Legion is a new Python-based tool being sold on Telegram by cybercriminals that targets online email services for phishing and spam attacks.

According to research from the cybersecurity firm Cado, Legion is a modular malware likely based on the AndroxGhOst malware, with modules for SMTP server enumeration, remote code execution, exploitation of vulnerable Apache versions, brute-forcing of cPanel and WebHost Manager accounts, interaction with Shodan’s API, and abuse of AWS services.

Legion targets many services for credential theft and can create administrator users, implant webshells, and send out spam SMS to customers of U.S. carriers.

The tool uses an array of methods to retrieve credentials from misconfigured web servers, and it exploits known PHP vulnerabilities to register a webshell on the targeted endpoint or perform remote code execution to give the attacker full access to the server.


Indicators of Compromise

SHA256
fcd95a68cd8db0199e2dd7d1ecc4b7626532681b41654519463366e27f54e65a
42109b61cfe2e1423b6f78c093c3411989838085d7e6a5f319c6e77b3cc462f3
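The two SHA256 hashes above are the kind of indicator a responder matches against files on disk. The following is an added example, not code from the report or from Cado, of a small hash-based IoC scanner: it streams each regular file under a directory through SHA256, compares the digest against the indicator set, and returns the matches. The indicator set is taken from the list above; the sample files the demo creates are constructed for illustration, and the extra "marker" digest the demo seeds into the set is an assumption made only so the positive path can be shown offline.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set

# SHA256 indicators for Legion, copied from the list above.
LEGION_SHA256: Set[str] = {
    "fcd95a68cd8db0199e2dd7d1ecc4b7626532681b41654519463366e27f54e65a",
    "42109b61cfe2e1423b6f78c093c3411989838085d7e6a5f319c6e77b3cc462f3",
}

CHUNK_SIZE = 1024 * 1024  # read files in 1 MiB chunks so large files don't load into memory


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA256 of an in-memory buffer (used for small samples and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hex SHA256 of a file, computed incrementally."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def is_ioc(digest: str, iocs: Set[str] = LEGION_SHA256) -> bool:
    """Normalise case/whitespace before lookup; feeds often mix upper- and lower-case hex."""
    return digest.strip().lower() in iocs


def scan_tree(root: str, iocs: Set[str] = LEGION_SHA256) -> Dict[str, str]:
    """Return {path: digest} for every regular file under root whose SHA256 is an indicator.

    Symlinks are skipped so a scan cannot be steered outside the tree, and files that
    disappear or cannot be read mid-scan are ignored rather than aborting the run.
    """
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if is_ioc(digest, iocs):
                hits[path] = digest
    return hits


def demo() -> Dict[str, str]:
    """Build a constructed sample tree and scan it.

    Two benign files must not match. A third file, marker.bin, is hashed and its digest
    added to the indicator set (an assumption for the demo only) so the positive path runs.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "www", "uploads"))
        benign = [
            (os.path.join(root, "www", "index.php"), b"<?php echo 'hello'; ?>\n"),
            (os.path.join(root, "www", "uploads", "notes.txt"), b"constructed benign content\n"),
        ]
        for path, content in benign:
            with open(path, "wb") as f:
                f.write(content)

        marker_path = os.path.join(root, "www", "uploads", "marker.bin")
        marker_content = b"constructed sample flagged only for this demo\n"
        with open(marker_path, "wb") as f:
            f.write(marker_content)

        iocs = set(LEGION_SHA256) | {sha256_of_bytes(marker_content)}
        return scan_tree(root, iocs)


if __name__ == "__main__":
    for path, digest in demo().items():
        print(f"IOC match: {path} {digest}")
```

In a real response the indicator set would be loaded from the feed rather than hard-coded, and hits should be treated as a trigger for triage (isolate the host, collect the file, check web-server and cPanel logs for the access that put it there), not as the whole investigation.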