Everything you need to know about the Legion hacking tool

Published May 03, 2023 by Xiph

The digital world is always changing, which means cyber criminals must keep finding new ways to exploit the internet. A Python-based credential harvester called ‘Legion’ is the latest hacking tool trending on the dark web and Telegram. It targets a range of online services, including email and SMS text messaging. Here’s what we know about Legion so far.


What is Legion?

The Legion hacking tool is programmed to find and steal from vulnerable or exposed web servers. It uses a scraping tool to scan Shodan (a search engine of connected devices) to find misconfigured cloud servers and vulnerable simple mail transfer protocol (SMTP) servers. Legion can then hijack those servers and weaponise them for follow-on attacks, including phishing campaigns and spam attacks.

Legion’s functionality

Legion seems to primarily target web servers running content management systems (CMS) like WordPress and web development platforms. It can also send SMS text messages to launch mobile-based phishing attacks by leveraging stolen SMTP credentials and generating a list of phone numbers retrieved from online services. Various U.S. telecommunications providers have already been targeted and cyber experts believe Canada and Australia could be next.

Legion retrieves credentials from misconfigured web servers by targeting environment variable files (.env) and other configuration files that may contain credentials for SMTP (email) and SMS services. The hacking tool features modules to enumerate SMTP servers, execute code remotely, exploit vulnerable HTTP servers, conduct brute-force attacks, and interact with third-party APIs and Amazon Web Services (AWS).

In layman’s terms, Legion can extract credentials from a wide range of web services, such as email providers, cloud service providers, server management systems, databases, and even from payment providers like PayPal.
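Because Legion’s first move against a misconfigured server is a plain HTTP request for files such as /.env, those requests are visible in ordinary web-server access logs. The following script is an added example written for this article (it is not Legion’s code or any vendor’s tool): it parses combined-format log lines, flags requests for secret-bearing paths, and separates mere probing from cases where the file was actually served with a 2xx status. The log lines and the list of sensitive paths are constructed assumptions for the demo.

```python
"""Flag access-log entries that probe for exposed .env and configuration
files, the kind of request a credential harvester makes against a
misconfigured web server.

Added example for this article, not part of Legion or any vendor tool.
The log lines are constructed (Apache/nginx combined log format) and the
probe-path list is an assumption about what is worth watching.
"""
import re
from collections import defaultdict

# Combined log format: client, identd, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a legitimate visitor has no reason to request (assumed, non-exhaustive).
SENSITIVE_PATH_RE = re.compile(
    r'(^|/)(\.env(\.[\w-]+)?|\.git/|config\.php|wp-config\.php(\.bak)?|\.aws/credentials)$',
    re.IGNORECASE,
)

# Constructed sample: one host sweeping several secret paths (and getting .env
# served), one normal visitor, one single-shot probe that was rejected.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2023:10:01:12 +1000] "GET /.env HTTP/1.1" 200 412
203.0.113.7 - - [03/May/2023:10:01:13 +1000] "GET /wp-config.php.bak HTTP/1.1" 404 196
203.0.113.7 - - [03/May/2023:10:01:14 +1000] "GET /.aws/credentials HTTP/1.1" 404 196
198.51.100.20 - - [03/May/2023:10:02:01 +1000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.20 - - [03/May/2023:10:02:05 +1000] "GET /assets/app.css HTTP/1.1" 200 880
192.0.2.55 - - [03/May/2023:10:03:09 +1000] "POST /.env HTTP/1.1" 405 0
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_probes(log_text):
    """Return {client_ip: [(path, status), ...]} for every request whose path
    (query string stripped) matches a sensitive file."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SENSITIVE_PATH_RE.search(rec["path"].split("?", 1)[0]):
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


def triage(log_text, threshold=2):
    """Summarise the probes: clients that hit at least `threshold` sensitive
    paths (scanning behaviour) and any request answered with 2xx, which means
    the secret file was actually served and its contents must be treated as
    compromised."""
    hits = find_probes(log_text)
    scanners = sorted(ip for ip, reqs in hits.items() if len(reqs) >= threshold)
    served = [(ip, path) for ip, reqs in hits.items()
              for path, status in reqs if 200 <= status < 300]
    return {"scanners": scanners, "served": served, "all": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("scanning clients:", result["scanners"])
    print("secret files actually served:", result["served"])
```

A 404 for /.env is a probe worth blocking at the perimeter; a 200 is an incident, because the credentials in that file should be rotated rather than merely hidden. The same path pattern can be reused as a WAF or fail2ban rule.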

Legion: Who’s been affected?

So far, only established companies and services have been targeted, but it won’t be long before smaller firms and providers find themselves in the line of fire. Here is a list of APIs and cloud services that have already been targeted:

  • AWS console credentials
  • AWS SNS, S3, and SES specific credentials
  • Clickatell
  • Clicksend
  • Database Administration and CMS credentials (CPanel, WHM, PHPmyadmin)
  • Exotel
  • Mailgun
  • Mailjet
  • Mandrill
  • MessageBird
  • Nexmo
  • Onesignal
  • PayPal/Stripe (payment API function)
  • Plivo
  • SMTP credentials
  • Tokbox
  • Twilio
  • Vonage

Here is a list of U.S. mobile carriers that have been targeted by Legion malware:

  • Alltel
  • Amp'd Mobile
  • AT&T
  • Boost Mobile
  • Cricket
  • T-Mobile
  • US Cellular
  • Verizon
  • Virgin Mobile/Boost Mobile

Legion: Who’s behind it?

It’s not entirely clear where the Legion hacking tool originates from (or who’s behind it), although linguistic clues suggest the malware came from somewhere in Indonesia. The malware belongs to a new generation of cloud credential harvesting and spamware tools. The developers of these tools often steal code from each other, which makes attribution difficult.

The Legion malware is modular (built from separate components, each handling a different stage of an attack) and is likely based on the AndroxGhOst malware, first reported in December 2022. AndroxGhOst was part of the AlienFox toolkit, which is sold to hackers to steal API keys and data from cloud services.


Is Legion on Telegram?

Legion is being spruiked and sold on multiple Telegram channels by cyber criminals who use the moniker ‘Forza Tools’. This is not surprising considering the encrypted messaging platform has been used for nefarious activities for years. It is very much a command centre for hackers and organised crime syndicates. What’s new, however, is that those cyber criminals also had a YouTube channel with tutorials on how to execute the malware.

What’s credential harvesting?

Credential harvesting is a form of cyber attack in which an attacker gains access to servers or networks in order to steal credentials. These credentials often include usernames, passwords, email addresses, and activity logs, and they provide open access to an organisation's databases, network, and systems. Known tactics hackers use to illegally harvest credentials include social engineering, weaponised attachments and links, digital skimming, man-in-the-middle (MiTM) attacks, and DNS poisoning.

A final word

Despite advancements in password protection and multi-factor authentication (MFA), credential theft remains one of the top cyber attacks, and the discovery of Legion is just the latest example of how this type of cyber threat evolves. It further highlights the importance of reviewing existing security processes and ensuring corporate data (more specifically credential and user information) is stored and managed appropriately. If credentials are to be stored in a .env file, they should be stored outside web server directories so that they’re not accessible from the web. For more information, contact us via email: enquiries@xiphcyber.com.
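One way to check the advice above, as an added example written for this article rather than code from Legion or from any vendor: the script below walks a web document root looking for .env files (and backup copies of them) that sit where the web server could serve them, parses each one, and reports which classes of credential (SMTP, AWS, SMS gateway, payment API) it would expose, without ever printing the secret values. The demo directory layout, the .env contents, and the variable-name patterns are constructed assumptions; the pattern list is deliberately non-exhaustive.

```python
"""Audit a web document root for .env / config files that would leak the
credentials Legion goes after (SMTP, AWS, SMS-gateway and payment API keys).

Added example written for this article; it is not Legion's code and not a
vendor tool. The directory layout and .env contents are constructed for the
demo and the key-name patterns are an assumed, non-exhaustive list.
"""
import re
import tempfile
from pathlib import Path

# File names that commonly hold secrets and should never sit under a served path.
SENSITIVE_FILENAMES = re.compile(r'^(\.env(\..*)?|wp-config\.php(\.bak)?|config\.php)$')

# Variable-name patterns mapped to the service class they unlock (assumed list).
SECRET_KEY_PATTERNS = {
    "smtp": re.compile(r'^(MAIL|SMTP)_(PASSWORD|PASS|SECRET)$'),
    "aws": re.compile(r'^AWS_SECRET_ACCESS_KEY$'),
    "sms": re.compile(r'^(TWILIO|NEXMO|VONAGE|PLIVO|MESSAGEBIRD|CLICKSEND)_.*(TOKEN|SECRET|KEY)$'),
    "payment": re.compile(r'^(STRIPE|PAYPAL)_.*(SECRET|KEY)$'),
}


def parse_dotenv(text):
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional surrounding
    quotes, optional 'export ' prefix. No variable interpolation."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key] = value
    return env


def classify_secrets(env):
    """Return {service: [key, ...]} for non-empty values whose key name matches
    a known secret pattern. Only key names are reported, never values."""
    found = {}
    for key, value in env.items():
        if not value:
            continue
        for service, pattern in SECRET_KEY_PATTERNS.items():
            if pattern.match(key):
                found.setdefault(service, []).append(key)
    return found


def audit_webroot(docroot):
    """Walk the served directory; one finding per sensitive file, with the
    credential classes an attacker would obtain by fetching it over HTTP."""
    docroot = Path(docroot)
    findings = []
    for path in docroot.rglob("*"):
        if path.is_file() and SENSITIVE_FILENAMES.match(path.name):
            secrets = {}
            if path.name.startswith(".env"):
                secrets = classify_secrets(parse_dotenv(path.read_text()))
            findings.append({"file": str(path.relative_to(docroot)), "secrets": secrets})
    return findings


def build_demo():
    """Constructed project tree: .env kept outside the docroot (correct) plus a
    stray backup copy inside it (the exposure). Returns (project_root, docroot)."""
    root = Path(tempfile.mkdtemp(prefix="legion-audit-"))
    docroot = root / "public"
    (docroot / "uploads").mkdir(parents=True)
    env_text = (
        "# constructed demo values, not real credentials\n"
        "APP_NAME=demo\n"
        "MAIL_HOST=smtp.example.com\n"
        'MAIL_PASSWORD="not-a-real-password"\n'
        "AWS_SECRET_ACCESS_KEY=EXAMPLEKEY000000000000000000000000\n"
        "TWILIO_AUTH_TOKEN=00000000000000000000000000000000\n"
        "STRIPE_SECRET_KEY=\n"
    )
    (root / ".env").write_text(env_text)          # correct location: not served
    (docroot / ".env.bak").write_text(env_text)   # exposed copy under the docroot
    (docroot / "index.php").write_text("<?php echo 'ok';\n")
    return root, docroot


if __name__ == "__main__":
    _, docroot = build_demo()
    for finding in audit_webroot(docroot):
        summary = {s: len(keys) for s, keys in finding["secrets"].items()}
        print(finding["file"], "->", summary or "no parsed secrets")
```

Run against a real site with `audit_webroot("/var/www/html")` (path assumed). An empty result is the goal; any finding means the file should be moved above the document root and the credentials in it rotated, since the file may already have been fetched.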
