AlienFox — A Hacking Toolkit That Steals Credentials From Multiple Cloud Services
By Binesh madharapu
A new “comprehensive toolset” called AlienFox is being distributed on Telegram as a way for threat actors to harvest API keys and secrets from popular cloud service providers.
The toolkit is sold to cybercriminals via a private Telegram channel, which has become a typical funnel for transactions among malware authors and hackers.
It’s a modular set of tools that enables malicious actors to scan for poorly configured servers, potentially leading to the theft of cloud-based email service credentials and authentication secrets.
In a March 30 blog post, SentinelLabs said the threat actor uses AlienFox to harvest API keys and secrets from many major cloud service providers, including AWS Simple Email Service, Google Workspace, Microsoft Office 365, Twilio, Zimbra, and Zoho.
Researchers at SentinelLabs who analyzed AlienFox report that the toolset targets common misconfigurations in popular web hosting frameworks such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress.
SentinelLabs has identified a new toolkit dubbed AlienFox that attackers are using to compromise email and web hosting services. AlienFox is highly modular and evolves regularly.
The analysts have identified three versions of AlienFox, indicating that the author of the toolkit is actively developing and improving the malicious tool.
SentinelLabs identified AlienFox versions 2 through 4, from February 2022 onward. Several scripts SentinelLabs analyzed were summarized by other researchers as malware families Androxgh0st (Lacework) and GreenBot (Permiso). As the researchers from the other organizations noted, the scripts are also readily available in open sources, including GitHub, which lends to constant adaptation and variation in the wild.
We identified the following Telegram URLs embedded in AlienFox files, followed by the number of scripts in which each channel was found as “Frequency”.
Cloud-based Email Platforms Targeted
- 1and1
- AWS
- Blue mail
- Exotel
- Google Workspace
- Mailgun
- Mandrill
- Nexmo
- Office365
- OneSignal
- Plivo
- Sendgrid
- Sendinblue
- Sparkpostmail
- Tokbox
- Twilio
- Zimbra
- Zoho
Identified versions of AlienFox
All the versions of AlienFox that the security analysts identified:-
- AlienFox V2
- AlienFox V3.x
- AlienFoxV4
The discovery of three different versions of AlienFox suggests that the toolkit’s creator is actively developing and improving the malicious toolkit. This finding comes from the analysis conducted by cybersecurity researchers at SentinelOne.
AlienFox V2
The oldest of the known AlienFox toolsets, Version 2 focuses primarily on extracting credentials from web server configuration or environment files. The archive we analyzed contains output from when an actor ran the tools, which included AWS access & secret keys. In this version of the AlienFox toolset, the core utility is housed in a script named s3lr.py, which is similar to env.py outlined in later versions.
Version 2 contains awses.py, a script that uses the AWS SDK Boto3 Python client to automate activities related to AWS Simple Email Service (SES), including sending & receiving messages and applying an elevated privilege persistence profile to the AWS account.
This script also contains encoded commands that potentially target CVE-2022-31279, a rejected Laravel PHP Framework deserialization vulnerability.
AlienFox V3.x
Of the three known major versions of AlienFox, we identified the most unique archives labeled as Version 3. We observed the following name variations and respective file creation dates:
- ALIEN-FOX AFV 3.0 Izmir — February 2022
- ALIENFOX III V3.0 AFV.EXE — February 2022
- ALIEN-FOX AFV 3.5 JAGAUR — April 2022
- ALIEN-FOX AFV 3.5 rondrickmadeit — February 2022
Version 3.x contained the first observed version of the script Lar.py, which automates extraction of keys and secrets from compromised Laravel .env files and logs the results to a text file along with the targeted server details. Lar.py was uploaded to VirusTotal along with the script’s output, providing us a glimpse into its utility to threat actors.
AlienFox steals credentials & secrets
There are a number of custom tools in AlienFox that were developed by different authors and utilize a variety of modified open-source utilities.
Using security scanning platforms, malicious actors employ AlienFox to obtain inventories of poorly configured cloud endpoints from sources including:-
- LeakIX
- SecurityTrails
Next, AlienFox uses data-extraction scripts to retrieve configuration files from the misconfigured servers; these files commonly store sensitive data such as:-
- API keys
- Account credentials
- Authentication tokens
In addition to its primary function, the toolkit features independent scripts that can enable the tool to establish persistence and elevate privileges on servers with identified vulnerabilities.
With the release of AlienFox v3, the toolkit can now automatically extract keys and secrets from Laravel environments. In addition, harvested data now includes tags that specify the acquisition method.
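As an added defensive example (not code from the SentinelLabs report or from AlienFox itself), the Python script below scans web server access-log lines for requests to Laravel .env files and the Laravel log path, separating blocked probes from successful disclosures so that defenders can tell scanning activity apart from an actual secret leak. The log lines, IP addresses and paths are constructed samples.

```python
import re

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Mar/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.10 - - [30/Mar/2023:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.7 - - [30/Mar/2023:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Mar/2023:10:02:11 +0000] "POST /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.55 - - [30/Mar/2023:10:03:00 +0000] "GET /storage/logs/laravel.log HTTP/1.1" 200 90210 "-" "curl/7.88"
"""

# Fields of one combined-log line: client IP, timestamp, method, path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths whose disclosure leaks framework secrets: any .env file (including
# backups like .env.bak) and the Laravel application log.
SENSITIVE_PATH_RE = re.compile(r'(^|/)\.env(\.|$)|/storage/logs/laravel\.log$', re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return 'exposed' (sensitive file served, 2xx), 'probe' (requested but
    blocked or missing) or None (path is not sensitive)."""
    path = entry["path"].split("?", 1)[0]          # ignore the query string
    if not SENSITIVE_PATH_RE.search(path):
        return None
    status = int(entry["status"])
    return "exposed" if 200 <= status < 300 else "probe"

def scan_log(text):
    """Return (verdict, ip, path, status) for every sensitive-path request."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append((verdict, entry["ip"], entry["path"], entry["status"]))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(*finding)
```

An "exposed" verdict means the secrets in that file must be treated as compromised and rotated, not merely blocked going forward.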
AlienFoxV4
The most recent of the known toolsets, this set is organized much differently, with each tool assigned a numerical identifier (e.g., Tool1, Tool2). There is a core script in the AlienFox root directory named ALIENFOXV4.py that serves as a bootstrap for the numbered tool scripts in the child folders.
“There are massive amounts of sensitive data in these cloud-based email and messaging systems that are now at severe risk of exposure,” Benjamins said. “Considering how widely platforms like AWS, Google Workspace, Office365, and Zoho are used — even if the targeting is opportunistic — the potential for widespread business risk is substantial. The whole supply chain can be put at risk. The realities of this threat cannot be ignored, especially as toolkits evolve in the wild.”
Additionally, implementing MFA (multi-factor authentication) and monitoring for any unusual or suspicious activity on accounts can help stop intrusions early.
Below are the recommendations offered by the security researchers to help defenders counter this evolving threat:-
- Administrators must ensure that their servers’ access control settings are configured correctly.
- Ensure that file permissions on the server are set properly.
- Remove any unnecessary services that are running on your server.
- Make sure to enable multi-factor authentication.
- Ensure that any activity on your accounts that seems unusual or suspicious is closely monitored.