Laravel Security: "Androxgh0st" Malware Targeting Laravel apps?
[Notice #2] What is this malware targeting Laravel, and should you be concerned about your apps?
TL;DR → You’re only vulnerable if your `.env` file is web-accessible or you have debug mode enabled, and the RCE relies on an outdated version of Laravel.
A bunch of news articles have popped up over the past couple of days talking about the “Androxgh0st” malware that has been specifically targeting Laravel apps[^1]. To avoid folks getting the wrong idea that “Laravel is insecure”, or that all Laravel apps are being targeted, I wanted to send out a special Laravel Security Notice to explain exactly what’s going on with this malware and what conditions need to be met for it to compromise your site.
The Vulnerability
On 16th January 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory titled “Known Indicators of Compromise Associated with Androxgh0st Malware”. Check out the advisory if you’re interested in the full details, but here’s the summary of the attack:

1. The malware scans for Laravel apps on the internet.
2. After finding a Laravel app, it checks for exposed `.env` files to steal the credentials and API keys.
3. It may also send a `POST` request with the variable `0x[]` to trigger an error, looking for sites with debug mode enabled. The debug error page includes the environment variables, so this can also expose credentials and API keys.
4. If it’s successful in accessing the application key, it’ll attempt to exploit a known Remote Code Execution (RCE) vulnerability in Laravel v5 (CVE-2018-15133) with the `X-XSRF-TOKEN` cookie: the framework decrypts that cookie with `APP_KEY` and then unserializes it, so anyone holding the key can hand the app a malicious serialized object.
The primary target is to steal app credentials and API keys, which would allow the attackers to gain access to any third party services your app uses (the coverage highlights AWS and Microsoft 365 credentials), with a secondary bonus of getting RCE to execute malicious code - typically to run a shell and add the server to the botnet.
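If you want to know whether the first two stages above have already hit your servers, the access log is the place to look. Here is an added example (my code, not from the original post, the CISA advisory, or Laravel) that scans an nginx/Apache `combined` format log for `.env` probes, flags the ones that were actually served, and points out a follow-up `POST /` from the same source. It assumes the standard field layout (client IP in field 1, request line in fields 6-8, status in field 9) and also catches copies like `/.env.bak`, which is my extension of the advisory’s `/.env` check. The sample log lines in the block are constructed, not real traffic.

```shell
#!/usr/bin/env sh
# Added example for this notice (not code from the original post, the CISA
# advisory or Laravel): find the first two attack stages in a web server
# access log.  Assumes nginx/Apache "combined" format, where the client IP is
# field 1, the request line is fields 6-8 and the status is field 9; adjust
# those indexes for a custom log_format.

# Usage: scan_access_log /var/log/nginx/access.log
scan_access_log() {
  awk '
  {
    ip = $1; method = substr($6, 2); path = $7; status = $9
    sub(/\?.*/, "", path)                 # ignore the query string
    # /.env at any depth, plus copies such as /.env.bak or /.env.production
    if (path ~ /\/\.env$/ || path ~ /\/\.env\./) {
      probed[ip] = 1
      if (status == 200) {
        got_env[ip] = 1
        printf "EXPOSED %s %s -> %s (file was served: rotate every secret in it)\n", ip, path, status
      } else {
        printf "PROBE %s %s -> %s\n", ip, path, status
      }
    } else if (method == "POST" && path == "/" && (ip in probed)) {
      # The 0x[] debug trigger travels in the POST body, which the access log
      # never records; a POST to / from a source that just probed .env is the tell.
      printf "FOLLOWUP_POST %s POST / -> %s (look for 0x[] in application logs)\n", ip, status
    }
  }
  END {
    p = 0; e = 0
    for (ip in probed) p++
    for (ip in got_env) e++
    printf "SUMMARY sources_probing=%d sources_that_got_env=%d\n", p, e
  }' "$1"
}

# Constructed sample lines (not real traffic) so the script runs offline.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [16/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 403 153 "-" "curl/7.88"
203.0.113.5 - - [16/Jan/2024:10:00:02 +0000] "GET /api/.env HTTP/1.1" 404 0 "-" "curl/7.88"
198.51.100.9 - - [16/Jan/2024:10:01:00 +0000] "GET /.env HTTP/1.1" 200 912 "-" "python-requests/2.31"
198.51.100.9 - - [16/Jan/2024:10:01:01 +0000] "POST / HTTP/1.1" 500 4210 "-" "python-requests/2.31"
192.0.2.7 - - [16/Jan/2024:10:02:00 +0000] "POST / HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.7 - - [16/Jan/2024:10:02:10 +0000] "GET /login?next=.env HTTP/1.1" 200 3201 "-" "Mozilla/5.0"
EOF
}

# With no argument, run against the sample; otherwise scan the given log.
if [ $# -ge 1 ]; then
  scan_access_log "$1"
else
  sample=$(mktemp)
  write_sample_log "$sample"
  scan_access_log "$sample"
  rm -f "$sample"
fi
```

A `403`/`404` on `/.env` means your server blocked the probe; a `200` means the file left the building and every value in it (database password, `APP_KEY`, cloud credentials) should be treated as stolen. The ordinary user at `192.0.2.7` who posts to `/` without ever touching `.env`, or who merely has `.env` in a query string, is not reported.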
Is Your App Vulnerable?
To be vulnerable to this malware attack, your app needs to have either:

- Exposed `.env` File
  The only way this is possible is if Laravel has been incorrectly installed entirely within a web-accessible directory (usually a subdirectory), so all of the files, including `.env`, are web-accessible - rather than just the `public/` directory, as is the intended default.
- Debug Mode Enabled
  i.e. `APP_DEBUG=true` in your `.env` file. Note that `config/app.php` casts the value with `(bool)`, so values like `off` or `no` do not turn it off; use `false` or `0`.
If either condition holds, treat the app as already compromised: your credentials and API keys have been stolen, and every secret in `.env` needs rotating.
The malware then attempts to exploit a known RCE vulnerability to gain remote access/shell to the server for further compromise. CISA has recorded it as using a v5 RCE, however any other RCE or weakness in older versions of Laravel could be exploited just as effectively here.
Therefore, your app is not vulnerable if:

- `.env` isn’t accessible.
- Debug Mode is disabled.
- Laravel is kept updated to v9 or v10.
From what I’ve seen, the majority of Laravel apps are not vulnerable, especially any that are actively maintained. This would primarily affect old and abandoned apps, which were never properly installed or managed.
Preventing The Vulnerability
There are a few steps you should take to ensure your Laravel apps are safe:
- Protect Your `.env` File
  Ensure your `.env` file is outside the web-accessible directory, or if you can’t do that, configure Nginx/Apache to block access to dot files (`.*`).
- Disable Debug Mode on World-Accessible Apps
  Ensure you keep debug mode off on world-accessible apps - which includes staging and testing sites. Debug mode leaks all sorts of sensitive information, and triggering errors is fairly easy.
- Keep Laravel Updated
Ensure you keep up with Laravel releases and are always using a supported version. As of writing, that is v10 for bug fixes, and v9 for security fixes. Anything older should be considered insecure and a risk.
If you do these three things, then your app is safe from this malware. They are also pretty standard checklist items, but as we’ve seen by this malware targeting Laravel, a reminder is always a good idea!
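As an added, stand-alone check of those three items (my example, not code from the original post or from Laravel), here is a shell audit you can run on a server or checkout. It assumes `$1` is the app root holding `.env` and `composer.json` and `$2` is the directory the web server actually serves as its document root (`public/` in a correct install). The `APP_DEBUG` parsing mirrors the `(bool) env('APP_DEBUG', false)` cast in `config/app.php`, so anything other than `false`, `0`, `null` or an empty value counts as on. The version check is a heuristic on the `composer.json` constraint, and treating majors 9 and 10 as supported matches the date of this notice.

```shell
#!/usr/bin/env sh
# Local audit for the three Androxgh0st preconditions (exposed .env, debug mode,
# outdated framework). Added example for this notice; not code from the original
# post or from Laravel. Assumptions: $1 is the app root holding .env and
# composer.json, $2 is the directory the web server serves as document root.

set -u

# Canonical absolute path of a directory, without depending on realpath(1).
abs_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# 1. Is .env inside the served tree?  EXPOSED when the document root is the app
#    root or one of its parents (the "installed entirely under htdocs" mistake).
check_env_location() {
  app_root=$(abs_dir "$1") || { echo "ERROR: bad app root $1"; return 2; }
  docroot=$(abs_dir "$2") || { echo "ERROR: bad document root $2"; return 2; }
  case "$app_root/" in
    "$docroot"/*) echo "EXPOSED: $app_root/.env is under document root $docroot" ;;
    *)            echo "OK: .env is outside document root $docroot" ;;
  esac
}

# 2. Read APP_DEBUG the way Laravel does.  config/app.php uses
#    (bool) env('APP_DEBUG', false); env() maps "false"/"(false)" to false and
#    "null"/"(null)"/"empty"/"(empty)" to null or '', and PHP's (bool) makes
#    "0" and "" false, so every other non-empty value, including "off" and
#    "no", turns debug ON.  Takes the last APP_DEBUG line, strips quotes and
#    trailing comments.
check_debug_flag() {
  env_file="$1/.env"
  [ -f "$env_file" ] || { echo "UNSET: no .env at $env_file"; return 0; }
  raw=$(sed -n 's/^[[:space:]]*APP_DEBUG[[:space:]]*=//p' "$env_file" | tail -n 1 \
        | sed 's/[[:space:]]#.*$//' | tr -d "\"'\r[:space:]")
  case "$(printf '%s' "$raw" | tr 'A-Z' 'a-z')" in
    "")                                               echo "UNSET: APP_DEBUG not set (defaults to off)" ;;
    false|"(false)"|0|null|"(null)"|empty|"(empty)")  echo "DEBUG_OFF: APP_DEBUG=$raw" ;;
    *)                                                echo "DEBUG_ON: APP_DEBUG=$raw" ;;
  esac
}

# 3. Heuristic: major version of laravel/framework required in composer.json.
#    Majors 9 and 10 are treated as supported, matching the date of this notice.
check_framework_version() {
  composer="$1/composer.json"
  [ -f "$composer" ] || { echo "UNKNOWN: no composer.json in $1"; return 0; }
  major=$(sed -n 's|.*"laravel/framework"[[:space:]]*:[[:space:]]*"[^0-9]*\([0-9][0-9]*\).*|\1|p' \
          "$composer" | head -n 1)
  [ -n "$major" ] || { echo "UNKNOWN: laravel/framework not listed in composer.json"; return 0; }
  if [ "$major" -ge 9 ]; then
    echo "SUPPORTED: laravel/framework major version $major"
  else
    echo "OUTDATED: laravel/framework major version $major (unsupported; the v5 RCE lives here)"
  fi
}

# Run all three; exit status 1 if anything needs fixing.
audit() {
  findings=0
  for line in "$(check_env_location "$1" "$2")" "$(check_debug_flag "$1")" \
              "$(check_framework_version "$1")"; do
    echo "$line"
    case "$line" in EXPOSED*|DEBUG_ON*|OUTDATED*) findings=$((findings + 1)) ;; esac
  done
  [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /var/www/myapp /var/www/myapp/public
if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```

The document root check deliberately compares canonical paths, so a symlinked `htdocs` pointing at the app root is still caught. It only tells you where `.env` sits relative to what is served; if you rely on a dot-file deny rule instead of the correct layout, confirm it separately by requesting `/.env` from outside and expecting a `403` or `404`.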
[^1]: News coverage of the advisory:
    https://therecord.media/malware-hackers-creating-botnet-cisa-fbi
    https://securityboulevard.com/2024/01/androxgh0st-malware-safebreach-coverage-for-us-cert-alert-aa24-016a/
    https://securityboulevard.com/2024/01/hackers-building-androxgh0st-botnet-to-target-aws-o365-feds-warn/
    https://www.scmagazine.com/news/botnet-fuels-androxgh0st-malwares-punch
    https://www.csoonline.com/article/1291495/fbi-warns-against-cloud-credential-stealing-androxgh0st-botnet.html
    https://www.darkreading.com/cloud-security/cisa-aws-microsoft-365-accounts-androxgh0st-attack