Mozi Botnet Re-Emerges as Androxgh0st in New Wave of IoT Exploits

Smominru

The notorious Mozi botnet, once believed to be largely defunct following law enforcement actions, has resurfaced in a powerful new avatar: Androxgh0st. CloudSEK’s recent report reveals that Androxgh0st has integrated Mozi’s IoT-focused payloads, sparking a surge of attacks on web servers and vulnerable IoT devices. Active since January 2024, the Androxgh0st botnet has expanded its arsenal, targeting a range of software vulnerabilities, including those in Cisco ASA, Atlassian JIRA, and PHP frameworks.

CloudSEK’s Threat Research team has identified significant developments in the Androxgh0st botnet, revealing its exploitation of multiple vulnerabilities and a potential operational integration with the Mozi botnet,” the report states. This operational integration gives Androxgh0st the means to exploit both web application flaws and IoT-specific vulnerabilities.

Androxgh0st’s unique modus operandi combines techniques from the Mozi botnet with new vulnerabilities in software systems. CloudSEK’s report highlights several key exploits:

  1. PHP Vulnerability (CVE-2017-9841): Androxgh0st targets PHPUnit’s exposed /vendor folders, using the eval-stdin.php endpoint to execute remote code and establish backdoor access.
  2. Laravel Application Key Exploits (CVE-2018-15133): By scanning for exposed Laravel .env files, Androxgh0st can steal application credentials and potentially execute encrypted PHP code.
  3. Apache Path Traversal (CVE-2021-41773): Targeting specific versions of Apache, Androxgh0st exploits path traversal to execute code and gain unauthorized access to files.

Additionally, Androxgh0st takes advantage of recent vulnerabilities in widely used platforms, including Cisco ASA, Sophos Firewalls, and WordPress plugins. The report urges organizations to patch these vulnerabilities, emphasizing that “CloudSEK recommends immediate patching of these vulnerabilities to mitigate risks associated with the Androxgh0st botnet, which is known for systematic exploitation and persistent backdoor access.”

While Mozi was once believed to be dismantled, Androxgh0st’s operational use of Mozi payloads suggests otherwise. By leveraging Mozi’s well-documented IoT infection and propagation methods, Androxgh0st has been able to enhance its reach and impact. The report notes that “Androxgh0st is not just collaborating with Mozi but embedding Mozi’s specific functionalitiesinto its standard set of operations,” expanding Androxgh0st’s capabilities to compromise IoT devices at scale.

Both botnets appear to share a common command and control (C2) infrastructure, suggesting that the same threat actor may be orchestrating this unified campaign. “If both botnets are using the same command infrastructure, it points to a high level of operational integration,” CloudSEK analysts explain, noting that this collaboration enhances both the reach and efficiency of the attacks.

Androxgh0st botnet

Bots by country | Image: CloudSEK

With over 500 devices infected so far, Androxgh0st’s resurgence has put organizations on high alert. To counteract this threat, CloudSEK’s report offers a comprehensive list of defense strategies:

  1. Check Logs for Unusual Web Requests: Look for HTTP requests with unexpected parameters, like wget and curl, which may indicate command injection attempts.
  2. Regularly Update Software: Ensure all IoT devices, servers, and software platforms are running the latest patches to prevent exploitation of known vulnerabilities.
  3. Inspect Temporary Directories: Androxgh0st commonly uses /tmp and /var/tmp directories to store malicious scripts. Files with recent changes or executable permissions in these directories should be flagged for further inspection.
  4. Implement Network Monitoring: Monitor for unusual outbound connections or high volumes of outbound traffic, as infected devices may participate in botnet activity or DDoS attacks.

CloudSEK’s findings emphasize the urgency of adopting these measures, warning that failure to act may lead to exploitation by this potent and evolving botnet.

Related Posts: