Androxgh0st Botnet Targets IoT Devices, Exploiting 27 Vulnerabilities

Androxgh0st, a botnet targeting web servers since January 2024, is also deploying IoT-focused Mozi payloads, reveals CloudSEK’s latest research.

HackRead

KEY POINTS

  • Rapid Vulnerability Exploitation: The Androxgh0st botnet has expanded its arsenal, exploiting 27 vulnerabilities across web servers, IoT devices, and various technologies, including Cisco ASA, Atlassian JIRA, and TP-Link routers.

  • Integration with Mozi Botnet: The botnet incorporates Mozi payloads, targeting IoT devices and potentially sharing command-and-control infrastructure, signaling increased coordination and sophistication.

  • Focus on Weak Security Practices: Androxgh0st employs brute-force attacks, credential stuffing, and exploitation of devices with default or weak passwords to gain administrative access and maintain persistence.

  • Global and Chinese-Specific Targets: The botnet exploits vulnerabilities in both global systems and Chinese-specific technologies, with evidence pointing to links to Chinese CTF communities and Mandarin-based phishing tactics.

  • Urgent Call for Patching: Researchers recommend immediate patching of all affected systems to mitigate risks, including remote code execution, data breaches, and ransomware attacks.

CloudSEK’s contextual AI digital risk platform Xvigil has uncovered a significant evolution in the Androxgh0st botnet, revealing its exploitation of over 20 vulnerabilities and its operational integration with the Mozi botnet, with an expected rise of at least 75% more web-application vulnerabilities by mid-2025. This indicates a significant increase in Androxgh0st’s initial attack vector arsenal, from 11 in November 2024 to around 27 within a month.

For your information, CISA issued an advisory earlier this year regarding Androxgh0st’s expanding attack surface, including Cisco ASA, Atlassian JIRA, and PHP frameworks, allowing unauthorized access and remote code execution.

CloudSEK’s research highlights Androxgh0st’s expansion beyond its initial focus on web servers, now incorporating IoT-focused Mozi payloads. It is actively exploiting 27 vulnerabilities across various technologies.

These include exploiting a web script injection vulnerability (CVE-2014-2120) in Cisco ASA, leveraging a path traversal vulnerability (CVE-2021-26086) for remote file reading, exploiting a local file inclusion vulnerability (CVE-2021-41277) for arbitrary file downloads, and targeting vulnerabilities in PHPUnit, Laravel, PHP-CGI, TP-Link routers, Netgear devices, and GPON routers.

Numerous other vulnerabilities are now exploited, including those in Sophos Firewall, Oracle EBS, OptiLink ONT1GEW, Spring Cloud Gateway, and various Chinese-specific software. The Sophos authentication bypass vulnerability leads to Remote Code Execution (RCE) in the firewall’s User Portal and Webadmin web interfaces, allowing an unauthenticated attacker to execute arbitrary code.

Also on the list are an unauthenticated arbitrary file upload in Oracle E-Business Suite (EBS), which can be exploited to gain remote code execution as an Oracle user, and an authenticated remote code execution flaw in OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306. Finally, the PHP-CGI argument injection issue (CVE-2024-4577) is another vulnerability affecting PHP-CGI.

This exploitation enables unauthorized access and remote code execution, posing significant risks to global web servers and IoT networks. Moreover, the botnet’s growing sophistication is evident in its shared infrastructure, persistent backdoor tactics, and the incorporation of Mozi payloads, the report read.

The research indicates a significant operational overlap between Androxgh0st and the Mozi botnet, with Androxgh0st deploying Mozi payloads to infect IoT devices and potentially sharing command and control infrastructure, suggesting a high level of coordination or unified control structure.

Further probing revealed that Androxgh0st employs sophisticated tactics such as code injection and file appending to maintain persistent access to compromised systems. It targets WordPress installations using brute-force attacks and credential stuffing to gain administrative access, and frequently exploits devices with default, weak or easily guessable passwords.

Although definitive attribution is complex, the research suggests links to Chinese CTF communities due to targeting of Chinese-specific technologies and software. This includes the use of the “PWN_IT” string in injected payloads and command infrastructure, using Mandarin in phishing baits and source code, and potential connections to Chinese Kanxue-hosted CTF events. Successful exploitation can lead to data breaches, theft, system disruption, ransomware attacks, botnet amplification, and espionage and surveillance activities.

Screenshot shows the countries where devices have been most impacted and the Chinese connection detailed by researchers in their blog (via CloudSEK)

“CloudSEK recommends immediate patching of these vulnerabilities to mitigate risks associated with the Androxgh0st botnet, which is known for systematic exploitation and persistent backdoor access,” researchers noted.

  1. Legion: Credential Harvesting Malware Sold on Telegram
  2. Malware in Fake Business Proposals Hits YouTube Creators
  3. Cisco Urges Immediate Patch for Decade-Old WebVPN Flaw
  4. Black Basta Uses MS Teams, Email Bombing to Spread Malware
  5. Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw

Related news

Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability

The vulnerability was first identified in 2014.

Decade-Old Cisco Vulnerability Under Active Exploit

Cisco encourages users to update to an unaffected version of its Adaptive Security Appliance (ASA) software since there are no workarounds for the 2014 vulnerability.

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a


Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan. "The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The origins of the backdoor are

Gentoo Linux Security Advisory 202408-32

Gentoo Linux Security Advisory 202408-32 - Multiple vulnerabilities have been discovered in PHP, the worst of which can lead to a denial of service. Versions greater than or equal to 8.1.29:8.1 are affected.

PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets. The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It

PHP CGI Argument Injection Remote Code Execution

This Metasploit module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations on a Windows target. A vulnerable configuration is locale dependent (such as Chinese or Japanese), such that the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D) character. Additionally, a target web server must be configured to run PHP under CGI mode, or directly expose the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch), and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have not received patches. XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.
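The soft-hyphen mechanism described above gives defenders a concrete thing to hunt for in web server logs: a percent-encoded lone 0xAD byte in the query string of a PHP-CGI request. The following is an added example (not part of the module description or of any CloudSEK/HackRead material) that scans constructed Combined Log Format lines for that byte while avoiding the obvious false positive, valid UTF-8 text whose second byte happens to be 0xAD.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Combined Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed sample log lines for this demo; not real traffic. The %AD / %ad
# sequences are the percent-encoded lone soft-hyphen byte from the advisory text.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Jun/2024:12:00:02 +0000] "GET /php-cgi/php-cgi.exe?%ADtest HTTP/1.1" 200 64 "-" "curl/8.0"',
    '192.0.2.12 - - [10/Jun/2024:12:00:03 +0000] "GET /search.php?q=as%C3%AD HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.13 - - [10/Jun/2024:12:00:04 +0000] "GET /index.php?%ad HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
]


def has_lone_soft_hyphen(target: str) -> bool:
    """True if the percent-decoded query string carries a bare 0xAD byte.

    A bare 0xAD is what best-fit conversion turns into '-' on an affected
    Windows locale. The same byte occurs legitimately as the second byte of
    valid UTF-8 (e.g. 'í' is C3 AD), so decode with surrogateescape: only bytes
    that are NOT part of a valid UTF-8 sequence become U+DC80..U+DCFF, and a
    lone 0xAD therefore shows up as U+DCAD.
    """
    raw = unquote_to_bytes(urlsplit(target).query)
    return "\udcad" in raw.decode("utf-8", "surrogateescape")


def scan_log(lines):
    """Return (client_ip, request_target) for every parseable line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_lone_soft_hyphen(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"suspicious PHP-CGI argument injection pattern from {ip}: {target}")
```

A raw (unencoded) 0xAD byte is usually written to Apache logs as an escaped `\xad`, which this percent-decoding check does not cover; extend the query extraction if your log format preserves such escapes.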

PHP Remote Code Execution

PHP versions prior to 8.3.8 suffer from a remote code execution vulnerability.

TellYouThePass Ransomware Group Exploits Critical PHP Flaw

An RCE vulnerability that affects the Web scripting language on Windows systems is easy to exploit and can provide a broad attack surface.

CVE-2021-41277: GeoJSON URL validation fix (#17990) · metabase/metabase@042a36e

Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
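The fix summarised above is to validate a user-supplied map URL before the server loads it. As an added example (not Metabase's own code), the check below accepts only absolute http(s) URLs to public hosts, which rules out the `file:` scheme behind the local file inclusion and, going a step further than the blurb, also rejects loopback, link-local and private addresses that an administrator-controlled URL could otherwise point at.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_map_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a URL the application is about to fetch.

    Hypothetical helper for a server-side fetch of user-supplied GeoJSON; it is
    a parse-time check only and does not resolve DNS (a production check should
    also resolve the host, apply the same address test to every result, and
    connect to those pinned addresses).
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Blocks file:, ftp:, jar:, data: and scheme-less input outright.
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname.rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback host"
    try:
        addr = ipaddress.ip_address(host)  # literal IPv4/IPv6 host
    except ValueError:
        addr = None  # a DNS name; left to the resolve-time check
    if addr is not None and not addr.is_global:
        # Covers 127/8, ::1, 10/8, 172.16/12, 192.168/16, 169.254/16, etc.
        return False, f"non-public address: {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/maps/world.geojson",
                      "file:///etc/hostname",
                      "http://169.254.169.254/latest/"):
        print(candidate, "->", validate_map_url(candidate))
```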
