...A new Python-based credential harvester and SMTP hijacking tool named ‘Legion’ is being sold on Telegram that targets online email services for phishing and spam attacks.
Legion is sold by cybercriminals who use the “Forza Tools” moniker and operate a YouTube channel with tutorials and a Telegram channel with over a thousand members.
...
Legion is modular malware which, according to Cado, is likely based on the AndroxGh0st malware and features modules to perform SMTP server enumeration and remote code execution, exploit vulnerable Apache versions, brute-force cPanel and WebHost Manager accounts, interact with Shodan’s API, and abuse AWS services.
The tool targets many services for credential theft, including Twilio, Nexmo, Stripe/PayPal (payment API function), AWS console credentials, AWS SNS, S3 and SES specific, Mailgun, and database/CMS platforms.