
New Python Based “Legion” Hacking Tool Appears on Telegram
An emerging Python-based credential harvester and hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.
Legion, according to Cado Labs, includes modules for enumerating vulnerable SMTP servers, performing remote code execution (RCE) attacks, exploiting unpatched Apache versions, and brute-forcing cPanel and WebHost Manager (WHM) accounts.
The malware is allegedly related to another malware family called AndroxGh0st, previously documented by cloud security services provider Lacework in December 2022.
Cybersecurity firm SentinelOne, in an analysis published late last month, revealed that AndroxGh0st is part of a comprehensive toolkit called AlienFox that is offered to threat actors to steal API keys and secrets from cloud services.
“Legion appears to be part of a generation of cloud-focused credential harvesters/spam,” security researcher Matt Muir told The Hacker News. “Developers of these tools frequently steal code from each other, making attribution to specific groups difficult.”
As well as using Telegram as a data exfiltration point, Legion is designed to exploit web servers running content management systems (CMS), PHP, or PHP-based frameworks such as Laravel.
“It can retrieve credentials for various web services, such as email providers, cloud service providers, server management systems, databases, and payment platforms such as Stripe and PayPal,” said Cado Labs.
Some of the other target services include SendGrid, Twilio, Nexmo, AWS, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and TokBox.
The main goal of the malware is to enable threat actors to hijack services and weaponize the infrastructure for follow-up attacks, including mass spam and opportunistic phishing campaigns.
The cybersecurity firm said it also found a YouTube channel containing video tutorials on how to use Legion, indicating that “the tool is widely distributed and is likely paid malware.” This YouTube channel, which was created on June 15, 2021, remains active as of the time of this writing.
Additionally, Legion can retrieve AWS credentials from insecure or misconfigured web servers and send SMS spam messages to users of US mobile networks such as AT&T, Sprint, T-Mobile, Verizon, and Virgin by leveraging stolen SMTP credentials.
“To do this, the malware retrieves the area code for the user-selected US state from the website www.randomphonenumbers(.)com,” said Muir. “The base number generator function is then used to generate a list of phone numbers to target.”
Another important aspect of Legion is its ability to exploit a well-known PHP vulnerability to register a web shell for persistent remote access or execute malicious code.
The origins of the threat actor behind the tool, which uses the alias “forzatools” on Telegram, are still unknown, although Indonesian-language comments in the source code suggest the developer may be Indonesian or based in the country.
“Because this malware relies heavily on misconfiguration in web server technologies and frameworks such as Laravel, it is recommended that users of these technologies review existing security processes and ensure that secrets are kept appropriately,” said Muir.
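The recommendation above (review security processes and make sure secrets are stored appropriately) can be turned into a concrete check that a Laravel operator can run over a deployment before a tool like Legion does the looking. The script below is an added example, not code from Cado Labs, SentinelOne or the article. It assumes the Laravel convention that `public/` is the web document root and that secrets live in a root-level `.env` file; the key names it greps for and the sample tree built by `build_sample_tree` are constructed for the demo.

```python
"""Audit a Laravel-style project tree for secrets a web server could hand out.

Added example, not code from the article or from Cado Labs. Assumes the
Laravel layout (public/ is the document root, secrets in a root-level .env);
key names and sample values are constructed for the demo.
"""
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Typical Laravel .env keys whose values are secrets (assumption: extend
# this list for your own project). Only a key with a non-empty value counts.
SECRET_KEY_RE = re.compile(
    r"^(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|MAIL_PASSWORD|DB_PASSWORD|"
    r"STRIPE_SECRET|TWILIO_AUTH_TOKEN)[ \t]*=[ \t]*\S+",
    re.MULTILINE,
)


def is_env_like(name: str) -> bool:
    """.env and its copies (.env.bak, .env.local, ...) but not the committed template."""
    return name != ".env.example" and (name == ".env" or name.startswith(".env."))


def audit_secrets(project_root: Path) -> list[str]:
    """Return sorted human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    public_dir = project_root / "public"
    for path in project_root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(project_root).as_posix()
        env_like = is_env_like(path.name)
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        has_secret = bool(SECRET_KEY_RE.search(text))
        if not (env_like or has_secret):
            continue
        # 1. Secret material under the document root is one HTTP GET away
        #    unless the server is explicitly configured to deny it.
        if public_dir in path.parents:
            findings.append(f"{rel}: secret material inside the web root public/")
        # 2. Backup/copy variants of .env often outlive the original's protections.
        if env_like and path.name != ".env":
            findings.append(f"{rel}: .env copy/backup; delete or move it out of the tree")
        # 3. A world-readable secret file leaks to every local account on the host.
        mode = path.stat().st_mode
        if os.name == "posix" and mode & stat.S_IROTH:
            findings.append(f"{rel}: world-readable (mode {stat.filemode(mode)})")
    return sorted(findings)


def build_sample_tree() -> Path:
    """Construct a small project tree with deliberate mistakes (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="env_audit_"))
    (root / "public").mkdir()
    secret = (
        "APP_NAME=demo\n"
        "AWS_ACCESS_KEY_ID=AKIACONSTRUCTEDEXAMPLE\n"      # constructed, not a real key
        "AWS_SECRET_ACCESS_KEY=constructed-secret-value\n"
    )
    good = root / ".env"
    good.write_text(secret)
    good.chmod(0o600)                        # correct: owner-only, outside public/
    leaked = root / "public" / ".env.bak"    # mistake: a copy inside the web root
    leaked.write_text(secret)
    leaked.chmod(0o644)                      # and readable by everyone
    (root / ".env.example").write_text("AWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\n")
    (root / "public" / "index.php").write_text("<?php echo 'ok';\n")
    return root


def audit_sample() -> list[str]:
    """Build the demo tree, audit it, and clean up; returns the findings."""
    root = build_sample_tree()
    try:
        return audit_secrets(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Run it against a real deployment with `audit_secrets(Path("/var/www/app"))`; the demo tree reports only the `public/.env.bak` copy, which trips all three checks, while the properly permissioned root `.env` and the valueless `.env.example` template stay quiet.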