Significant developments have emerged in the Androxgh0st botnet, revealing its strategic expansion and integration with elements from the Mozi botnet.
CloudSEK’s Threat Research team today published a new report highlighting that Androxgh0st, active since January 2024, has begun to target web servers, exploiting vulnerabilities to infiltrate systems.
The findings show that this botnet is also deploying Mozi’s Internet of Things (IoT)-focused payloads, raising concerns about a potential operational alliance between the two botnets.
Exploiting High-Profile Vulnerabilities in Major Technologies
According to CloudSEK’s investigation, Androxgh0st leverages various vulnerabilities in high-profile technologies like Cisco ASA, Atlassian JIRA and multiple PHP frameworks. These vulnerabilities grant unauthorized access and facilitate remote code execution, allowing attackers to maintain persistent control over compromised systems.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in early 2024, alerting organizations to Androxgh0st’s capacity for systematic exploitation across various CVEs.
Key CVEs Used by Androxgh0st to Infiltrate Systems
Key vulnerabilities identified in Androxgh0st targets include:
-
PHP’s CVE-2017-9841 in PHPUnit, which allows backdoor access to websites
-
Laravel’s CVE-2018-15133, enabling encrypted code execution
-
Apache’s CVE-2021-41773, which allows path traversal attacks
Further analysis by CloudSEK revealed that Androxgh0st is also targeting IoT devices, a tactic historically associated with Mozi, which primarily impacted routers and DVRs across China, India and Albania before its creators were arrested in 2021.
Read more on IoT security: Half of IT Leaders Identify IoT as Security Weak Point
Despite Mozi’s disruption, Androxgh0st’s recent command-and-control logs suggest that Mozi’s payloads have been reintegrated into its botnet infrastructure, creating a more extensive infection network and increasing the threat’s reach to IoT environments.
Recommendations to Mitigate Androxgh0st Threat
To mitigate the risks posed by Androxgh0st, CloudSEK advises organizations to immediately patch affected software and network vulnerabilities. Regular system checks, vulnerability scans and updates are also essential in addressing these threats.