist on the Linux system with the same password. The SSH access is implemented with Paramiko, a Python library that implements the SSH protocol. This code was also present in the previous version of Legion but was commented out, so it was inactive.

If the SSH login succeeds, the malware executes the Linux uname -a shell command, which prints out basic information about the system such as the server’s name, CPU architecture, and operating system version. This tells the attackers that the login is valid and can be used for persistent access to the server in the future.

“It’s recommended that developers and administrators of web applications regularly review access to resources within the applications themselves, and seek alternatives to storing secrets in environment files,” the Cado researchers said. If the malware compromises an AWS account, it creates an IAM user with the tag “Owner” set to the value “ms.boharas.” This can serve as a sign of the account being compromised and can be used to build automated detections, the researchers said.
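Defenders can turn the Owner=ms.boharas marker into a detection. The following Python, added here and not part of the article or Cado’s report, scans CloudTrail IAM records for CreateUser or TagUser calls that carry that tag; the records are constructed for the example (the account ID, user names and ARNs are invented) and follow the shape of CloudTrail IAM events.

```python
def _record(time, name, principal, user_name, owner):
    """Build a minimal CloudTrail-shaped IAM record (constructed test data, not real telemetry)."""
    return {"eventTime": time, "eventSource": "iam.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{principal}"},
            "requestParameters": {"userName": user_name,
                                  "tags": [{"key": "Owner", "value": owner}]}}


# Constructed sample events: two carry the Legion marker, one is a legitimate admin action.
SAMPLE_EVENTS = [
    _record("2023-05-24T10:05:00Z", "CreateUser", "web-app", "backup-svc", "ms.boharas"),
    _record("2023-05-24T10:06:00Z", "TagUser", "web-app", "deploy", "MS.Boharas"),
    _record("2023-05-24T11:00:00Z", "CreateUser", "admin", "analyst", "platform-team"),
]

# Marker reported by Cado: Legion tags the IAM user it creates with Owner=ms.boharas.
# Compared case-insensitively so a trivial casing change does not slip past the rule.
SUSPICIOUS_TAGS = {("owner", "ms.boharas")}
TAGGING_EVENTS = {"CreateUser", "TagUser"}


def event_tags(event):
    """Return lower-cased (key, value) pairs from the event's requestParameters.tags."""
    params = event.get("requestParameters") or {}
    return [(str(t.get("key", "")).lower(), str(t.get("value", "")).lower())
            for t in params.get("tags") or []]


def detect_legion_iam_users(events):
    """Flag IAM CreateUser/TagUser events carrying the Legion marker tag.

    Each hit records the tagged user, the principal whose credentials made the
    call (the likely compromised key) and the time, for triage and key rotation.
    """
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in TAGGING_EVENTS:
            continue
        if any(tag in SUSPICIOUS_TAGS for tag in event_tags(ev)):
            hits.append({
                "eventTime": ev.get("eventTime"),
                "eventName": ev.get("eventName"),
                "userName": (ev.get("requestParameters") or {}).get("userName"),
                "principal": (ev.get("userIdentity") or {}).get("arn"),
            })
    return hits
```

In production the same function can be fed the `Records` array of a CloudTrail log file or the output of a CloudTrail Lake query; the `principal` field points at the access key to revoke first.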