Androxgh0st botnet integrates Mozi payloads to target IoT devices

Androxgh0st, a botnet known to steal cloud credentials and exploit vulnerabilities in web frameworks and servers, is now also targeting IoT devices such as home routers, security firm CloudSEK said in a new report.

It seems that some of the IoT exploits have been borrowed from a Chinese botnet dubbed Mozi that was believed to be defunct.

Since January, when Androxgh0st was the subject of a joint FBI and CISA advisory, the botnet operators appear to have integrated exploits for additional vulnerabilities aside from the IoT ones. The technologies targeted now include Cisco ASA, Atlassian JIRA, Metabase GeoJSON, Oracle EBS and Sophos Firewall.

“This clearly outlines the heightened activity from the botnet operators, as they are now focusing on a wide range of web application vulnerabilities in order to obtain initial access, in addition to the 3 CVEs reported earlier by CISA,” the CloudSEK researchers said.

Androxgh0st is stealing cloud credentials

Androxgh0st is a piece of malware written in Python that has been around since 2022. It infects systems through vulnerabilities in web-based applications and then establishes backdoor access. It also scans servers and databases for credentials that it can use to further spread itself.

When CISA released its advisory in January, Androxgh0st had three methods of propagation. One was through a known remote code execution vulnerability in PHPUnit (CVE-2017-9841), an automated testing framework for PHP code that is popular with developers.

Another method was by scanning the Internet for web applications built with the Laravel web application framework and then checking to see if the environment (.env) file is readable and exposed. Such files contain environment variables including credentials for various cloud APIs and databases. CISA warned that the attackers were particularly interested in credentials for Amazon Web Services (AWS), Microsoft Office 365, SendGrid and Twilio.

The malware could also access the access key for the Laravel application by exploiting a cross-site request forgery (XSRF) issue and then achieve remote code execution. This vulnerability is tracked as CVE-2018-15133.

Finally, the malware also targeted certain versions of the Apache web server (2.4.49 or 2.4.50) with common gateway interface (CGI) scripts enabled and files unprotected to a path traversal attack. This configuration issue can be exploited to achieve remote code execution.

Androxgh0st has new exploitation capabilities

According to CloudSEK, Androxgh0st has since become much more powerful and has added nine additional exploits. Even though all these exploits are for known vulnerabilities and some are old, it allows the malware to compromise a much wider range of outdated devices.

One vulnerability tracked as CVE-2014-2120 is located in the WebVPN login page of Cisco ASA appliances and allows attackers to inject arbitrary web scripts and HTML into the page, resulting in arbitrary file uploads and the modification and backdooring of PHP files.

A second one is a path traversal issue in Atlassian’s Jira Software Server. Tracked as CVE-2021-26086 the flaw allows reading information from sensitive files on the server.

The third vulnerability is a local file inclusion issue in business analytics software Metabase tracked as CVE-2021-41277. Another arbitrary file upload issue that the malware exploits is located in Oracle E-Business Suite (EBS) and is tracked as CVE-2022-21587.

Androxgh0st also targets an authentication bypass vulnerability in Sophos Firewall that leads to remote code execution (CVE-2022-1040) and an argument Injection flaw in the PHP CGI module tracked as CVE-2024-4577.

Exploits for remote code execution vulnerabilities in GeoServer (CVE-2024-36401) and a WordPress plug-in called Background Image Cropper v1.2 are also exploited by the botnet.

IoT vulnerabilities inherited from Mozi

One interesting addition to its arsenal is a range of exploits for vulnerabilities in several home and gigabit passive optical network (GPON) routers distributed by ISPs. These include an unauthenticated command injection (CVE-2023-1389) in TP-Link Archer AX21, a remote code execution flaw in OptiLink ONT1GEW GPON, and an unauthenticated command execution issue in Netgear DGN devices, and two vulnerabilities in Dasan GPON home routers, an authentication bypass and a command injection.

Some of these exploits and payloads seem to have been inherited from Mozi, a botnet of Chinese origin, whose creators were supposedly arrested by Chinese authorities in 2021. Following the law enforcement action, an update was distributed to the Mozi botnet clients that disrupted their ability to connect to the internet, therefore crippling the botnet and leaving only a small fraction of nodes active.

“It’s possible that Androxgh0st has fully integrated Mozi’s payload as a module within its own botnet architecture,” the CloudSEK researchers said. “In this case, Androxgh0st is not just collaborating with Mozi but embedding Mozi’s specific functionalities (e.g., IoT infection & propagation mechanisms) into its standard set of operations.”

Another possibility is that the same cybercriminal group is in control of the command-and-control infrastructure of both botnets and is using them interchangeably on the same devices, which would point to a high level of operational integration.

CloudSEK advises organizations to scan for devices or applications vulnerable to these exploits on their networks and patch them as soon as possible as the number of Androxgh0st infections continues to rise.