Legion is a new Python-based tool being sold on Telegram by cybercriminals that targets online email services for phishing and spam attacks.

According to a reserch from cybersecurity firm Cado, Legion is a modular malware likely based on the AndroxGhOst malware, with various modules to perform SMTP server enumeration, remote code execution, exploit vulnerable Apache versions, brute-force cPanel and WebHost Manager accounts, interact with Shodan’s API, and abuse AWS services.

Legion targets many services for credential theft and can create administrator users, implant webshells, and send out spam SMS to customers of U.S. carriers.

The tool uses an array of methods to retrieve credentials from misconfigured web servers, and it exploits known PHP vulnerabilities to register a webshell on the targeted endpoint or perform remote code execution to give the attacker full access to the server.

Indicators of Compromise