AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.

“This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures,” CloudSEK said in a new report.

AndroxGh0st is the name given to a Python-based cloud attack tool that’s known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

Active since at least 2022, it has previously leveraged flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.

Earlier this March, U.S. cybersecurity and intelligence agencies revealed that attackers are deploying the AndroxGh0st malware to create a botnet for “victim identification and exploitation in target networks.”

The latest analysis from CloudSEK reveals a strategic expansion of the targeting focus, with the malware now exploiting an array of vulnerabilities for initial access –

• CVE-2014-2120 (CVSS score: 4.3) – Cisco ASA WebVPN login page XSS vulnerability
• CVE-2018-10561 (CVSS score: 9.8) – Dasan GPON authentication bypass vulnerability
• CVE-2018-10562 (CVSS score: 9.8) – Dasan GPON command injection vulnerability
• CVE-2021-26086 (CVSS score: 5.3) – Atlassian Jira path traversal vulnerability
• CVE-2021-41277 (CVSS score: 7.5) – Metabase GeoJSON map local file inclusion vulnerability
• CVE-2022-1040 (CVSS score: 9.8) – Sophos Firewall authentication bypass vulnerability
• CVE-2022-21587 (CVSS score: 9.8) – Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
• CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX21 firmware command injection vulnerability
• CVE-2024-4577 (CVSS score: 9.8) – PHP CGI argument injection vulnerability
• CVE-2024-36401 (CVSS score: 9.8) – GeoServer remote code execution vulnerability

“The botnet cycles through common administrative usernames and uses a consistent password pattern,” the company said. “The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings.”

The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named “Mozi.m” from different external servers (“200.124.241[.]140” and “117.215.206[.]216”).

Mozi is another well-known botnet that has a track record of striking IoT devices to co-opt them into a malicious network for conducting distributed denial-of-service (DDoS) attacks.

While the malware authors were arrested by Chinese law enforcement officials in September 2021, a precipitous decline in Mozi activity wasn’t observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It’s suspected that either the botnet creators or Chinese authorities distributed an update to dismantle it.

AndroxGh0st’s integration of Mozi has raised the possibility of a possible operational alliance, thereby allowing it to propagate to more devices than ever before.

“AndroxGh0st is not just collaborating with Mozi but embedding Mozi’s specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard set of operations,” CloudSEK said.

“This would mean that AndroxGh0st has expanded to leverage Mozi’s propagation power to infect more IoT devices, using Mozi’s payloads to accomplish goals that otherwise would require separate infection routines.”

“If both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both AndroxGh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.