AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

Avatar
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. “This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures,” CloudSEK said in a
[[{“value”:”

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.

“This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures,” CloudSEK said in a new report.

AndroxGh0st is the name given to a Python-based cloud attack tool that’s known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio.

Active since at least 2022, it has previously leveraged flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.

Earlier this March, U.S. cybersecurity and intelligence agencies revealed that attackers are deploying the AndroxGh0st malware to create a botnet for “victim identification and exploitation in target networks.”

The latest analysis from CloudSEK reveals a strategic expansion of the targeting focus, with the malware now exploiting an array of vulnerabilities for initial access –

CVE-2014-2120 (CVSS score: 4.3) – Cisco ASA WebVPN login page XSS vulnerability
CVE-2018-10561 (CVSS score: 9.8) – Dasan GPON authentication bypass vulnerability
CVE-2018-10562 (CVSS score: 9.8) – Dasan GPON command injection vulnerability
CVE-2021-26086 (CVSS score: 5.3) – Atlassian Jira path traversal vulnerability
CVE-2021-41277 (CVSS score: 7.5) – Metabase GeoJSON map local file inclusion vulnerability
CVE-2022-1040 (CVSS score: 9.8) – Sophos Firewall authentication bypass vulnerability
CVE-2022-21587 (CVSS score: 9.8) – Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX21 firmware command injection vulnerability
CVE-2024-4577 (CVSS score: 9.8) – PHP CGI argument injection vulnerability
CVE-2024-36401 (CVSS score: 9.8) – GeoServer remote code execution vulnerability

“The botnet cycles through common administrative usernames and uses a consistent password pattern,” the company said. “The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings.”

The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named “Mozi.m” from different external servers (“200.124.241[.]140” and “117.215.206[.]216”).

Mozi is another well-known botnet that has a track record of striking IoT devices to co-opt them into a malicious network for conducting distributed denial-of-service (DDoS) attacks.

While the malware authors were arrested by Chinese law enforcement officials in September 2021, a precipitous decline in Mozi activity wasn’t observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It’s suspected that either the botnet creators or Chinese authorities distributed an update to dismantle it.

AndroxGh0st’s integration of Mozi has raised the possibility of a possible operational alliance, thereby allowing it to propagate to more devices than ever before.

“AndroxGh0st is not just collaborating with Mozi but embedding Mozi’s specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard set of operations,” CloudSEK said.

“This would mean that AndroxGh0st has expanded to leverage Mozi’s propagation power to infect more IoT devices, using Mozi’s payloads to accomplish goals that otherwise would require separate infection routines.”

“If both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both AndroxGh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

Texas-based oilfield supplier faces disruptions following ransomware attack

Next Post

Webinar: Learn How Storytelling Can Make Cybersecurity Training Fun and Effective

Related Posts

Experts Uncover 70,000 Hijacked Domains in Widespread ‘Sitting Ducks’ Attack Scheme

Multiple threat actors have been found taking advantage of an attack technique called Sitting Ducks to hijack legitimate domains for using them in phishing attacks and investment fraud schemes for years. The findings come from Infoblox, which said it identified nearly 800,000 vulnerable registered domains over the past three months, of which approximately 9% (70,000) have been subsequently
Avatar
Read More

The Problem of Permissions and Non-Human Identities – Why Remediating Credentials Takes Longer Than You Think

According to research from GitGuardian and CyberArk, 79% of IT decision-makers reported having experienced a secrets leak, up from 75% in the previous year's report. At the same time, the number of leaked credentials has never been higher, with over 12.7 million hardcoded credentials in public GitHub repositories alone. One of the more troubling aspects of this report is that over 90% of valid
Avatar
Read More