AlienFox toolset used to steal cloud-based email service credentials
A new modular toolkit, AlienFox, allows malicious actors to harvest credentials from multiple cloud service providers, according to SentinelLabs. The toolset is available for sale and primarily distributed on Telegram as source code archives. The modules are also available on GitHub for actors to customize their malicious code to suit their needs.
AlienFox allows its operators to harvest API keys and secrets from popular services such as AWS SES and Microsoft Office 365. The malware targets misconfigured servers running popular web frameworks, including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. It is also able to target secrets for popular cloud-based email platforms, including 1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho.
The most recent version of AlienFox, Version 4, shows a different structure than previous versions. It adds targeting for WordPress, Joomla, Drupal, Prestashop, Magento, and Opencart, as well as an Amazon.com retail site account checker. The latest version also includes Wallet Cracker scripts, Tools 19 (BTC.py) and 20 (ETH.py), which automate cracking of cryptocurrency wallet seeds for Bitcoin and Ethereum, respectively.
The spread of AlienFox represents a trend towards attacking more minimal cloud services that are unsuitable for cryptomining. Attackers use AlienFox to identify and collect service credentials from misconfigured or exposed services. AlienFox demonstrates another stage in the evolution of cybercrime in the cloud.
Actors use AlienFox to collect lists of misconfigured hosts from security scanning platforms, including LeakIX and SecurityTrails. They use multiple scripts in the toolset to extract sensitive information such as API keys and secrets from configuration files exposed on victims’ web servers.
Later versions of the toolset added scripts that automate malicious actions using the stolen credentials, including establishing Amazon Web Services (AWS) account persistence and privilege escalation, and collecting send quotas and automating spam campaigns through victim accounts or services.
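The harvesting described above depends on framework configuration files being reachable over HTTP. As an added example (not from the SentinelLabs report or the AlienFox code), the following Python detection logic scans constructed access-log lines for requests to such files and flags any that the server actually served; the list of sensitive paths is an assumption to be extended per environment.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not taken from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Mar/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.10 - - [28/Mar/2023:10:01:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 0 "-" "python-requests/2.28"
198.51.100.7 - - [28/Mar/2023:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [28/Mar/2023:10:02:11 +0000] "GET /config/app.php HTTP/1.1" 403 0 "-" "python-requests/2.28"
"""

# Assumed list of paths where the web frameworks named in the article keep secrets
# (Laravel .env, WordPress wp-config.php, Joomla configuration.php, PHP config directories).
SENSITIVE_PATHS = re.compile(r"^/(\.env|wp-config\.php(\.bak)?|config/.*\.php|configuration\.php)$")

# Minimal combined-log-format parser: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_config_probes(log_text):
    """Return (ip, path, status, exposed) for each request to a sensitive config path.
    exposed is True when the server answered 200, i.e. the file was most likely served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if SENSITIVE_PATHS.match(path):
            status = int(m.group("status"))
            hits.append((m.group("ip"), path, status, status == 200))
    return hits

def summarize_by_source(hits):
    """Group probes per source IP: repeated probes indicate reconnaissance,
    any 'exposed' entry means secrets may already have been read and keys should be rotated."""
    per_ip = defaultdict(lambda: {"probes": 0, "exposed": []})
    for ip, path, status, exposed in hits:
        per_ip[ip]["probes"] += 1
        if exposed:
            per_ip[ip]["exposed"].append(path)
    return dict(per_ip)

if __name__ == "__main__":
    for ip, info in summarize_by_source(find_config_probes(SAMPLE_LOG)).items():
        print(ip, info)
```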
The sources for this piece include an article in SecurityAffairs.