Legion Malware Upgraded to Target SSH Servers and AWS Credentials

Legion malware

An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.

“This recent update demonstrates a widening of scope, with new capabilities such the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications,” Cado Labs researcher Matt Muir said in a report shared with The Hacker News.

“It’s clear that the developer’s targeting of cloud services is advancing with each iteration.”

Legion, a Python-based hack tool, was first documented last month by the cloud security firm, detailing its ability to breach vulnerable SMTP servers in order to harvest credentials.

It’s also known to exploit web servers running content management systems (CMS), leverage Telegram as a data exfiltration point, and send spam SMS messages to a list of dynamically-generated U.S. mobile numbers by making use of the stolen SMTP credentials.

A notable addition to Legion is its ability to exploit SSH servers using the Paramiko module. It also includes features to retrieve additional AWS-specific credentials related to DynamoDB, CloudWatch, and AWS Owl from Laravel web applications.

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Another change relates to the inclusion of additional paths to enumerate for the existence of .env files such as /cron/.env, /lib/.env, /sitemaps/.env, /tools/.env, /uploads/.env, and /web/.env among others.

“Misconfigurations in web applications are still the primary method used by Legion to retrieve credentials,” Muir said.

“Therefore, it’s recommended that developers and administrators of web applications regularly review access to resources within the applications themselves, and seek alternatives to storing secrets in environment files.”

Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

 To keep up to date follow us on the below channels.