The cyber operators wielding AndroxGh0st malware are now orchestrating broader attacks by exploiting a wider array of vulnerabilities in internet-accessible applications, utilizing the notorious Mozi botnet as part of their enhanced offensive.
CloudSEK, a cybersecurity firm, has reported that this botnet employs advanced techniques for remote code execution and credential theft, enabling it to secure persistent footholds within compromised systems by exploiting unaddressed security weaknesses that leave crucial infrastructure exposed.
AndroxGh0st is a potent Python-driven attack framework aimed specifically at compromising cloud platforms, particularly applications built on the Laravel framework, with an intent to capture sensitive information linked to services like Amazon Web Services (AWS), SendGrid, and Twilio.
Active since at least 2022, AndroxGh0st has previously exploited vulnerabilities in Apache (CVE-2021-41773), Laravel (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to infiltrate systems, escalate privileges, and establish enduring control within compromised environments.
In March, U.S. cybersecurity and intelligence agencies disclosed that malicious actors are deploying AndroxGh0st to construct botnets aimed at reconnaissance and exploitation across selected networks.
CloudSEK’s latest findings reveal that AndroxGh0st is now strategically widening its range of targets by leveraging an array of vulnerabilities to achieve initial infiltration:
- CVE-2014-2120 (CVSS score: 4.3) – Cisco ASA WebVPN login page XSS vulnerability
- CVE-2018-10561 (CVSS score: 9.8) – Dasan GPON authentication bypass
- CVE-2018-10562 (CVSS score: 9.8) – Dasan GPON command injection
- CVE-2021-26086 (CVSS score: 5.3) – Atlassian Jira path traversal vulnerability
- CVE-2021-41277 (CVSS score: 7.5) – Metabase GeoJSON map local file inclusion vulnerability
- CVE-2022-1040 (CVSS score: 9.8) – Sophos Firewall authentication bypass
- CVE-2022-21587 (CVSS score: 9.8) – Oracle E-Business Suite arbitrary file upload vulnerability
- CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX21 firmware command injection
- CVE-2024-4577 (CVSS score: 9.8) – PHP CGI argument injection
- CVE-2024-36401 (CVSS score: 9.8) – GeoServer remote code execution vulnerability
The botnet cycles through frequently used administrative credentials, following a distinctive password format. If successful, it redirects the targeted URL to /wp-admin/, granting full access to the WordPress administrative console and its critical settings.
Additionally, these attacks exploit unauthenticated command execution flaws in certain Netgear DGN models and Dasan GPON home routers to deploy a payload termed “Mozi.m” sourced from external IP addresses (200.124.241[.]140 and 117.215.206[.]216).
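The two behaviours just described, repeated login attempts ending in access to /wp-admin/ and retrieval of Mozi.m from the two listed addresses, can be picked out of ordinary logs. The following Python is an added detection example, not code from CloudSEK or from the report; the sample log lines, the Common Log Format layout for the web server, the proxy log layout, and the "failed WordPress login re-renders the form with 200, success redirects with 302" heuristic are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample web-server access log (Common Log Format); not from the report.
ACCESS_LOG = """\
203.0.113.7 - - [05/Nov/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [05/Nov/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [05/Nov/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [05/Nov/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [05/Nov/2024:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9810
198.51.100.9 - - [05/Nov/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [05/Nov/2024:10:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9810
"""

# Constructed sample egress proxy log: "<client> <method> <url> <status>".
PROXY_LOG = """\
10.0.0.21 GET http://200.124.241.140/Mozi.m 200
10.0.0.22 GET http://example.com/index.html 200
10.0.0.23 GET http://117.215.206.216/Mozi.m 200
"""

# Payload-hosting addresses named in the report (defanged there with [.]).
MOZI_HOSTS = {"200.124.241.140", "117.215.206.216"}

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_credential_cycling(log_text, min_failed=3):
    """Per source IP, count POSTs to /wp-login.php that did not redirect (assumed
    failed attempts) and note whether the IP then reached /wp-admin/. Returns
    {ip: (failed_count, True)} for IPs with >= min_failed failures that got in."""
    failed = defaultdict(int)
    reached_admin = set()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status != "302":
            failed[ip] += 1  # heuristic: a bad password re-renders the form with 200
        elif path.startswith("/wp-admin/"):
            reached_admin.add(ip)
    return {ip: (n, True) for ip, n in failed.items()
            if n >= min_failed and ip in reached_admin}

def find_mozi_downloads(proxy_text):
    """Return (client, url) pairs where an internal host fetched Mozi.m from a listed address."""
    hits = []
    for line in proxy_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        host = re.sub(r'^https?://', '', url).split('/')[0]
        if host in MOZI_HOSTS and url.endswith('/Mozi.m'):
            hits.append((client, url))
    return hits
```

A source that succeeds on its first attempt (198.51.100.9 above) is deliberately not flagged, so the rule keys on the cycling itself rather than on admin access alone.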
Mozi, an infamous botnet that primarily targets IoT devices, coerces them into its malicious network to execute distributed denial-of-service (DDoS) attacks. Though its creators were apprehended by Chinese authorities in 2021, significant Mozi activity persisted until August 2023, when a kill-switch command—likely issued by the original developers or state authorities—rendered the botnet inactive.
The convergence of AndroxGh0st with Mozi raises speculation of a collaborative operational alignment, enabling AndroxGh0st to proliferate across a greater expanse of devices.
“AndroxGh0st isn’t merely aligning with Mozi; it’s embedding Mozi’s infection techniques for IoT systems and its dissemination mechanisms into its operational framework,” CloudSEK remarked.
This integration suggests that AndroxGh0st is leveraging Mozi’s propagation capabilities to infect an extended array of IoT devices, achieving objectives that would otherwise necessitate distinct infection procedures.
If both botnets indeed operate under a shared command infrastructure, this implies a high degree of operational synchronization, potentially under the control of a unified cybercriminal entity. Such an integrated infrastructure would amplify control over a vast network of devices, magnifying both the scope and efficacy of these coordinated botnet operations.