Legion: Malware Circulates with Capabilities for Credential Theft and Email Compromise
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Cado Security
A Python-based malware with capabilities to abuse AWS services, credential harvesting, remote code execution, and email hijacking is circulating in Telegram dubbed "Legion." Guides and walkthroughs for using Legion can be found on a YouTube channel “Forza Tools.” Cado Security researchers examined the malware identifying its credential harvesting component focused mainly on exploiting web servers that run Content Management Systems (CMS), as well as PHP or PHP-based frameworks like Laravel. Against those targeted servers, "the tool uses a number of RegEx patterns to extract credentials for various web services. These include credentials for email providers, cloud service providers (AWS), server management systems, databases, and payment systems – such as Stripe and PayPal," as observed by Cado. Legion is feature-rich with support with drop web shells, conduct brute-force attacks and bulk sends SMS to US mobile numbers.
The Legion malware is noted for its capability to obtain AWS credentials from compromised servers. "Not only does the malware claim to harvest these from target sites, but it also includes a function dedicated to brute-forcing AWS credentials – named aws_generator()." As found in the malware's Python script, Legion is capable of creating a new AWS user account named "ses_legion," adding it to a newly created IAM group, and attaching an administrator-level policy, akin to "AdministratorAccess'' to proceed with elevated privileges. "Consistent with the assumption that Legion is primarily concerned with cracking email services, the malware attempts to use the newly created AWS IAM user to query Amazon Simple Email Service (SES) quota limits and even send a test email," as noted by Cado Security. The emerging threat of Legion malware is especially worrisome given its extensive range of features, large following on Telegram, and the significant investment made by its creators to educate users on how to use the malware effectively. This combination of factors makes it highly likely that the malware will continue to be a serious threat to organizations and individuals who rely on AWS services and other web-based systems.
- New AWS User with Elevated Permissions Accesses SES
Anvilogic Use Cases:
- AWS CreateUser
- AWS Attach IAM user Role OR Policy
- AWS SES Modification