SentinelLabs: Dissecting AlienFox - The cloud spammer’s Swiss army knife

March 2023 by SentinelLabs

SentinelLabs analysed several iterations of “AlienFox,” a new toolset that targets credentials for multiple cloud email services. AlienFox is highly modular and evolves regularly. Most of the tools are open source, meaning that actors can readily adapt and modify them to suit their needs. Many developers take credit for different iterations of the tools, and the evolution of recurring features suggests the developers are becoming increasingly sophisticated, with performance considerations at the forefront in more recent versions.

Actors use AlienFox to collect lists of misconfigured hosts from security scanning platforms, including LeakIX and SecurityTrails. They use multiple scripts in the toolset to extract sensitive information such as API keys and secrets from configuration files exposed on victims’ web servers.

Later versions of the toolset added scripts that automate malicious actions using the stolen credentials, including:
• Establishing Amazon Web Services (AWS) account persistence and privilege escalation
• Collecting send quotas and automating spam campaigns through victim accounts or services
More details of AlienFox distribution and targeting, along with a detailed analysis of the entire toolset and a comprehensive list of Indicators of Compromise, can be found in SentinelLabs’ full report.
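The two post-compromise behaviours listed above (persistence via new IAM principals or keys, then collecting SES send quotas) leave a recognisable sequence in AWS CloudTrail. The following detection is an added example written for this page, not code from SentinelLabs or the AlienFox toolset; the CloudTrail records, account id, ARNs and timestamps are constructed placeholders, and the 30-minute correlation window is an assumption to tune per environment.

```python
"""Correlate CloudTrail records that match the pattern described above:
the same principal performs an IAM persistence action and, shortly after,
queries the SES send quota (the step before a spam campaign is launched)."""
import json
from datetime import datetime, timedelta

# IAM API calls commonly used to establish persistence or escalate privilege.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                      "AttachUserPolicy"}
# SES API call used to learn how much mail the account may send.
QUOTA_EVENTS = {"GetSendQuota"}

# Constructed sample records (not real telemetry): placeholder account id and ARNs.
SAMPLE_EVENTS = json.dumps([
    {"eventTime": "2023-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/web-app"}},
    {"eventTime": "2023-03-01T10:00:20Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/web-app"}},
    {"eventTime": "2023-03-01T10:01:05Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/web-app"}},
    # Benign: a mail-operations user checks the quota with no preceding IAM change.
    {"eventTime": "2023-03-01T12:00:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mail-ops"}},
])

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def correlate(records, window=timedelta(minutes=30)):
    """Return (arn, persistence_event, quota_event) tuples where one principal
    issued a persistence call and GetSendQuota within `window` of each other."""
    by_arn = {}
    for r in sorted(records, key=lambda r: r["eventTime"]):
        by_arn.setdefault(r["userIdentity"]["arn"], []).append(r)
    alerts = []
    for arn, evs in by_arn.items():
        persist = [e for e in evs if e["eventName"] in PERSISTENCE_EVENTS]
        for q in (e for e in evs if e["eventName"] in QUOTA_EVENTS):
            for p in persist:
                delta = parse_time(q["eventTime"]) - parse_time(p["eventTime"])
                if timedelta(0) <= delta <= window:
                    alerts.append((arn, p["eventName"], q["eventName"]))
    return alerts

def alerts_from_json(text):
    """Parse a JSON array of CloudTrail records and run the correlation."""
    return correlate(json.loads(text))

if __name__ == "__main__":
    for alert in alerts_from_json(SAMPLE_EVENTS):
        print("ALERT", alert)
```

On the sample data only the `web-app` principal is flagged (twice, once per persistence call); the `mail-ops` quota check alone does not fire.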

Key points
• SentinelLabs analysed several iterations of “AlienFox,” a comprehensive toolset for harvesting credentials for multiple cloud service providers.
• Attackers use AlienFox to harvest API keys & secrets from popular services including AWS SES & Microsoft Office 365.
• AlienFox is a modular toolset primarily distributed on Telegram in the form of source code archives. Some modules are available on GitHub for any would-be attacker to adopt.
• The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for cryptomining, in order to enable and expand subsequent campaigns.
• Along with SentinelLabs’ thorough analysis of different AlienFox iterations, a full list of indicators of compromise, YARA rules, and recommendations is available in the full report.
Conclusion

The AlienFox toolset demonstrates another stage in the evolution of cybercrime in the cloud. Cloud services have well-documented, powerful APIs, enabling developers of all skill levels to readily write tooling for the service.

The toolset has gradually improved through better coding practices as well as the addition of new modules and capabilities.

Opportunistic cloud attacks are no longer confined to cryptomining: AlienFox tools facilitate attacks on minimal services that lack the resources needed for mining. By analysing the tools and tool output, SentinelLabs found that actors use AlienFox to identify and collect service credentials from misconfigured or exposed services. For victims, compromise can lead to additional service costs, loss in customer trust, and remediation costs.
