Legion Malware Upgraded to Target SSH Servers and AWS Credentials
An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services credentials associated with DynamoDB and CloudWatch.
"This recent update demonstrates a widening of scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," Cado Labs researcher Matt Muir said in a report shared with The Hacker News.
Legion, a Python-based hack tool, was first documented last month by the cloud security firm, which detailed its ability to breach vulnerable SMTP servers in order to harvest credentials.
It's also known to exploit web servers running content management systems, leverage Telegram as a data exfiltration point, and send spam SMS messages to a list of dynamically-generated U.S. mobile numbers by making use of the stolen SMTP credentials.
A notable addition to Legion is its ability to exploit SSH servers using the Paramiko module.
"Misconfigurations in web applications are still the primary method used by Legion to retrieve credentials," Muir said.
News URL
https://thehackernews.com/2023/05/legion-malware-upgraded-to-target-ssh.html