
Androxgh0st Botnet Adopts Mozi Payloads, Expands IoT Reach

Illustration of Androxgh0st botnet attacking IoT devices, showing network vulnerabilities and cyberattack elements.

Introduction to the Androxgh0st Botnet’s Expansion

CloudSEK’s Threat Research team recently published a report uncovering that the Androxgh0st botnet, active since January 2024, has started targeting web servers and exploiting vulnerabilities to infiltrate systems.

The findings reveal that Androxgh0st is deploying payloads originally from the Mozi botnet, raising concerns about a potential operational alliance that may expand the scope of IoT-based attacks.

Exploiting High-Profile Vulnerabilities in Major Technologies

According to CloudSEK’s investigation, Androxgh0st leverages multiple vulnerabilities found in high-profile technologies, including Cisco ASA, Atlassian JIRA, and several PHP frameworks.

By exploiting these vulnerabilities, attackers can gain unauthorized access and execute remote code, maintaining persistent control over compromised systems.

US CISA Advisory on Androxgh0st Threat

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in early 2024, alerting organizations to Androxgh0st’s capabilities for systematic exploitation across a variety of Common Vulnerabilities and Exposures (CVEs).

Key CVEs Used by Androxgh0st to Infiltrate Systems

Androxgh0st has been observed exploiting specific CVEs to infiltrate systems, including:

  • PHP CVE-2017-9841 in PHPUnit: Allows backdoor access to websites.
  • Laravel CVE-2018-15133: Enables encrypted code execution, compromising security.
  • Apache CVE-2021-41773: Allows path traversal attacks, exposing sensitive directories.
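For a defender, the practical question behind the list above is whether these exploit attempts are showing up in web-server logs and whether any of them succeeded. The following Python script is an added example, not code from the article or from CloudSEK: it scans combined-format access-log lines for request paths matching simple signatures for two of the named CVEs, plus a `.env` probe rule that stands in for CVE-2018-15133 (whose exploitation depends on a leaked Laravel APP_KEY, so the precursor probe is what a log actually shows). The signatures and the sample log lines are constructed for this example from the public CVE descriptions and are not indicators published on the page; treat them as a starting point to tune, not a complete rule set.

```python
"""Flag access-log lines that match exploit attempts for the CVEs the article names.

Signatures are constructed for this example from public CVE descriptions (assumption),
not from the article. Log lines below are likewise constructed sample data.
"""
import re
from collections import Counter
from typing import NamedTuple, Optional


class Hit(NamedTuple):
    cve: str
    client: str
    request: str
    reachable: bool  # True when the server answered 2xx, i.e. the probed target existed


# Apache/Nginx "combined" log format: client ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) '
)

SIGNATURES = {
    # CVE-2017-9841: PHPUnit's eval-stdin.php should never be web-reachable in production.
    "CVE-2017-9841": re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I),
    # CVE-2021-41773: Apache 2.4.49 path traversal via URL-encoded dot segments.
    "CVE-2021-41773": re.compile(r"(?:\.%2e|%2e\.|%2e%2e)/", re.I),
    # Assumption: a request for the Laravel .env file is the usual precursor to
    # abusing CVE-2018-15133, which needs the APP_KEY that .env contains.
    "Laravel .env probe": re.compile(r"(?:^|/)\.env(?:$|\?)", re.I),
}

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2024:08:01:12 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2024:08:01:13 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2024:08:02:40 +0000] "GET /.env HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2024:08:02:41 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 400 226 "-" "curl/8.0"
192.0.2.9 - - [10/Nov/2024:08:03:00 +0000] "GET /index.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit if the request path matches any signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    path = m.group("path")
    for label, rx in SIGNATURES.items():
        if rx.search(path):
            reachable = m.group("status").startswith("2")
            return Hit(label, m.group("client"), f"{m.group('method')} {path}", reachable)
    return None


def scan_log(text: str) -> list:
    """Scan a whole log body and return all hits in log order."""
    return [h for h in map(scan_line, text.splitlines()) if h is not None]


def offenders(hits: list) -> dict:
    """Count flagged requests per client so repeat scanners stand out."""
    return dict(Counter(h.client for h in hits))


def reachable_hits(hits: list) -> list:
    """Hits where the server returned 2xx: these need incident handling, not just blocking."""
    return [h for h in hits if h.reachable]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.cve:20} {h.client:14} {'REACHABLE' if h.reachable else 'probe    '} {h.request}")
    print("per-client counts:", offenders(found))
```

The status-code split is the part worth keeping even if the signatures change: a 404 on `eval-stdin.php` is scanner noise to block and count, while a 2xx on the same path means the file is deployed and reachable, which the article's "patch vulnerabilities" recommendation turns into an immediate removal-and-investigation task.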

Androxgh0st’s IoT Focus and Potential Alliance with Mozi Botnet

Further analysis by CloudSEK suggests that Androxgh0st is targeting IoT devices, a tactic historically associated with the Mozi botnet, which primarily impacted routers and DVRs across regions such as China, India, and Albania.

Reintegration of Mozi Payloads

Despite Mozi’s disruption following arrests in 2021, Androxgh0st’s recent command-and-control logs indicate the reintegration of Mozi’s IoT payloads into its botnet infrastructure. This shift expands Androxgh0st’s infection network and heightens the threat to IoT environments.

Recommendations to Mitigate Androxgh0st Threat

To mitigate the risks posed by Androxgh0st, CloudSEK recommends organizations adopt the following measures:

  • Patch Vulnerabilities: Regularly update affected software to close exploitable vulnerabilities.
  • Conduct System Checks: Perform routine system checks to identify potential security threats.
  • Schedule Vulnerability Scans: Implement scheduled vulnerability scans to detect and address weaknesses.

Conclusion

The expansion of the Androxgh0st botnet through Mozi payloads poses a serious risk to IoT infrastructure. Organizations should take proactive steps to secure systems and protect against these sophisticated attacks.


Source: Infosecurity-magazine.com
