Researchers have spotted a new credential-harvesting toolset, aimed at cloud service provider accounts, being shared in the wild through Telegram.
The toolset, called AlienFox, is described as a cloud spammer's Swiss Army knife with the ability to attack multiple services in numerous ways. It is used to harvest application programming interface (API) keys and secrets from services including Amazon Simple Email Service (SES) and Microsoft Office 365.
AlienFox is distributed as source code archives. Though primarily distributed on Telegram, some of the modules are also available on GitHub. Most of the tools offered as part of AlienFox are open source, meaning they can also be modified to suit the specific needs of attackers.
Modus Operandi
- Using AlienFox starts with attackers collecting lists of misconfigured hosts from security scanning platforms such as LeakIX and SecurityTrails.
- After obtaining that information, multiple scripts in the toolset are used to extract sensitive information, such as API keys and secrets, from configuration files exposed on victims' web servers.
Later versions of AlienFox are said to establish AWS account persistence and privilege escalation. The toolkit can also collect send quotas and automate spam campaigns through victim accounts or services.
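The two behaviours described above, querying send quotas and then establishing persistence in the account, leave a recognisable sequence in the account's API audit log. The following is an added detection example and is not code from the SentinelOne report or from the AlienFox toolset. It runs over constructed, simplified CloudTrail-style records (the account ID, identity ARNs and timestamps are made up for illustration) and flags any identity that looks up the SES send quota and, within a short window, creates new IAM credentials. The set of "persistence" action names and the 30-minute window are assumptions to tune for your environment.

```python
"""Added example: flag identities that query the SES send quota and then
create new IAM credentials shortly afterwards (constructed audit records)."""
from datetime import datetime, timedelta

# IAM actions that create a new way into an account. The list is an
# assumption chosen for illustration; extend it to match your environment.
PERSISTENCE_ACTIONS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy"}
# SES quota lookup as it appears in CloudTrail (assumption: SES v1 API name).
QUOTA_ACTIONS = {"GetSendQuota"}

# Constructed, simplified CloudTrail-style records. Only the fields the
# detection needs are present; real records carry many more.
SAMPLE_EVENTS = [
    {"eventTime": "2023-03-30T08:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/mail-monitor"}},
    {"eventTime": "2023-03-30T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
    {"eventTime": "2023-03-30T10:00:00Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/web-app"}},
    {"eventTime": "2023-03-30T10:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/web-app"}},
    {"eventTime": "2023-03-30T10:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/web-app"}},
    # Same identity, but two hours later: outside the correlation window.
    {"eventTime": "2023-03-30T12:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/web-app"}},
]


def parse_time(ts):
    """CloudTrail eventTime is UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_quota_then_persistence(events, window=timedelta(minutes=30)):
    """Return {principal_arn: [(eventTime, eventName), ...]} for every IAM
    persistence action that follows a send-quota lookup by the same
    principal within `window`. Quota lookups alone (monitoring) and
    credential creation alone (routine admin) are not reported."""
    by_principal = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        by_principal.setdefault(ev["userIdentity"]["arn"], []).append(ev)

    findings = {}
    for arn, evs in by_principal.items():
        quota_times = [parse_time(e["eventTime"]) for e in evs
                       if e["eventSource"] == "ses.amazonaws.com" and e["eventName"] in QUOTA_ACTIONS]
        if not quota_times:
            continue
        for e in evs:
            if e["eventSource"] != "iam.amazonaws.com" or e["eventName"] not in PERSISTENCE_ACTIONS:
                continue
            t = parse_time(e["eventTime"])
            # Flag only if some quota lookup happened before this action and within the window.
            if any(0 <= (t - q).total_seconds() <= window.total_seconds() for q in quota_times):
                findings.setdefault(arn, []).append((e["eventTime"], e["eventName"]))
    return findings


if __name__ == "__main__":
    for arn, hits in flag_quota_then_persistence(SAMPLE_EVENTS).items():
        print(arn)
        for when, name in hits:
            print(f"  {when}  {name}")
```

On the constructed records only the `web-app` identity is reported, for the `CreateUser` and `CreateAccessKey` calls that follow its quota lookup; the monitoring role's lone quota check and the administrator's unrelated user creation stay quiet. Correlating on the calling identity is what keeps the rule useful: either action on its own is normal in most accounts.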
The spread of AlienFox represents an unreported trend toward attacking more minimal cloud services, ones unsuitable for crypto mining, in order to enable and expand subsequent campaigns.
The emergence of toolkits like AlienFox underscores the increasing sophistication of attacker networks and their collective ability to cause harm and disruption. The trend is concerning because the attackers behind AlienFox are adapting the tool to be effective across more targets, particularly services in wide use across enterprises.
To defend against AlienFox tools, organizations should use configuration management best practices and adhere to the principle of least privilege. Consider using a Cloud Workload Protection Platform (CWPP) on virtual machines and containers to detect interactive activity with the OS.
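Least privilege is the recommendation most directly aimed at the harvested-key scenario: a leaked credential can only send mail or create users if the policy behind it allows that. The following is an added example, not code from the report or from any AWS tooling, that lints an IAM policy document for Allow statements whose action wildcards cover the SES sending and IAM credential-creation actions this toolset relies on while the resource is unrestricted (`"*"`). The list of sensitive actions and the two sample policies are constructed for illustration; the example account ID and domain are placeholders.

```python
"""Added example: find Allow statements in an IAM policy that grant
SES sending or IAM credential-creation actions on every resource."""
import fnmatch

# Actions a harvested key should not have on "*". Assumed list for illustration.
SENSITIVE_ACTIONS = [
    "ses:SendEmail", "ses:SendRawEmail", "ses:GetSendQuota",
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:AttachUserPolicy",
]

# Constructed sample policies. The broad one is the kind of catch-all a
# web application's key often ends up with; the scoped one restricts the
# same application to sending from a single verified identity.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ses:*", "iam:Create*"], "Resource": "*"}],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ses:SendEmail", "ses:SendRawEmail"],
         "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com"},
        # Deny statements never grant anything, so they are ignored by the lint.
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns support '*' and '?' and match case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_broad_grants(policy):
    """Return [(statement_index, action_pattern, [sensitive actions it covers]), ...]
    for each Allow statement that combines a sensitive action pattern with
    Resource "*". Statements scoped to a specific resource are not reported."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            covered = [a for a in SENSITIVE_ACTIONS if _matches(pattern, a)]
            if covered:
                findings.append((idx, pattern, covered))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_broad_grants(policy) or "no broad grants")
```

The broad policy is reported twice: `ses:*` covers every SES action on the list, and `iam:Create*` covers the three credential-creation calls. The scoped policy passes even though it grants `ses:SendEmail`, because the grant is tied to one identity ARN rather than `"*"`; a key harvested from that application would be limited to that identity and could not create users or keys. The same check is easy to run against every inline and managed policy attached to application identities as part of configuration review.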
The AlienFox toolset demonstrates another stage in the evolution of cybercrime in the cloud. Cloud services have well-documented, powerful APIs, enabling developers of all skill levels to readily write tooling for them. The toolset has gradually matured through better coding practices as well as the addition of new modules and capabilities.
This research was documented by researchers from SentinelOne.
Indicators of Compromise