{"id":14289,"date":"2023-04-19T09:37:11","date_gmt":"2023-04-19T09:37:11","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=14289"},"modified":"2023-04-19T09:53:26","modified_gmt":"2023-04-19T09:53:26","slug":"legion-hacker-tool","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/legion-hacker-tool\/","title":{"rendered":"Legion Hacker Tool Used to Steal Data from Poorly Protected Websites"},"content":{"rendered":"

Experts have discovered a Python-based Legion hacking tool that is sold via Telegram and is used as a way to hack into various online services for further exploitation.<\/p>\n

Let me remind you that we also wrote that Microsoft<\/strong> Told How To Detect The Installation Of The BlackLotus<\/strong> UEFI Bootkit<\/a>, and also that Experts discovered ESPecter<\/strong> UEFI bootkit used for espionage<\/a>.<\/p>\n

Attacks with Legion Hacker Tool<\/h2>\n

According to Cado Labs<\/strong> researchers, the Legion<\/strong> malware has modules for enumerating vulnerable SMTP servers, conducting remote code execution (RCE<\/strong>) attacks, exploiting unpatched versions of Apache, brute force cPanel and WebHost Manager (WHM<\/strong>) accounts, as well as interacting with the Shodan<\/strong> API and abusing AWS<\/strong> services.<\/p>\n

The researchers say the malware shares similarities with another malware family, AndroxGh0st<\/strong>, which was first discovered by cloud security provider Lacework<\/strong> in December 2022<\/a>.<\/p>\n

Last month, SentinelOne<\/strong> published an analysis of AndroxGh0st, which showed that the malware is part of the AlienFox<\/strong> toolkit<\/a>, which is offered to criminals to steal API keys and secrets from cloud services.<\/p>\n

Legion appears to be part of a new generation of cloud credential harvesting and spam utilities. The developers of these tools often steal code from each other, making attribution difficult.experts<\/a><\/span><\/div><\/div>\n

In addition to using Telegram<\/strong> to extract data, Legion is designed to hack web servers with CMS, PHP, or PHP-based frameworks such as Laravel<\/strong>.<\/p>\n

It is capable of obtaining credentials for a wide range of web services such as email providers, cloud providers, server management systems, databases, and payment platforms, including Stripe<\/strong> and PayPal<\/strong>.Cado Labs' report.<\/span><\/div><\/div>\n

Other targeted services include SendGrid<\/strong>, Twilio<\/strong>, Nexmo<\/strong>, AWS<\/strong>, Mailgun<\/strong>, Plivo<\/strong>, ClickSend<\/strong>, Mandrill<\/strong>, Mailjet<\/strong>, MessageBird<\/strong>, Vonage<\/strong>, Exotel<\/strong>, OneSignal<\/strong>, Clickatell<\/strong>, and TokBox<\/strong>.<\/p>\n

\"Legion
Services being attacked by Legion<\/figcaption><\/figure>\n

In addition, Legion extracts AWS credentials from insecure or misconfigured web servers and sends spam SMS to users of US operators, including AT&T<\/strong>, Sprint<\/strong>, T-Mobile<\/strong>, Verizon<\/strong>, and Virgin<\/strong>.<\/p>\n

What’s the matter?<\/h2>\n

The main goal of the malware is to use the infrastructure of hijacked services for subsequent attacks, including bulk spam mailings and opportunistic phishing campaigns.<\/p>\n

The researchers also discovered a YouTube<\/strong> channel (created June 15, 2021) containing tutorial videos on Legion. Experts conclude that “the tool is widespread and most likely is paid malware.”<\/p>\n

\"Legion
“Educational videos” published by the hacker<\/figcaption><\/figure>\n

The location of the creator of this tool, who uses the Telegram nickname forzatools<\/strong>, remains unknown, although the presence of comments in Indonesian in the code indicates that the developer may be Indonesian or located in that country.<\/p>\n","protected":false},"excerpt":{"rendered":"

Experts have discovered a Python-based Legion hacking tool that is sold via Telegram and is used as a way to hack into various online services for further exploitation. Let me remind you that we also wrote that Microsoft Told How To Detect The Installation Of The BlackLotus UEFI Bootkit, and also that Experts discovered ESPecter […]<\/p>\n","protected":false},"author":3,"featured_media":14293,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[29,271],"class_list":{"0":"post-14289","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-hackers","9":"tag-telegram"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2023\/04\/Legion-hacker-tool.webp","author_info":{"display_name":"Vladimir Krasnogolovy","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/krasnogolovy\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/14289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=14289"}],"version-history":[{"count":5,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/14289\/revisions"}],"predecessor-version":[{"id":14297,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/14289\/revisions\/14297"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/14293"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=14289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=14289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=14289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}