SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers

Androxgh0st botnet expands with Mozi IoT capabilities

Wed, 13th Nov 2024

CloudSEK's Threat Research team has identified a significant enhancement in the capabilities of the Androxgh0st botnet.

CloudSEK has reported that the Androxgh0st botnet, which has been active since January 2024, has expanded its targets beyond web servers to include a wide range of vulnerabilities in systems such as Cisco ASA, Atlassian JIRA, and PHP frameworks. More pertinently, Androxgh0st now incorporates components of the Mozi botnet, extending its range of attack to Internet of Things (IoT) devices globally.

According to the threat analysis, Androxgh0st's command and control (C2) infrastructure now includes the ability to deploy Mozi's payloads. This marks a shift to a more unified botnet infrastructure, with Androxgh0st adopting Mozi's IoT infiltration techniques. Mozi was known for its ability to infect IoT devices, including Netgear and D-Link routers, before a killswitch was activated in 2021. This integration extends Androxgh0st's reach and capabilities considerably.

The Androxgh0st botnet's recent activities show that it can exploit critical vulnerabilities in various systems. These include cross-site scripting vulnerabilities in Cisco ASA systems, path traversal issues in Atlassian JIRA (CVE-2021-26086), and vulnerabilities in PHP frameworks such as Laravel (CVE-2018-15133) and PHPUnit (CVE-2017-9841). Additionally, the botnet exploits newer vulnerabilities like CVE-2023-1389 in TP-Link Archer AX21 firmware and CVE-2024-36401 in GeoServer, demonstrating its adaptability to new threats.

CloudSEK's research also highlights Androxgh0st's attack methods, which include brute-force credential attacks, command injection, and malware propagation. The botnet's use of Mozi's IoT capabilities means it can now exploit misconfigured routers and devices globally, impacting regions across Asia and Europe, and potentially extending beyond.

In response to these developments, CloudSEK emphasises that the integration of Mozi botnet features and new exploit techniques marks a significant escalation in the Androxgh0st botnet's capabilities. Organisations worldwide are advised to adopt various security measures to mitigate these threats.

Shashank Shekhar, Managing Editor at CloudSEK, urges organisations to "apply patches for vulnerabilities exploited by Androxgh0st, particularly on Cisco ASA, TP-Link, Atlassian JIRA, PHP frameworks, and routers."

Organisations are also recommended to "track suspicious outbound connections and anomalous login attempts, especially from IoT devices vulnerable to Androxgh0st-Mozi collaboration," according to the research findings.

CloudSEK also advises performing detailed log analysis to detect any signs of compromise. Reviewing HTTP and web server logs for suspicious GET or POST requests that might indicate command injections is critical, particularly those targeting paths such as /cgi-bin/admin.cgi and /setup.cgi.
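The log review described above can be sketched as follows. This is an added example, not code from CloudSEK or the article; only the two paths come from the text, while the common/combined access-log format, the list of shell metacharacters and the severity labels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Paths named in the article; everything else here is an assumption.
WATCHED_PATHS = {"/cgi-bin/admin.cgi", "/setup.cgi"}
# Decoded characters that let a parameter value break out into a shell.
SHELL_META = re.compile(r"[;|`\n]|\$\(|&&")
# Common/combined log format: ip ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>GET|POST) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def review_line(line):
    """Return a finding for a GET/POST to a watched path, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = re.sub(r"/+", "/", url.path).lower()  # fold //setup.cgi, /SETUP.CGI
    if path not in WATCHED_PATHS:
        return None
    # parse_qsl percent-decodes, so %3B and ';' are treated alike.
    flagged = [k for k, v in parse_qsl(url.query, keep_blank_values=True)
               if SHELL_META.search(k) or SHELL_META.search(v)]
    return {
        "ip": m["ip"], "method": m["method"], "path": path,
        "status": int(m["status"]), "params": flagged,
        # "high": metacharacters in a parameter; "review": path hit only
        # (POST bodies are not in access logs, so check WAF/device logs).
        "severity": "high" if flagged else "review",
    }

def review_log(text):
    """Scan a whole access log and return the findings in order."""
    return [f for f in map(review_line, text.splitlines()) if f]

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Nov/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [13/Nov/2024:10:01:05 +0000] "GET /setup.cgi?page=status&host=a%3Bid HTTP/1.1" 200 64
203.0.113.5 - - [13/Nov/2024:10:01:09 +0000] "POST /cgi-bin/admin.cgi HTTP/1.1" 404 0
192.0.2.10 - - [13/Nov/2024:10:02:00 +0000] "GET /setup.cgi?page=status HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

On a host that does not serve these CGI paths at all, even the "review" hits are worth correlating with the source address's other requests, since they indicate probing for router-style endpoints.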

Finally, enhancing endpoint detection remains a crucial strategy in combating these attacks. The use of Endpoint Detection and Response (EDR) tools is recommended to detect unauthorised processes, particularly in directories like /tmp and /dev/shm, commonly used by Androxgh0st for persistence.

Androxgh0st's recent developments demonstrate its growing capability to cause harm, and CloudSEK's findings underline the importance of being vigilant and prepared to address this advancing cyber threat.
