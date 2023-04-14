Cado Labs researchers have found a new Python-based credential harvester and hack tool known as “Legion.”

Legion is not a self-propagating virus but a hacking toolkit: it was spotted being distributed on Telegram and is built to exploit a wide range of online services.

Legion provides modules for enumerating vulnerable SMTP servers, performing remote code execution (RCE), exploiting vulnerable versions of Apache, brute-forcing cPanel and WebHost Manager (WHM) accounts, and querying Shodan's API to build a target list.


About Legion

Legion's main focus is email abuse, and many of its utilities revolve around abusing Amazon Web Services. At the time of writing, the sample has six detections on VirusTotal. The analysed sample is a 21,015-line Python 3 script that integrates with services such as Twilio and Shodan and includes Telegram support: the results of each module can be posted into a chat via the Telegram Bot API.

The tool appears to be distributed via a public Telegram group; at one point the group owner warned members that one of the users, myl3gion, was a scammer who had been circulating a sample of Legion illegitimately. Cado Labs researchers also found a YouTube account hosting Legion tutorial videos, which suggests the tool is fairly widely distributed and is most likely sold as a paid product rather than leaked once.

How does it work?

Legion targets web servers running content management systems (CMS), PHP, or PHP-based frameworks. It uses regular-expression patterns to extract credentials for a range of services from those servers: email providers, cloud providers (AWS), server-management panels, databases, and payment services such as PayPal. The harvested credentials are then used to abuse those services for large-scale spam campaigns. Beyond harvesting, the tool can install webshells, brute-force cPanel and AWS accounts, and send SMS messages to lists of generated US mobile numbers.
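The following is an added example, not code from Legion or from Cado Labs, that shows the regex-harvesting technique described above from the defender's side: run the same kind of patterns over your own web root to see which exposed config files would hand credentials to a tool like Legion. The AWS, Twilio and Stripe key formats are publicly documented; the SMTP and PayPal patterns, the file names searched, and the sample file contents are assumptions constructed for this example (the AWS and Stripe values are the vendors' own documented placeholder keys).

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Credential classes from the article's target list. AWS/Twilio/Stripe formats
# are the vendors' documented formats; the SMTP and PayPal patterns are
# assumptions keyed on common config variable names, not Legion's own regexes.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "twilio_account_sid": re.compile(r"\b(AC[0-9a-fA-F]{32})\b"),
    "stripe_secret_key": re.compile(r"\b(sk_(?:live|test)_[0-9a-zA-Z]{24,})\b"),
    "smtp_credentials": re.compile(
        r"(?i)(?:mail|smtp)[_-]?(?:username|user|password|pass)\s*[=:]\s*['\"]?([^\s'\";]+)"
    ),
    "paypal_client_id": re.compile(
        r"(?i)paypal[_-]?client[_-]?id\s*[=:]\s*['\"]?([^\s'\";]+)"
    ),
}

# Constructed sample files standing in for a Laravel-style .env and a PHP config.
SAMPLE_FILES: Dict[str, str] = {
    "/var/www/app/.env": (
        "APP_ENV=production\n"
        "MAIL_HOST=smtp.example.com\n"
        "MAIL_USERNAME=noreply@example.com\n"
        "MAIL_PASSWORD=S3cr3t-mail-pass\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "TWILIO_SID=ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
        "STRIPE_SECRET=sk_test_4eC39HqLyjWDarjtT1zdp7dc\n"
    ),
    "/var/www/app/config/config.php": (
        "<?php\n"
        "$paypal_client_id = 'AbCdEf-paypal-client-id-example';\n"
        "$db_password = 'not-matched-by-these-patterns';\n"
    ),
}


@dataclass
class Finding:
    path: str
    kind: str
    value: str

    def masked(self) -> str:
        # Keep a short prefix for triage; never log the full secret.
        return self.value[:4] + "*" * max(0, len(self.value) - 4)


def harvest(path: str, content: str) -> List[Finding]:
    """Apply every pattern to one file's content and return all matches."""
    findings: List[Finding] = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(content):
            findings.append(Finding(path, kind, m.group(1)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, content in files.items():
        out.extend(harvest(path, content))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def scan_directory(root: str, names=(".env", "config.php", "wp-config.php")) -> List[Finding]:
    """Walk a real web root (e.g. /var/www) and apply the same patterns to
    files with the given names; the name list is an assumption for this example."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name in names:
                p = os.path.join(dirpath, name)
                try:
                    with open(p, "r", errors="replace") as fh:
                        files[p] = fh.read()
                except OSError:
                    continue
    return scan_files(files)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}: {f.kind} = {f.masked()}")
```

Anything this turns up is reachable to an attacker only if the file itself is served or readable, so the fix is to block web access to .env and config files and rotate every key the scan reports, not to tune the patterns.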

Who is affected?

The full list of services whose credentials Legion harvests and abuses is below:

Twilio

Nexmo

Stripe/PayPal (payment API function)

AWS console credentials

AWS SNS, S3, and SES specific credentials

Mailgun

Plivo

Clicksend

Mandrill

Mailjet

MessageBird

Vonage

Exotel

OneSignal

Clickatell

TokBox

SMTP credentials

Database administration and CMS credentials (cPanel, WHM, phpMyAdmin)

To send SMS messages, Legion targets the following US mobile carriers:

Alltel

Amp’d Mobile

AT&T

Boost Mobile

Cingular

Cricket

Einstein PCS

Sprint

SunCom

T-Mobile

VoiceStream

US Cellular

Verizon

Virgin
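Because the SMS abuse runs through stolen SMTP credentials, a mail relay owner can spot it in outbound logs. The following is an added detection example, not code from Legion or from the Cado Labs write-up: it flags any sender that relays a burst of messages to carrier email-to-SMS gateway domains. The article does not say how Legion reaches the carriers listed above, so the gateway route and the gateway domains used here are assumptions to be checked against the carriers' published addresses, and the log format and log lines are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Set, Tuple

# Carrier names come from the article; the gateway domains are ASSUMPTIONS for
# this example and must be verified against each carrier's published addresses.
SMS_GATEWAY_DOMAINS: Dict[str, str] = {
    "txt.att.net": "AT&T",
    "vtext.com": "Verizon",
    "tmomail.net": "T-Mobile",
    "messaging.sprintpcs.com": "Sprint",
    "sms.myboostmobile.com": "Boost Mobile",
    "email.uscc.net": "US Cellular",
    "vmobl.com": "Virgin",
    "sms.cricketwireless.net": "Cricket",
}

# Constructed, simplified outbound-mail log format used for this example:
#   <ISO timestamp> from=<sender> to=<recipient> status=<sent|bounced>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+from=<(?P<from>[^>]+)>\s+to=<(?P<to>[^>]+)>\s+status=(?P<status>\w+)"
)

# Constructed log: one legitimate alert sender and one compromised account
# spraying generated 10-digit numbers across several carrier gateways.
SAMPLE_LOG: List[str] = """\
2023-04-12T10:00:00Z from=<alerts@example.com> to=<2025550143@vtext.com> status=sent
2023-04-12T10:00:05Z from=<noreply@example.com> to=<2025550101@txt.att.net> status=sent
2023-04-12T10:00:06Z from=<noreply@example.com> to=<2025550102@vtext.com> status=sent
2023-04-12T10:00:07Z from=<noreply@example.com> to=<billing@example.org> status=sent
2023-04-12T10:00:08Z from=<noreply@example.com> to=<2025550103@tmomail.net> status=sent
2023-04-12T10:00:09Z from=<noreply@example.com> to=<2025550104@messaging.sprintpcs.com> status=bounced
2023-04-12T10:00:10Z from=<noreply@example.com> to=<2025550105@vmobl.com> status=sent
2023-04-12T10:00:11Z from=<noreply@example.com> to=<2025550106@sms.myboostmobile.com> status=sent
2023-04-12T10:05:00Z from=<alerts@example.com> to=<2025550143@vtext.com> status=sent
""".splitlines()


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["from"], m["to"].lower(), m["status"]


def gateway_for(recipient: str) -> Optional[str]:
    """Return the carrier name if the recipient domain is a known SMS gateway."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return SMS_GATEWAY_DOMAINS.get(domain)


def detect_sms_bursts(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Return (sender, first_ts, count, carriers) for each sender that relays at
    least `threshold` messages to SMS gateways within `window`. Bounced
    attempts count too: the spray itself is the signal, not its success."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # sender -> timestamps
    carriers: Dict[str, Set[str]] = defaultdict(set)
    alerts = []
    alerted: Set[str] = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, rcpt, _status = parsed
        carrier = gateway_for(rcpt)
        if carrier is None:
            continue  # ordinary mail, not SMS-gateway traffic
        q = recent[sender]
        q.append(ts)
        carriers[sender].add(carrier)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and sender not in alerted:
            alerted.add(sender)
            alerts.append((sender, q[0], len(q), sorted(carriers[sender])))
    return alerts


if __name__ == "__main__":
    for sender, first, count, used in detect_sms_bursts(SAMPLE_LOG):
        print(f"ALERT {sender}: {count} SMS-gateway messages since {first} via {used}")
```

The threshold and window are deliberately low for the constructed log; in production, baseline them per sender, since a legitimate alerting account may page a handful of on-call numbers through the same gateways.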

How to know if you are infected

Here is a list of things to look out for to see whether your servers or accounts have been compromised by Legion.