Published April 3, 2023
Author: Ash Khan

AlienFox is a troubling development in cloud attacks, which until recently were largely limited to cryptocurrency mining. It is a rapidly evolving toolkit used to compromise email and web hosting services.

The cybersecurity website reports that the toolkit is advertised on Telegram for breaking into improperly configured hosts on cloud service platforms, where it harvests private data such as API credentials and other secrets.

According to the director of threat research, it is a comparatively new development in opportunistic cloud attacks.

AlienFox's tools make attacks on resource-poor, minimally configured services possible. The researchers found that attackers use it to locate and collect service credentials from exposed or misconfigured services; they established this by analysing the tools and their output. For victims, compromise can mean higher service bills, a loss of customer confidence and higher remediation costs.

It can also pave the way for further criminal activity. Scripts in later versions of AlienFox escalate privileges in AWS accounts and establish persistence using the stolen credentials, among other malicious operations; another script runs spam campaigns through the victims' accounts and services.
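The privilege-escalation and persistence step described above leaves a recognisable trail in AWS CloudTrail: one principal creates a new IAM user, gives it an access key or console password, and attaches a broad policy, all within minutes. The detector below is an added illustration written for this article, not code from the AlienFox toolkit or from SentinelOne; it runs over constructed CloudTrail-shaped events (the account ID and user names are placeholders) and flags that burst per calling principal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# IAM API calls that, chained by one principal in a short window, look like a
# stolen credential being converted into a separately keyed, durable foothold.
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
}
# Attaching this managed policy to a freshly created user is a strong signal.
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def parse_time(stamp):
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2023-03-01T10:15:02Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def _params(event):
    """requestParameters can be absent or null; treat both as empty."""
    return event.get("requestParameters") or {}


def flag_persistence(events, window_minutes=15):
    """Return one finding per principal that creates an IAM user and gives it
    credentials (access key or console password) within window_minutes, and
    note whether an administrator policy was attached in the same burst."""
    by_actor = defaultdict(list)
    for ev in events:
        if (ev.get("eventSource") == "iam.amazonaws.com"
                and ev.get("eventName") in PERSISTENCE_EVENTS):
            by_actor[ev["userIdentity"]["arn"]].append(ev)

    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        created = {_params(e).get("userName") for e in evs if e["eventName"] == "CreateUser"}
        keyed = {_params(e).get("userName") for e in evs
                 if e["eventName"] in ("CreateAccessKey", "CreateLoginProfile")}
        new_users = created & keyed
        if not new_users:
            continue
        # Span of this actor's IAM persistence activity, first to last event.
        span = parse_time(evs[-1]["eventTime"]) - parse_time(evs[0]["eventTime"])
        if span > timedelta(minutes=window_minutes):
            continue
        admin = any(_params(e).get("policyArn") == ADMIN_POLICY for e in evs)
        findings.append({
            "actor": actor,
            "new_users": sorted(new_users),
            "admin_policy_attached": admin,
            "span_minutes": round(span.total_seconds() / 60, 1),
        })
    return findings


# Constructed sample events in CloudTrail's JSON shape (not real telemetry).
ACCOUNT = "123456789012"  # placeholder account ID
DEPLOY_KEY = {"arn": f"arn:aws:iam::{ACCOUNT}:user/web-deploy"}  # a key a web host would hold
IT_ADMIN = {"arn": f"arn:aws:iam::{ACCOUNT}:user/it-admin"}
SAMPLE_EVENTS = [
    {"eventTime": "2023-03-01T10:15:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": DEPLOY_KEY,
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-03-01T10:15:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": DEPLOY_KEY,
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-03-01T10:16:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "userIdentity": DEPLOY_KEY,
     "requestParameters": {"userName": "backup-svc", "policyArn": ADMIN_POLICY}},
    # Routine onboarding by an administrator: a user is created, no key issued.
    {"eventTime": "2023-03-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": IT_ADMIN,
     "requestParameters": {"userName": "new-hire"}},
    # Non-IAM activity from the same deploy key; ignored by this rule.
    {"eventTime": "2023-03-01T10:20:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendEmail", "userIdentity": DEPLOY_KEY, "requestParameters": None},
]


def demo():
    return flag_persistence(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the same logic would read the events from a CloudTrail S3 delivery or CloudWatch Logs rather than a list; the rule deliberately keys on the calling principal rather than the created user, because a key stolen from a web host (as in the article) shows up as an existing, trusted identity doing unusual IAM work.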

Servers with configuration issues

Attackers can gather lists of misconfigured hosts using AlienFox together with scanning services such as LeakIX and SecurityTrails. This reflects a trend among threat actors of folding legitimate security tools into their operations, the most notorious example being the threat emulation tool Cobalt Strike.

The toolkit's scripts extract private data from servers that are typically misconfigured on cloud platforms such as Amazon Web Services and Microsoft Office 365. Although AlienFox can be applied to a variety of online services, the researchers note that it mainly targets cloud-based and software-as-a-service (SaaS) email hosting services.

Most of the exploited configuration errors relate to popular web platforms such as Laravel, Drupal, WordPress and OpenCart. The AlienFox scripts that check cloud services take as input a catalogue of targets produced by separate scripts such as grabipe.py and grabsite.py. Those targeting scripts use the web APIs of open-source intelligence platforms and brute-force enumeration of IP addresses and subnets.

Once a vulnerable site is found, the attackers move in for confidential data. The scripts target tokens and other secrets from more than a dozen cloud services, including Google Workspace, Nexmo, Twilio and OneSignal in addition to AWS and Office 365.
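From the defender's side, the sweep described in this section (targeting scripts enumerating hosts, then harvesting configuration secrets from misconfigured web platforms) is visible in ordinary web server access logs. The script below is an added example for this article, not part of AlienFox or of the researchers' tooling; it parses constructed combined-format log lines, reports clients that probe several configuration or secret files, and separately reports any such file the server actually served with a body, which indicates the host itself is misconfigured whoever asked. The watch list of paths is an assumed, illustrative set for the platforms the article names, not an exhaustive one.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed watch list: files that hold configuration or secrets for the platforms
# named in the article. Extend it to match what your own deployment contains.
WATCHED_PATHS = {
    "/.env": "Laravel environment file (database, mail and API credentials)",
    "/.git/config": "exposed git metadata",
    "/wp-config.php.bak": "WordPress configuration backup",
    "/config.php.bak": "OpenCart/PHP configuration backup",
    "/sites/default/settings.php": "Drupal settings",
}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop any query string
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def audit_access_log(lines, probe_threshold=2):
    """Answer two questions: which clients are sweeping for watched files,
    and which watched files the server served (HTTP 200 with a non-empty body)."""
    probes = defaultdict(set)   # client IP -> watched paths it requested
    served = defaultdict(set)   # watched path -> client IPs that received it
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in WATCHED_PATHS:
            continue
        probes[rec["ip"]].add(rec["path"])
        if rec["status"] == 200 and rec["size"] > 0:
            served[rec["path"]].add(rec["ip"])
    scanners = {ip: sorted(paths) for ip, paths in probes.items()
                if len(paths) >= probe_threshold}
    exposed = {path: sorted(ips) for path, ips in served.items()}
    return {"scanners": scanners, "exposed": exposed}


# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Apr/2023:09:12:01 +0000] "GET /.env HTTP/1.1" 200 742 "-" "python-requests/2.28"',
    '203.0.113.7 - - [03/Apr/2023:09:12:02 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "python-requests/2.28"',
    '203.0.113.7 - - [03/Apr/2023:09:12:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "python-requests/2.28"',
    '198.51.100.20 - - [03/Apr/2023:09:30:15 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [03/Apr/2023:09:30:16 +0000] "GET /.env?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def demo():
    return audit_access_log(SAMPLE_LOG)


if __name__ == "__main__":
    result = demo()
    for ip, paths in result["scanners"].items():
        print(f"scanner {ip}: {', '.join(paths)}")
    for path, ips in result["exposed"].items():
        print(f"EXPOSED {path} ({WATCHED_PATHS[path]}) served to {', '.join(ips)}")
```

The "exposed" list is the finding that matters most: a 403 or 404 on these paths is just noise from the scanning described in the article, while a 200 with a body means credentials have already left the server and should be rotated, not merely blocked.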

Extremely flexible threat

AlienFox is a highly flexible, modular toolkit built from open-source components. Some of its modules are also available on GitHub, which leads to continual modification and numerous variants.

More recent iterations place greater emphasis on performance, as shown by features that recur across the toolkit.

Data security experts are also concerned that it poses a serious threat given the huge amounts of confidential data stored in cloud-based email systems.

The rise of toolkits like AlienFox highlights the growing complexity of attacker networks and their combined capacity for damage and disruption. The attackers behind it are modifying the tool to succeed against more targets, particularly the services businesses use most.

So far three versions

SentinelOne has so far identified three different variants of AlienFox, the earliest of which was discovered in February 2022. Some of the scripts discovered have been classified as malware families by other researchers.

It is also important to note that all of the SES-abusing toolkits we looked at target sites running the Laravel PHP framework, which means that Laravel is especially prone to vulnerabilities or misconfigurations, the author noted.

The organisation of AlienFox v4 differs from previous versions; for instance, each tool carries a numeric identifier such as Tool1 and Tool2. Some new tools also indicate that the developers are either seeking new users or expanding the functionality of existing toolkits. One, for instance, checks whether email addresses are linked to Amazon shopping accounts and, if not, uses the address to register a fresh Amazon account; another generates Bitcoin and Ethereum wallet keys. Given its continuing development, AlienFox is likely to be around for a while.

Cloud services expose strong, well-documented APIs, which lets programmers of all skill levels easily build tooling against them. The toolset has steadily improved, with better coding practices as well as the addition of new components and capabilities.