Threat Research: Legion Hacking Tool
What is the Legion Hacking Tool?
Legion, a new Python-based credential harvester and Simple Mail Transfer Protocol (SMTP) hijacking tool, has been developed to target online email services for phishing and spam campaigns, and is being advertised for sale on Telegram. The malware is primarily intended to scan for and parse Laravel application secrets from exposed user environment variables (.env) files. The tool targets many services for credential theft, including payment API functions, Amazon Web Services (AWS) console credentials – AWS SNS, S3 and SES specifically – Mailgun, and database/content management systems (CMS) platforms. The threat actor behind Legion listed the features as: performs SMTP server enumeration, remote code execution, exploit vulnerable Apache versions, brute-force cPanel and WebHost Manager accounts, interact with Shodan’s API, and abuse AWS services. Additionally, the malware can create administrator users, implant webshells, and send out spam SMS messages to customers in the United States. The carriers impacted by the malware include AT&T, Sprint, US Cellular, T-Mobile, Cricket, Verizon, Virgin, SunCom, Alltel, Cingular, and VoiceStream among others.
Legion Hacking Tool Background
Little is currently known about Legion malware, but it is assessed that the threat actor that developed it is mimicking and improving upon features offered by AndroxGh0st and Alienfox. Legion relies on opensource tools to find vulnerabilities with configurations or initial phishing and spam campaigns as an initial access point. Legion also offers configuration capabilities to the user that allow the integration of Twilio and Shodan services. Twilio provides programmable communication tools for phone calls and SMS messaging through web service APIs. While Shodan allows users to search servers connected to the internet, in which it scraps those servers’ metadata and sends the information to the user.
The improved features of Legion have attracted a large number of followers with the Telegram channel showing over 1,000 members. The malware author has also established a YouTube channel called “Forza Tools” to assist users with malware tutorial videos. The Telegram and YouTube channels indicate that the malware is being widely distributed as a paid malware service.
Legion Hacking Tool Attack Pattern
The initial access relies on misconfigured or unsecured web servers running content management systems and Hypertext Processor (PHP)-based frameworks that expose files that hold secrets, authentication tokens, or API keys. Legion then uses the compromised credentials to gain access to email services to establish administrator rights authorizing the rogue user to gain full access to all AWS services and resources. Once this state is achieved, the threat actor will initiate a phishing or spam email campaign. Furthermore, if the malware can generate a list of phone numbers with area codes from the compromised credentials, an SMS spam campaign will be initiated.
Recommendations to Protect your Organization from Legion
Legion is an all-purpose credential harvester and hacking tool gaining traction in the world of cybercrime. This malware increases the risk for poorly managed and misconfigured web servers to be targets of opportunity. It’s recommended that organizations review their existing security processes and ensure that secrets are appropriately stored. If companies store credentials in a .env file, they need to confirm that they are stored in outside web server directories that are inaccessible from the web.
The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.
References:
Stay Connected on Today’s Cyber Threat Landscape
RELATED RESOURCES
- Webinar
Critical Start Platform Updates
We are excited to announce the latest enhancements to Critical Start’s Cyber Operations Risk &... - Datasheet
Critical Start Asset Visibility
Critical Start Asset Visibility gives you a single source of truth for your asset inventory, uncover... - eBook
Enhancing MDR Outcomes Through Asset Visibility: A Strategic Guide
What You’ll Learn If you’re a cybersecurity professional tasked with improving detection, stream...
RESOURCE CATEGORIES
- Buyer's Guides(1)
- Consumer Education(40)
- Consumer Stories(2)
- Cybersecurity Consulting(7)
- Data Breaches(15)
- Data Privacy(43)
- Incident Response(2)
- Interview(51)
- MDR Services(77)
- MobileSOC(9)
- News(5)
- Press Release(96)
- Research Report(11)
- Security Assessments(4)
- Thought Leadership(20)
- Threat Hunting(3)
- Video(1)
- Vulnerability Disclosure(1)