The new Python-based Legion malware is being linked to a potential Indonesian developer.
Cloud forensics and incident response platform startup Cado Security Ltd. has revealed details of a new credential harvester and hacking tool called “Legion.”
According to researchers, Legion is being sold on Telegram and is designed to exploit various services for email abuse. The tool is believed to be linked to the AndroxGh0st malware family, which was first reported in December 2022.
The use of Telegram for selling Legion malware should not come as a surprise, as the popular messaging platform has often been associated with illegal activities. In fact, just last week, it was reported that threat actors are leveraging Telegram to automate phishing attacks, highlighting the platform’s role in facilitating cybercriminal activities.
Legion specifically targets web servers running content management systems, PHP or PHP-based frameworks. It has the ability to retrieve credentials for a wide range of web services, including email providers, cloud service providers, server management systems, databases, and payment platforms like Stripe Inc. and PayPal Holdings Inc. Additionally, Legion can hijack SMS messages and compromise Amazon Web Services Inc. credentials.
One notable feature of Legion is its set of modules that can enumerate vulnerable SMTP servers, conduct remote code execution, exploit vulnerable versions of Apache, and brute-force cPanel and WebHost Manager accounts.
It also interacts with the Shodan Search Engine’s API to retrieve a target list and has modules focused on abusing AWS services. Researchers have also highlighted Legion’s ability to send SMS spam messages to mobile network users in the United States across all carriers, which sets it apart from other similar tools.
Legion is being sold on various Telegram channels and is being promoted on YouTube through tutorial videos, suggesting that it is widely distributed and likely paid malware.
While the origin of the malware is not confirmed, comments found in Bahasa Indonesia suggest that the developer may be Indonesian or based in Indonesia. A GitHub Gist link leads to a user named “Galeh Rizky” with a profile indicating residence in Indonesia.
As a precaution, Cado Security researchers recommend in their report that users of web server technologies and frameworks like Laravel review their existing security processes and ensure that credentials are appropriately stored.
Ideally, sensitive information such as credentials should be stored in a .env file outside of web server directories to prevent unauthorized access.
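As a defender's check on that recommendation, the following added example (not code from Cado Security's report) walks a web server document root, reports any .env file that would be reachable over HTTP, and lists the credential-bearing variable names it defines without ever returning their values. The sensitive-prefix list, the Laravel-style `public/` layout and the sample .env contents are assumptions constructed for the demonstration.

```python
"""Audit a document root for .env files that a web server would serve (added example)."""
import tempfile
from pathlib import Path

# Assumed prefixes of variables worth flagging; extend for your own stack.
SENSITIVE_PREFIXES = ("AWS_", "MAIL_", "DB_", "STRIPE_", "PAYPAL_", "TWILIO_")


def parse_env_keys(text):
    """Return variable names defined in .env content; values are deliberately never returned."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if key.startswith("export "):        # dotenv files sometimes use shell syntax
            key = key[len("export "):].strip()
        keys.append(key)
    return keys


def find_exposed_env_files(docroot):
    """Map each .env* file under docroot (relative path) to its sensitive variable names."""
    docroot = Path(docroot).resolve()
    findings = {}
    for path in docroot.rglob(".env*"):      # pathlib globbing matches dotfiles
        if not path.is_file():
            continue
        keys = parse_env_keys(path.read_text(errors="replace"))
        findings[str(path.relative_to(docroot))] = [
            k for k in keys if k.startswith(SENSITIVE_PREFIXES)
        ]
    return findings


def demo():
    """Constructed layout: project/.env sits outside the docroot (safe), public/.env inside it (exposed)."""
    project = Path(tempfile.mkdtemp())
    public = project / "public"
    public.mkdir()
    (project / ".env").write_text("APP_KEY=placeholder\nAWS_SECRET_ACCESS_KEY=placeholder\n")
    (public / ".env").write_text(
        "# copied into the web root by mistake\nDB_PASSWORD=placeholder\n"
        "MAIL_PASSWORD=placeholder\nAPP_DEBUG=true\n"
    )
    return find_exposed_env_files(public)    # only the copy under public/ is reported


if __name__ == "__main__":
    for rel, keys in demo().items():
        print(f"exposed: {rel} defines {keys}")
```

Point the function at the directory your web server actually serves (for Laravel, `public/`), not the project root; an empty result means no .env file is inside the served tree.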
The discovery of Legion highlights the ongoing threat of credential harvesting and hacking tools in the cybersecurity landscape. It serves as a reminder for organizations to prioritize robust security measures and stay vigilant against evolving cyber threats.
Meanwhile, the trend of using Telegram as a platform for buying and selling malware is concerning, as it provides a convenient and anonymous means for cybercriminals to conduct illicit activities.