Security researchers have discovered upgrades to an emerging cloud-focused hack tool called “Legion” that harvests credentials from misconfigured web servers and uses them to hijack emails.

In April Cado researchers detailed Legion’s ability to breach vulnerable SMTP servers in order to harvest credentials and abuse emails. They observed the commodity malware exploiting web servers running content management systems (CMS), leveraging Telegram as a data exfiltration point, and sending spam SMS messages to a list of dynamically generated U.S. mobile numbers through the stolen SMTP credentials.

Now, upgrades observed in the wild include expanded features to harvest credentials from:

  • SSH servers
  • Amazon Web Services (AWS)
  • Amazon DynamoDB
  • Amazon CloudWatch

Impact

Legion is distributed and marketed in various public groups and channels within the Telegram instant messaging service. The threat exploits vulnerabilities on all web servers, and the additional functionality particularly impacts cloud security.

DXC perspective

To mitigate against Legion malware attacks, we recommend the following practices:

  • Store credentials in an .env file outside of web server directories to prevent unauthorized access.
  • Monitor networks and endpoints for C2 traffic and abnormal user behavior.
  • Install and regularly update antivirus software on all hosts and enable real-time detection. 
  • Install updates/patch operating systems, software and firmware as soon as updates/patches are released. 

We also recommend establishing a secure infrastructure and robust cyber defense program  to protect from ransomware attacks of all kinds.

Threat hunting tips

IOCs

The malware creates an IAM user and sets the tag “Owner” to the value “ms.boharas”. This is a strong malware indicator of compromise and can be used for detection engineering and investigations.

Other IOCs include:

Filename: SHA256

og.py: 6f059c2abf8517af136503ed921015c0cd8859398ece7d0174ea5bf1e06c9ada

User agents:

  • Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
  • Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
  • Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
  • Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36