Threat Research: Legion Hacking Tool

What is the Legion Hacking Tool?

Legion, a new Python-based credential harvester and Simple Mail Transfer Protocol (SMTP) hijacking tool, has been developed to target online email services for phishing and spam campaigns, and is being advertised for sale on Telegram. The malware is primarily intended to scan for and parse Laravel application secrets from exposed user environment variables (.env) files. The tool targets many services for credential theft, including payment API functions, Amazon Web Services (AWS) console credentials – AWS SNS, S3 and SES specifically – Mailgun, and database/content management systems (CMS) platforms. The threat actor behind Legion listed the features as: performs SMTP server enumeration, remote code execution, exploit vulnerable Apache versions, brute-force cPanel and WebHost Manager accounts, interact with Shodan’s API, and abuse AWS services. Additionally, the malware can create administrator users, implant webshells, and send out spam SMS messages to customers in the United States. The carriers impacted by the malware include AT&T, Sprint, US Cellular, T-Mobile, Cricket, Verizon, Virgin, SunCom, Alltel, Cingular, and VoiceStream among others.

Legion Hacking Tool Background

Little is currently known about Legion malware, but it is assessed that the threat actor that developed it is mimicking and improving upon features offered by AndroxGh0st and Alienfox. Legion relies on opensource tools to find vulnerabilities with configurations or initial phishing and spam campaigns as an initial access point. Legion also offers configuration capabilities to the user that allow the integration of Twilio and Shodan services. Twilio provides programmable communication tools for phone calls and SMS messaging through web service APIs. While Shodan allows users to search servers connected to the internet, in which it scraps those servers’ metadata and sends the information to the user.

The improved features of Legion have attracted a large number of followers with the Telegram channel showing over 1,000 members. The malware author has also established a YouTube channel called “Forza Tools” to assist users with malware tutorial videos. The Telegram and YouTube channels indicate that the malware is being widely distributed as a paid malware service.

Legion Hacking Tool Attack Pattern

The initial access relies on misconfigured or unsecured web servers running content management systems and Hypertext Processor (PHP)-based frameworks that expose files that hold secrets, authentication tokens, or API keys. Legion then uses the compromised credentials to gain access to email services to establish administrator rights authorizing the rogue user to gain full access to all AWS services and resources. Once this state is achieved, the threat actor will initiate a phishing or spam email campaign. Furthermore, if the malware can generate a list of phone numbers with area codes from the compromised credentials, an SMS spam campaign will be initiated.

Recommendations to Protect your Organization from Legion

Legion is an all-purpose credential harvester and hacking tool gaining traction in the world of cybercrime. This malware increases the risk for poorly managed and misconfigured web servers to be targets of opportunity. It’s recommended that organizations review their existing security processes and ensure that secrets are appropriately stored. If companies store credentials in a .env file, they need to confirm that they are stored in outside web server directories that are inaccessible from the web.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

References: