A recently discovered cloud-focused malware tool has seemingly been updated with additional functionality.
The Legion hacktool, marketed in Telegram and in public groups and channels, harvests credentials from misconfigured web servers and uses those credentials for email abuse, researchers at Cado Labs, who discovered Legion, said in a blog post.
“In the sample of Legion previously analysed by Cado, the developers included code within a class named ‘legion’ to parse a list of exfiltrated database credentials and extract username and password pairs,” the researchers said. “The function then attempted to use these credentials in combination with a matching host value to log in to the host via SSH – assuming that these credentials were being reused across services.”
The malware uses the Paramiko SSH library to try the harvested credentials from Python.
Researchers noted that the malware hunts “for environment variable files in misconfigured web servers running PHP frameworks such as Laravel,” and then tries to access .env files “by enumerating the target server with a list of hardcoded paths in which these environment variable files typically reside.” If misconfigurations have made the paths publicly accessible, “the files are saved and a series of regular expressions are run over their contents,” they explained.
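As an added example that is not Cado's analysis code or Legion's own, the script below shows how a defender could spot the enumeration pattern described above in web server access logs: repeated requests for `.env`-style paths from one source, and any such request answered with a 2xx status, which means the environment file was actually served. The log lines, IP addresses and paths are constructed samples, not real traffic.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2023:12:00:01 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.28"
203.0.113.7 - - [10/Apr/2023:12:00:02 +0000] "GET /public/.env HTTP/1.1" 404 162 "-" "python-requests/2.28"
203.0.113.7 - - [10/Apr/2023:12:00:03 +0000] "GET /laravel/.env HTTP/1.1" 200 1421 "-" "python-requests/2.28"
198.51.100.2 - - [10/Apr/2023:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Apr/2023:12:00:06 +0000] "GET /.env.backup HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Any request whose final path segment is an environment-variable file (.env, .env.local, .env.bak, ...).
ENV_FILE_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)*$')

def is_env_probe(path):
    path = path.split('?', 1)[0]  # ignore any query string
    return bool(ENV_FILE_RE.search(path))

def analyse(log_text, probe_threshold=2):
    """Per source IP: number of .env probes and the paths that returned 2xx (i.e. the file was exposed)."""
    probes = defaultdict(int)
    exposed = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_env_probe(m["path"]):
            continue
        probes[m["ip"]] += 1
        if m["status"].startswith("2"):
            exposed[m["ip"]].append(m["path"])
    return {ip: {"probes": n, "enumeration": n >= probe_threshold,
                 "exposed_paths": exposed[ip]} for ip, n in probes.items()}

if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

A non-empty `exposed_paths` entry is the finding to act on first: the file was served, so every secret in it should be treated as compromised and rotated, and the web server configured to deny access to dotfiles.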