The threat actors behind the AndroxGh0st malware are now exploiting a wider set of security flaws affecting various Internet applications, as well as deploying the Mozi botnet malware.
“This botnet uses remote code execution and credential theft techniques to maintain constant access, using unpatched vulnerabilities to infiltrate critical infrastructures.” – CloudSEK said in a new report.
AndroxGh0st is the name given to a Python-based cloud attack tool known for targeting Laravel applications in order to obtain sensitive data from services such as Amazon Web Services (AWS), SendGrid, and Twilio.
Active since at least 2022, it previously exploited flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, elevate privileges, and establish permanent control over compromised systems.
Earlier this March, cyber security and intelligence services in the US revealed that attackers were deploying the AndroxGh0st malware to create a botnet to “identify victims and exploit them in targeted networks”.
The latest analysis by CloudSEK shows a strategic expansion of targeting, with the malware now exploiting a number of vulnerabilities for initial access –
- CVE-2014-2120 (CVSS Score: 4.3) – Cisco ASA WebVPN login page XSS vulnerability
- CVE-2018-10561 (CVSS Score: 9.8) – Dasan GPON Authentication Bypass Vulnerability
- CVE-2018-10562 (CVSS Score: 9.8) – Dasan GPON Team Implementation Vulnerability
- CVE-2021-26086 (CVSS Score: 5.3) – Atlassian Jira path traversal vulnerability
- CVE-2021-41277 (CVSS Score: 7.5) – GeoJSON metabase exposes local file inclusion vulnerability
- CVE-2022-1040 (CVSS Score: 9.8) – Sophos Firewall Authentication Bypass Vulnerability
- CVE-2022-21587 (CVSS Score: 9.8) – Unauthenticated Arbitrary File Download Vulnerability in Oracle E-Business Suite (EBS)
- CVE-2023-1389 (CVSS Score: 8.8) – TP-Link Archer AX21 Firmware Command Injection Vulnerability
- CVE-2024-4577 (CVSS Score: 9.8) – PHP CGI argument injection vulnerability
- CVE-2024-36401 (CVSS Score: 9.8) – GeoServer remote code execution vulnerability
“The botnet cycles through common admin usernames and uses a consistent password pattern,” the company said. “The destination URL redirects to /wp-admin/, which is the backend admin panel for WordPress sites. If the authentication is successful, he gets access to the important controls and settings of the website.’
Attackers have also been seen exploiting unauthenticated command execution bugs in Netgear DGN devices and Dasan GPON home routers to drop a payload called “Mozi.m” from various external servers (“200.124.241(.)140” and “117.215. 206( .)216”).
Mozzie is another known botnet which has a track record of hitting IoT devices to co-opt them into a malicious network to conduct distributed denial of service (DDoS) attacks.
Although the authors of the malware were arrested by Chinese law enforcement in September 2021, Mozi’s activity did not decline dramatically until August 2023, when unknown parties issued a shutdown command to eliminate the malware. It is suspected that either the creators of the botnet or the Chinese authorities distributed the update to dismantle it.
AndroxGh0st’s integration with Mozi has increased the ability to create an operational alliance, allowing it to be distributed to more devices than ever before.
“AndroxGh0st doesn’t just work with Mozi, it also embeds Mozi-specific features (such as IoT infection and propagation mechanisms) into its standard set of operations,” CloudSEK said.
“This would mean that AndroxGh0st has expanded to use Mozi’s distribution capabilities to infect more IoT devices, using Mozi’s payload to achieve targets that would otherwise require separate infection procedures.”
“If both botnets use the same command infrastructure, this indicates a high level of operational integration, possibly considering that AndroxGh0st and Mozi are controlled by the same cybercriminal group. This common infrastructure will streamline control over a wider range of devices. , increasing both the efficiency and effectiveness of their joint botnet operations.”