Introduction
The Androxgh0st botnet [1] [2], active since January 2024 [1] [2], has expanded its operations by incorporating tactics and payloads from the Mozi botnet. This development poses a significant threat to web servers and Internet of Things (IoT) devices, exploiting various vulnerabilities across multiple platforms.
Description
The Androxgh0st botnet [1] [2], active since January 2024 [1] [2], has significantly expanded its operations by integrating payloads and tactics from the Mozi botnet, particularly targeting web servers and Internet of Things (IoT) devices. It exploits a range of vulnerabilities across various platforms, including high-profile weaknesses in technologies such as Cisco ASA [1], Atlassian JIRA [1] [2], and multiple PHP frameworks [1]. Notably, it utilizes vulnerabilities like PHP’s CVE-2017-9841 in PHPUnit [1], Laravel’s CVE-2018-15133 [1], and Apache’s CVE-2021-41773 [1], which facilitate unauthorized access [1], remote code execution [1] [2], and path traversal attacks [1]. Additionally, it has been identified as exploiting CVE-2023-1389 and CVE-2024-36401 since at least August 2024 [2], focusing on a wide array of web application vulnerabilities for initial access [2].
The botnet’s tactics include command injection, credential stuffing [2], and file inclusion [2], which are reminiscent of Mozi’s previous operations that primarily affected routers and DVRs in countries like China [1], India [1], and Albania before the arrest of its creators in 2021 [1]. Recent command-and-control logs suggest that Mozi’s payloads have been fully integrated into Androxgh0st’s infrastructure [1], enhancing its infection network and extending its threat to IoT environments [1]. This operational integration indicates a potential connection between the two botnets, possibly controlled by the same cybercriminal group utilizing a shared command infrastructure [2].
To mitigate the risks associated with Androxgh0st [1], it is crucial for organizations to promptly patch affected software and network vulnerabilities [1], alongside conducting regular system checks [1], vulnerability scans [1], and updates [1]. Immediate security measures are essential to address this complex and evolving threat landscape.
Conclusion
The integration of Mozi’s tactics into the Androxgh0st botnet underscores the evolving nature of cyber threats, particularly to IoT environments. Organizations must remain vigilant, implementing timely patches and conducting regular security assessments to mitigate these risks. As cybercriminals continue to adapt and enhance their methods, proactive and comprehensive security strategies will be vital in safeguarding against such sophisticated threats.
References
[1] https://www.infosecurity-magazine.com/news/androxgh0st-botnet-adopts-mozi/
[2] https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave
