Credential harvesting malware appears on deep web

Cloud-focused credential harvester and spam utilities, used to illicitly extract an organization’s database of usernames, passwords and emails, are on the rise. By some estimates, over 24 billion credentials had been stolen by late 2022. One extraction tool, spotted in the wild by cloud forensics and incident response company Cado Security, is a Python-based malware which Cado dubbed Legion — a tool making it easier to launch business email compromises and other social engineering hacks at scale.

Jump to:

Spamming mobile carrier users

Legion targets various services for email exploitation, according to Cado, whose research indicates that Legion is likely linked to the AndroxGh0st malware family first reported in December 2022. Threat actors are selling Legion on the deep web, via the Telegram messenger (Figure A).

Figure A

According to Cado’s new research, Legion uses servers running content management systems, hypertext preprocessors (or PHPs) and frameworks based on PHPs to grab credentials for email providers, cloud service providers, server management systems, databases and payment platforms like Stripe and PayPal. It can also hijack SMS messages and compromise Amazon Web Services credentials and send SMS spam messages to AT&T, Sprint and Verizon users.

SEE: Mobile Device Security Policy (TechRepublic Premium)

The report said Legion appears to be part of an emerging generation of hacking tools that aim to automate the credential harvesting process to compromise SMTP (email and SMS transfer protocol) services.

Scraping web libraries for phone numbers and other data

According to Matt Muir, threat intelligence researcher at Cado Security, the malware builds up lists of telecoms or area-specific numbers to target using Python web scraping.

“Scraping is the process of extracting useful (often textual) data from web pages. In Legion’s case, the popular Python web scraping library BeautifulSoup is used to scrape telephone numbers from the randomphonenumbers.com website,” he said, adding that it uses SMTP credentials retrieved during the credential harvesting phase to send messages to the numbers.

“Phishing would be an obvious use for this functionality but it can also be useful for general spamming operations,” he said. “If you have a requirement to send SMS messages en masse to random phone numbers then Legion can help with this.”

Cado Labs researchers also found a YouTube channel, “Forza Tools,” that included a “how to”  tutorial series for Legion. The researchers said that the fact that the developer Legion has gone to the effort of creating a video series, suggests that the tool is widely distributed and is likely paid malware (Figure B).

Figure B

Legion shares features with other cloud-centric malware packages

Muir said that while it is difficult to track the provenance of these cloud-focused malware tools because their developers steal code from one another, Legion’s functionality and codebase are similar to those of Andr0xGhost and AlienFox, discovered and named by Lacework and Sentinel Labs, respectively.

“Those malware families also target the same SMTP services as Legion, including AWS SES,” he said, adding that these tools are often distributed via Telegram and their features make them attractive to those wishing to conduct mass spam or phishing operations. According to Muir, Legion is likely sold as a tool under a perpetual license model, through a one-off fee paid to the administrator of the Telegram group where the tool is advertised. He said that this revenue-generating model differs from a subscription or recurring payment typically found in malware-as-a-service products.

“Although we can assume not everybody in these groups will purchase a license for the software, it shows that there is considerable demand for such a tool,” he said. “If even half of the members purchased a license and used the SMTP abuse capabilities for spam or phishing purposes, I don’t think it’s unreasonable to assume that tens of thousands of users would be affected.”

How Legion differs from other credential harvesting tools

Unlike other credential harvesting malware, Legion focuses on compromising SMTP services and exploitation of misconfigured web services to harvest credentials for abuse.

“It also bundles additional functionality traditionally found in more common hack tools, such as the ability to execute web server specific exploit code and brute force account credentials,” said Muir.

He added that Legion does not exploit new vulnerabilities. “Much of the exploit code shipped with the tool is derived from public proof of concepts or based on code from other offensive security tools,” he said, adding that it most likely employs the search engine Shodan, which lets users filter for specific servers on the web — to gather targets.

Users responsible for combatting Legion

Muir said that while carriers probably have monitoring in place to identify when mass spamming is conducted on their infrastructure, a target’s best option is to report suspicious messages immediately and get assistance with identifying and mitigating phishing attacks.

The report pointed out that cloud providers like AWS and Azure are not responsible for these attacks, since they have a shared responsibility model in place that users are obligated to follow.

“Since Legion relies on misconfigurations in services deployed by users, this would likely fall under the user’s remit in a shared responsibility context,” according to the report.

“Legion’s credential harvesting relies on misconfigured web servers with exposed credentials,” explained Muir. “Under CSP shared responsibility models, correct configuration of web servers would be the responsibility of the user rather than the provider, as generally the user is the one deploying and administering the web server.”