Some targeted credentials don't seem to be directly tied to spam but could be used to support the attackers' operations, such as databases and web hosting administration panels.
The end goal of the attackers who use Legion is to launch mass spam campaigns via email and SMS using hijacked Simple Mail Transfer Protocol (SMTP) credentials. Some of the cloud platform credentials targeted also seem to be tied to this end goal. For example, collected AWS IAM credentials are tested to see if they work with the Amazon Simple Email Service (SES). Some services also provide email-to-SMS functionality via SMTP, and Legion contains a script for sending SMS in this way to most US mobile carriers. Other services targeted by Legion's credential harvesting functionality include Twilio, Nexmo, Stripe/PayPal, AWS console credentials, AWS SNS, S3- and SES-specific credentials, Mailgun, Plivo, Clicksend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and Tokbox. The tool also attempts to brute-force credentials for SendGrid, a platform for email marketing.
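The article describes harvested AWS IAM credentials being tested against SES before they are used for spam. From the defender's side, that test shows up in CloudTrail as SES activity from an access key that has no history of sending mail, often a quota or account read followed almost immediately by a send. The following is an added detection example written for this article, not code from Cado, Lacework or the malware itself. It assumes CloudTrail's standard JSON record shape; the log lines, access key IDs and the "known sender" baseline are all constructed, and the list of SES actions treated as probes is an assumption (the article names no specific API calls).

```python
"""Flag SES activity from IAM access keys with no prior mail-sending history.

Added example for this article (not Cado/Lacework code). Assumes standard
CloudTrail JSON records; all sample data below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

# SES actions an intruder would plausibly call to learn whether a key can send mail.
# Assumption: the article does not state which calls Legion makes.
SES_READ_PROBES = {"GetSendQuota", "GetAccount", "ListIdentities"}
SES_SEND_ACTIONS = {"SendEmail", "SendRawEmail"}

# Constructed CloudTrail-style records (one JSON object per line, trimmed to the
# fields used here). Key ...0001 is an established newsletter sender; key ...0002
# belongs to a deployment user that has never touched SES before.
SAMPLE_LOG = """\
{"eventTime":"2023-05-03T10:01:12Z","eventSource":"ses.amazonaws.com","eventName":"SendEmail","userIdentity":{"type":"IAMUser","userName":"newsletter-svc","accessKeyId":"AKIAEXAMPLE00000001"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2023-05-03T10:05:44Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","userIdentity":{"type":"IAMUser","userName":"webapp-deploy","accessKeyId":"AKIAEXAMPLE00000002"},"sourceIPAddress":"198.51.100.77"}
{"eventTime":"2023-05-03T10:05:46Z","eventSource":"ses.amazonaws.com","eventName":"SendRawEmail","userIdentity":{"type":"IAMUser","userName":"webapp-deploy","accessKeyId":"AKIAEXAMPLE00000002"},"sourceIPAddress":"198.51.100.77"}
{"eventTime":"2023-05-03T10:06:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","userName":"webapp-deploy","accessKeyId":"AKIAEXAMPLE00000002"},"sourceIPAddress":"198.51.100.77"}
"""

# Placeholder baseline: keys that are expected to use SES (normally built from history).
KNOWN_SES_KEYS = {"AKIAEXAMPLE00000001"}

# Maximum gap between a quota/account read and a send that we treat as "probe then send".
PROBE_WINDOW_SECONDS = 300


def parse_cloudtrail(text):
    """Parse newline-delimited CloudTrail JSON records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_new_ses_senders(events, known_keys, window=PROBE_WINDOW_SECONDS):
    """Return {accessKeyId: finding} for non-baselined keys that touch SES.

    Each finding records the user name, source IPs, the ordered SES event names,
    and whether a read probe was followed by a send within `window` seconds.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "ses.amazonaws.com":
            continue
        name = ev.get("eventName")
        if name not in SES_READ_PROBES and name not in SES_SEND_ACTIONS:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key and key not in known_keys:
            by_key[key].append(ev)

    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        probe_then_send = False
        last_probe = None
        for ev in evs:
            if ev["eventName"] in SES_READ_PROBES:
                last_probe = _ts(ev)
            elif last_probe is not None and (_ts(ev) - last_probe).total_seconds() <= window:
                probe_then_send = True
        findings[key] = {
            "user": evs[0].get("userIdentity", {}).get("userName"),
            "source_ips": sorted({e.get("sourceIPAddress") for e in evs}),
            "events": [e["eventName"] for e in evs],
            "probe_then_send": probe_then_send,
        }
    return findings


if __name__ == "__main__":
    for key, f in find_new_ses_senders(parse_cloudtrail(SAMPLE_LOG), KNOWN_SES_KEYS).items():
        print(f"{key} ({f['user']}) from {f['source_ips']}: {f['events']} "
              f"probe-then-send={f['probe_then_send']}")
```

In practice the baseline would be derived from 30 to 90 days of prior SES usage rather than a hard-coded set, and a hit on a key that normally only deploys code is a strong signal that the key has leaked, whatever the attacker's tooling. Rotating the key and checking where it was stored (application `.env` files are a common source) follows from the finding.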
Nevertheless, the new improved sample analyzed by Cado had zero detections on the multi-engine scan site VirusTotal, meaning its developers are well versed in evading detection. The Cado researchers first documented Legion's capabilities last month, but the malware seems similar to a tool that researchers from Lacework analyzed in December and dubbed AndroxGh0st.

- Deploying webshells
- Other tools for abusing AWS services
- Brute-forcing cPanel and WebHost Manager (WHM) accounts
- Exploiting vulnerable versions of Apache
- Launching remote code execution (RCE) exploits against web applications