New Python-Based Malware “Legion” Includes AWS Credential Harvesting and SMTP Hijacking Capabilities

Researchers disclose technical details of new python-based malware, “Legion.”

On April 13, 2023, Cado Labs researchers reported the technical details of a new malware they dubbed “Legion.”

Context

According to the report, Legion is written in Python and includes credential harvesting and SMTP hijacking capabilities. Researchers reported that the tool is currently being sold on Telegram.

Technical Details

According to researchers, key features of Legion include modules dedicated to:

  • enumerating vulnerable SMTP servers,
  • conducting Remote Code Execution (RCE),
  • exploiting vulnerable versions of Apache,
  • brute-forcing cPanel and WebHost Manager (WHM) accounts,
  • interacting with Shodan’s API to retrieve a target list (providing you supply an API key) and
  • additional utilities, many of which involve abusing AWS services

Cado Labs researchers also assessed that Legion is related to a previously reported malware named AndroxGh0st.

Researchers also noted that as of their reporting time, no detections were available in VirusTotal for Legion.  However, there are currently multiple detections for both files analyzed in the report, legion[.]py (VT Detections here) and legion[.]py (variant) (VT detections here).

IOCs

Cado Labs researchers provided the following indicators of compromise (IOCs):

Indicator

Type

Notes

fcd95a68cd8db0199e2dd7d1ecc4b76265
32681b41654519463366e27f54e65a

SHA256

legion.py

42109b61cfe2e1423b6f78c093c3411989
838085d7e6a5f319c6e77b3cc462f3

SHA256

legion.py (variant)

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.