On April 13, 2023, Cado Labs researchers reported the technical details of a new malware they dubbed “Legion.”
Context
According to the report, Legion is written in Python and includes credential harvesting and SMTP hijacking capabilities. Researchers reported that the tool is currently being sold on Telegram.
Technical Details
According to researchers, key features of Legion include modules dedicated to:
- enumerating vulnerable SMTP servers,
- conducting Remote Code Execution (RCE),
- exploiting vulnerable versions of Apache,
- brute-forcing cPanel and WebHost Manager (WHM) accounts,
- interacting with Shodan’s API to retrieve a target list (provided an API key is supplied), and
- additional utilities, many of which involve abusing AWS services.
Cado Labs researchers also assessed that Legion is related to a previously reported malware named AndroxGh0st.
Researchers also noted that, at the time of their reporting, no detections were available in VirusTotal for Legion. Since then, multiple detections have appeared for both files analyzed in the report, legion[.]py and legion[.]py (variant).
IOCs
Cado Labs researchers provided the following indicators of compromise (IOCs):
Indicator | Type | Notes
fcd95a68cd8db0199e2dd7d1ecc4b76265 | SHA256 | legion.py
42109b61cfe2e1423b6f78c093c3411989 | SHA256 | legion.py (variant)
Note: as reproduced here, both values are 34 hex characters, shorter than a full SHA-256 digest (64 hex characters); verify them against the original Cado Labs report before loading them into a blocklist.
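As an added check (example code written for this summary, not from the Cado Labs report): a small Python routine that parses an IOC table in the layout above and flags any entry whose hex length or character set does not match its declared hash type. The embedded table is a copy of the two rows reproduced here; run against them, it rejects both because a SHA-256 digest is 64 hex characters, not 34.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Expected hex-digest lengths for the hash types an IOC feed commonly carries.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# The IOC table exactly as reproduced in the summary above (values copied from the page).
IOC_TABLE = """\
Indicator | Type | Notes
fcd95a68cd8db0199e2dd7d1ecc4b76265 | SHA256 | legion.py
42109b61cfe2e1423b6f78c093c3411989 | SHA256 | legion.py (variant)
"""


@dataclass
class Ioc:
    indicator: str
    ioc_type: str
    notes: str
    problem: Optional[str]  # None when the value is well-formed for its declared type


def check_hash(value: str, ioc_type: str) -> Optional[str]:
    """Return a description of what is wrong with a hash IOC, or None if it is well-formed."""
    expected = HASH_LENGTHS.get(ioc_type)
    if expected is None:
        return f"unknown hash type {ioc_type}"
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return "non-hex characters"
    if len(value) != expected:
        return f"length {len(value)}, expected {expected} for {ioc_type}"
    return None


def parse_ioc_table(text: str) -> List[Ioc]:
    """Parse a pipe-delimited 'Indicator | Type | Notes' table, validating each hash row."""
    rows = []
    lines = [line for line in text.splitlines() if line.strip()]
    for line in lines[1:]:  # first line is the header
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 3:
            raise ValueError(f"malformed IOC row: {line!r}")
        indicator, ioc_type, notes = cols
        ioc_type = ioc_type.upper()
        rows.append(Ioc(indicator, ioc_type, notes, check_hash(indicator, ioc_type)))
    return rows


def usable_iocs(rows: List[Ioc]) -> List[Ioc]:
    """Only well-formed entries should reach a blocklist or detection rule."""
    return [r for r in rows if r.problem is None]
```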