Chasing Androxgh0st: Attribution in an Open-Source Cloud Malware Ecosystem

Alex Delamotte

Androxgh0st is a Python class that parses web server environment (.env) files for secrets. First seen on GitHub in 2020, the code has since been integrated by countless actors into their own tools, including more robust toolsets such as the AlienFox, Legion, and Predator cloud infostealers. Despite each actor's efforts to hide their tool's source code, these tools are ultimately cracked and the source code is redistributed through public platforms, including GitHub, Pastebin, and VirusTotal.

So, how can researchers attribute tools in an open-source malware ecosystem? This talk explores the operational security profiles of these developers and how they distribute the tools. We will focus on the identifying marks developers leave embedded in the tools and where researchers can find these artifacts, including banners, help messages, and configuration files.
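As an added illustration of the artifact-driven attribution described above (this is example code written for this page, not code from the talk or from any of the tools it names), the script below walks Python tool sources with the standard `ast` module, pulls out the three artifact classes the abstract lists (banner-style module constants, argparse description and help strings, and Telegram-style handles or links), and reports which artifacts recur across files. The three source files are constructed stand-ins for cracked tools recovered from paste sites; the handles and channel names in them are fictitious, and the handle regex is an assumption about how such contact details usually appear.

```python
"""Extract attribution artifacts from Python tool sources and find the ones
shared across files. Added example; not code from the talk or the tools it names."""
import ast
import re
from collections import defaultdict

# Constructed samples standing in for cracked tool sources found on paste sites.
# All handles, channels and tool names here are fictitious.
SAMPLES = {
    "tool_a.py": '''
import argparse
BANNER = "=== EnvGrabber v2 | contact @examplehandle_tg ==="
TELEGRAM_CHANNEL = "t.me/examplechannel"
def main():
    p = argparse.ArgumentParser(description="Scan hosts for exposed .env files")
    p.add_argument("-l", "--list", help="file with target URLs")
    print(BANNER)
''',
    "tool_b.py": '''
import argparse
AUTHOR = "@examplehandle_tg"
def run():
    parser = argparse.ArgumentParser(description="Scan hosts for exposed .env files")
    parser.add_argument("--threads", help="number of worker threads")
''',
    "unrelated.py": '''
import argparse
p = argparse.ArgumentParser(description="Rotate log files")
p.add_argument("--days", help="retention in days")
''',
}

# Assumed shape of Telegram contact details: "@handle" or "t.me/handle".
HANDLE_RE = re.compile(r"(?:t\.me/|@)[A-Za-z0-9_]{5,}")


def _str_const(node) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def extract_artifacts(source: str) -> dict:
    """Return {kind: set(values)} for one Python source file.

    kinds: 'constants' (module-level UPPERCASE string assignments, where
    banners and channel links tend to live), 'help' (argparse description=
    and help= strings), 'handles' (Telegram-style contacts in any literal).
    """
    tree = ast.parse(source)
    found = {"constants": set(), "help": set(), "handles": set()}

    # Module-level constants only: iterate tree.body, not the whole tree.
    for stmt in tree.body:
        if isinstance(stmt, ast.Assign) and _str_const(stmt.value):
            if any(isinstance(t, ast.Name) and t.id.isupper() for t in stmt.targets):
                found["constants"].add(stmt.value.value)

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg in ("description", "help") and _str_const(kw.value):
                    found["help"].add(kw.value.value)
        if _str_const(node):
            found["handles"].update(HANDLE_RE.findall(node.value))
    return found


def shared_artifacts(samples: dict) -> dict:
    """Map each (kind, value) artifact to the sorted list of files carrying it,
    keeping only artifacts that appear in more than one file."""
    index = defaultdict(set)
    for name, src in samples.items():
        for kind, values in extract_artifacts(src).items():
            for value in values:
                index[(kind, value)].add(name)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


if __name__ == "__main__":
    for (kind, value), files in shared_artifacts(SAMPLES).items():
        print(f"{kind:9} {value!r} -> {', '.join(files)}")
```

Run against the constructed samples, the shared argparse description and the shared contact handle pivot `tool_a.py` and `tool_b.py` together while `unrelated.py` drops out; against real recovered sources the same pivots are the starting point for checking the Telegram channels and websites those handles lead to.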

The actors behind these tools must strike a difficult balance between marketing their tools to new buyers and maintaining anonymity. We will explore the sale of tools through Telegram channels and personal websites, and the regional nexus in Southeast Asia and Africa, where many of these developers reside.