The latest version of commodity malware called Legion comes with extended features for compromising SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
“This latest update demonstrates an expanded scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications,” Cado Labs researcher Matt Muir said in a report shared with The Hacker News.
“It’s clear that the developer’s targeting of cloud services is advancing with each iteration.”
Legion, a Python-based hacking tool, was first documented last month by a cloud security firm, detailing its ability to penetrate vulnerable SMTP servers to obtain credentials.
It was also known to exploit web servers running content management systems (CMS), utilize Telegram as a data exfiltration point, and send spam SMS messages to a dynamically generated list of US mobile numbers by leveraging stolen SMTP credentials.
An important addition to Legion is the ability to compromise SSH servers using the paramiko Python module. It also includes a feature to retrieve additional AWS-specific credentials associated with DynamoDB, CloudWatch, and AWS Owl from Laravel web applications.
Another change is the inclusion of additional paths that are checked for exposed .env files, such as /cron/.env, /lib/.env, /sitemaps/.env, /tools/.env, /uploads/.env, and /web/.env, among others.
“Configuration errors in web applications are still the primary method Legion uses to retrieve credentials,” said Muir.
“Therefore, it is recommended that web application developers and administrators regularly review access to resources within the application itself, and seek alternatives to storing secrets in environment files.”
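Because Legion's credential harvesting depends on web servers that answer requests for .env files, the quickest way to tell whether a site was probed, and whether a probe actually succeeded, is to look for those requests in the access log. The following is an added example written for this article, not code from Legion or from Cado Labs: it parses standard combined-format access log lines, flags any request for a .env file (the paths listed above plus any other directory prefix, and variants such as .env.backup), and separates mere probes from requests that were answered with a 2xx status, which means the file was served and every secret in it should be treated as compromised. The log lines are constructed for the example.

```python
"""Detect .env probes in web server access logs (added example, not Legion's code)."""
import re
from collections import defaultdict

# Combined log format as written by nginx and Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Any path ending in /.env, optionally with a suffix (.env.backup, .env.prod)
# and an optional query string. This covers the paths named in the report
# (/cron/.env, /lib/.env, ...) and the general pattern behind them.
ENV_PROBE_RE = re.compile(r'/\.env(\.[\w.-]+)?(?:\?.*)?$')

# Constructed sample log: one scanner hitting three .env paths (one served),
# and a normal visitor who also requests a backup variant that is denied.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.28.1"
203.0.113.7 - - [10/May/2023:10:01:02 +0000] "GET /cron/.env HTTP/1.1" 404 162 "-" "python-requests/2.28.1"
203.0.113.7 - - [10/May/2023:10:01:03 +0000] "GET /uploads/.env HTTP/1.1" 200 1874 "-" "python-requests/2.28.1"
198.51.100.4 - - [10/May/2023:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2023:10:02:11 +0000] "GET /.env.backup HTTP/1.1" 403 153 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_env_probe(path):
    """True if the request path targets a .env file (any directory, any suffix)."""
    return ENV_PROBE_RE.search(path) is not None


def scan(lines):
    """Group .env requests by source IP.

    Returns {ip: {"probes": count, "served": [paths answered with 2xx]}}.
    A non-empty "served" list is the actionable finding: the file was exposed.
    """
    hits = defaultdict(lambda: {"probes": 0, "served": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_env_probe(rec["path"]):
            continue
        entry = hits[rec["ip"]]
        entry["probes"] += 1
        if rec["status"].startswith("2"):
            entry["served"].append(rec["path"])
    return dict(hits)


def scan_sample():
    """Run the scanner over the constructed sample log."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in scan_sample().items():
        state = "EXPOSED: " + ", ".join(info["served"]) if info["served"] else "probed only"
        print(f"{ip}: {info['probes']} .env request(s), {state}")
```

On the sample log this reports 203.0.113.7 as having made three .env requests with /uploads/.env served, and 198.51.100.4 as a single denied probe. In a real deployment the "served" paths are what matter: a 404 or 403 shows the server configuration held, while a 200 means the application keys, database and AWS credentials in that file need to be rotated. Blocking the requests at the web server is the complement to this detection, and moving secrets out of files under the document root, as the report recommends, removes the target altogether.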