AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services


AlienFox, a complete collection of tools, is currently being shared on Telegram with the aim of enabling cybercriminals to obtain access to important information such as API keys and secret login information from widely used cloud service providers.

According to a report shared with The Hacker News by security researcher Alex Delamotte from SentinelOne, the increase in the use of AlienFox suggests a new pattern of targeting less complex cloud services that are not suitable for cryptocurrency mining. This is done to facilitate and expand future attacks.

The cyber security firm defined the harmful software as extremely adaptable and continuously changing in order to integrate new attributes and improvements in performance.

The main purpose of AlienFox is to identify incorrectly configured hosts by using scanning tools such as LeakIX and SecurityTrails. This is followed by using different scripts from the toolkit to retrieve login details from configuration files that are exposed on these servers.

To be more precise, the process involves looking for vulnerable servers connected with well-known web frameworks such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop and WordPress.

Newer versions of the tool now have the capability to achieve ongoing presence on an Amazon Web Services (AWS) account and increase authority, as well as carry out automated spam campaigns using the compromised accounts.

AlienFox has been reported to launch random attacks that have the ability to collect delicate information about AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, Sendgrid, Twilio, Zimbra and Zoho.

Lacework and Permiso p0 Labs have previously documented two scripts, namely AndroxGh0st and GreenBot.

Androxgh0st is meant to analyze a configuration file for particular variables and retrieve their values to facilitate subsequent misuse. On the other hand, GreenBot (also known as Maintance) features an AWS persistence script that generates a fresh administrator account and removes the hacked authentic account.

Maintenance also includes conducting license verifications to ensure that the script is being sold as a business tool, and the capacity to conduct web server reconnaissance.

SentinelOne reported that it has found three distinct versions of the malware (ranging from v2 to v4) that date back to February 2022. An important feature of AlienFoxV4 is its capacity to verify whether an email address has already been associated with a retail account on, and, if not, create a new account using that same email address.

In order to lessen the risks that AlienFox organizations present, it is advised that companies abide by optimal methods for configuration management and adhere to the PoLP ideology.

According to Delamotte, the AlienFox toolset denotes a new phase in the development of cloud-based cybercrime. If targeted, individuals may encounter extra expenses for services, a decrease in customer confidence, and expenses for remedying Any damage caused by the infiltration.

Post a Comment

Previous Post Next Post