AndroxGh0st Malware Leverages Mozi Botnet for Enhanced IoT and Cloud Attacks

November 8, 2024

The AndroxGh0st malware, notorious for its Python-based cloud attack tool targeting Laravel applications and sensitive data from services like Amazon Web Services (AWS), SendGrid, and Twilio, is now exploiting a wider range of security vulnerabilities. Since its inception in 2022, it has exploited vulnerabilities in Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.

In March, U.S. cybersecurity and intelligence agencies reported that attackers were using the AndroxGh0st malware to establish a botnet for identifying and exploiting targets in networks. CloudSEK's latest analysis reveals a strategic shift in the malware's targeting focus, now exploiting a variety of vulnerabilities for initial access. "The botnet cycles through common administrative usernames and uses a consistent password pattern," CloudSEK stated.

The malware also targets the backend administration dashboard for WordPress sites, gaining access to critical website controls and settings if authentication is successful. Additionally, the malware has been observed exploiting unauthenticated command execution vulnerabilities in Netgear DGN devices and Dasan GPON home routers to drop a payload named "Mozi.m" from different external servers.
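The "cycles through common administrative usernames" behaviour above is detectable on the defender's side without knowing the password pattern: a single source failing logins under many different usernames is not a legitimate user mistyping a password. The following Python is an added example, not code from the CloudSEK report or this article; the login-audit line format and all sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of login-audit lines (the format is an assumption, not
# taken from the report): "<ts> <src_ip> <path> <username> <result>".
SAMPLE_LOG = """\
2024-11-01T10:00:01Z 203.0.113.7 /wp-login.php admin FAIL
2024-11-01T10:00:02Z 203.0.113.7 /wp-login.php administrator FAIL
2024-11-01T10:00:03Z 203.0.113.7 /wp-login.php root FAIL
2024-11-01T10:00:04Z 203.0.113.7 /wp-login.php wpadmin FAIL
2024-11-01T10:00:05Z 203.0.113.7 /wp-login.php test FAIL
2024-11-01T10:00:06Z 203.0.113.7 /wp-login.php admin FAIL
2024-11-01T10:05:00Z 198.51.100.2 /wp-login.php editor FAIL
2024-11-01T10:05:09Z 198.51.100.2 /wp-login.php editor OK
2024-11-01T10:07:00Z 192.0.2.9 /index.php - OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")
LOGIN_PATHS = {"/wp-login.php", "/wp-admin/"}  # assumed admin login paths

def parse_line(line):
    """Return (ts, ip, path, user, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def flag_username_cycling(log_text, min_distinct_users=4):
    """Return {ip: sorted distinct usernames} for sources whose failed logins
    against the admin login path used at least min_distinct_users different
    usernames. A real user retrying one account never crosses the threshold;
    a bot walking a list of common admin names does."""
    failed_users = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines
        _ts, ip, path, user, result = rec
        if path in LOGIN_PATHS and result == "FAIL":
            failed_users[ip].add(user)
    return {ip: sorted(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}

if __name__ == "__main__":
    for ip, users in flag_username_cycling(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct usernames tried: {', '.join(users)}")
```

In the sample, only 203.0.113.7 is flagged; 198.51.100.2 fails once and then succeeds under the same account, which is the pattern of a legitimate user.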

Mozi, another infamous botnet known for attacking IoT devices and incorporating them into a malicious network for conducting DDoS attacks, is now linked with AndroxGh0st. Despite the arrest of Mozi's creators in 2021, the botnet remained active until an unidentified party issued a kill switch command in August 2023. It's speculated that either the botnet creators or Chinese authorities issued an update to dismantle it.

The integration of Mozi into AndroxGh0st suggests a potential operational alliance, enabling the malware to spread to more devices than ever before. "AndroxGh0st is not just collaborating with Mozi but embedding Mozi's specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard set of operations," CloudSEK reported. This implies that AndroxGh0st is leveraging Mozi's propagation power to infect more IoT devices, using Mozi's payloads to achieve objectives that would otherwise necessitate separate infection routines. If both botnets are using the same command infrastructure, it suggests a high level of operational integration, possibly indicating that both AndroxGh0st and Mozi are controlled by the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing the effectiveness and efficiency of their combined botnet operations.
