Security researchers have uncovered Legion, a Python-based hacking tool sold through Telegram that is used to compromise a range of online services for further abuse.
Specialists from Cado Labs found that Legion contains modules for exploiting unpatched Apache versions, scanning for unprotected SMTP servers, launching remote code execution attacks, brute-forcing cPanel and WHM accounts, and interfacing with the Shodan API and AWS services.
What’s Inside the Malware
The tool closely resembles AndroxGh0st, another malware family, and belongs to a new generation of cloud-focused credential harvesting and spamming tools. It targets web servers running a CMS, PHP, or PHP-based frameworks such as Laravel, and exfiltrates stolen data through Telegram. Developers of such tools frequently copy each other's code, which makes attributing the malware's origin difficult.
According to Cado Labs' report, Legion can harvest login credentials for a variety of online services, including email, cloud platforms, databases, and payment gateways such as PayPal and Stripe. Among the services it targets are SendGrid, Twilio, Nexmo, AWS, and Mailgun.
The software exploits misconfigured web servers to obtain AWS credentials and sends spam SMS messages to subscribers of major US mobile carriers such as AT&T, Sprint, T-Mobile, Verizon, and Virgin.
The Goal of the Hacker’s Tool
The malware's primary objective is to abuse compromised service infrastructure for follow-on attacks, such as large-scale spam campaigns and opportunistic phishing.
Investigators also found a YouTube channel, created on June 15, 2021, that hosts instructional videos about Legion.
Experts infer that “the software is extensively distributed and is presumably a paid malicious software.” The whereabouts of the tool's creator, who uses the handle forzatools on Telegram, remain unknown, although comments written in Indonesian within the code suggest the developer may be Indonesian or based in that country.