The menace actors behind the AndroxGh0st malware are actually exploiting a broader set of security flaws impacting numerous internet-facing purposes, whereas additionally deploying the Mozi botnet malware.
“This botnet makes use of distant code execution and credential-stealing strategies to take care of persistent entry, leveraging unpatched vulnerabilities to infiltrate vital infrastructures,” CloudSEK stated in a brand new report.
AndroxGh0st is the title given to a Python-based cloud assault device that is identified for its concentrating on of Laravel purposes with the objective of delicate knowledge pertaining to providers like Amazon Internet Companies (AWS), SendGrid, and Twilio.
Lively since no less than 2022, it has beforehand leveraged flaws within the Apache internet server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to achieve preliminary entry, escalate privileges, and set up persistent management over compromised techniques.
Earlier this March, U.S. cybersecurity and intelligence businesses revealed that attackers are deploying the AndroxGh0st malware to create a botnet for “sufferer identification and exploitation in goal networks.”
The most recent evaluation from CloudSEK reveals a strategic growth of the concentrating on focus, with the malware now exploiting an array of vulnerabilities for preliminary entry –
- CVE-2014-2120 (CVSS rating: 4.3) – Cisco ASA WebVPN login web page XSS vulnerability
- CVE-2018-10561 (CVSS rating: 9.8) – Dasan GPON authentication bypass vulnerability
- CVE-2018-10562 (CVSS rating: 9.8) – Dasan GPON command injection vulnerability
- CVE-2021-26086 (CVSS rating: 5.3) – Atlassian Jira path traversal vulnerability
- CVE-2021-41277 (CVSS rating: 7.5) – Metabase GeoJSON map native file inclusion vulnerability
- CVE-2022-1040 (CVSS rating: 9.8) – Sophos Firewall authentication bypass vulnerability
- CVE-2022-21587 (CVSS rating: 9.8) – Oracle E-Enterprise Suite (EBS) Unauthenticated arbitrary file add vulnerability
- CVE-2023-1389 (CVSS rating: 8.8) – TP-Hyperlink Archer AX21 firmware command injection vulnerability
- CVE-2024-4577 (CVSS rating: 9.8) – PHP CGI argument injection vulnerability
- CVE-2024-36401 (CVSS rating: 9.8) – GeoServer distant code execution vulnerability
“The botnet cycles by means of frequent administrative usernames and makes use of a constant password sample,” the corporate stated. “The goal URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress websites. If the authentication is profitable, it positive aspects entry to vital web site controls and settings.”
The assaults have additionally been noticed leveraging unauthenticated command execution flaws in Netgear DGN gadgets and Dasan GPON dwelling routers to drop a payload named “Mozi.m” from completely different exterior servers (“200.124.241[.]140” and “117.215.206[.]216”).
Mozi is one other well-known botnet that has a observe document of placing IoT gadgets to co-opt them right into a malicious community for conducting distributed denial-of-service (DDoS) assaults.
Whereas the malware authors had been arrested by Chinese language legislation enforcement officers in September 2021, a precipitous decline in Mozi exercise wasn’t noticed till August 2023, when unidentified events issued a kill change command to terminate the malware. It is suspected that both the botnet creators or Chinese language authorities distributed an replace to dismantle it.
AndroxGh0st’s integration of Mozi has raised the opportunity of a doable operational alliance, thereby permitting it to propagate to extra gadgets than ever earlier than.
“AndroxGh0st isn’t just collaborating with Mozi however embedding Mozi’s particular functionalities (e.g., IoT an infection and propagation mechanisms) into its normal set of operations,” CloudSEK stated.
“This might imply that AndroxGh0st has expanded to leverage Mozi’s propagation energy to contaminate extra IoT gadgets, utilizing Mozi’s payloads to perform objectives that in any other case would require separate an infection routines.”
“If each botnets are utilizing the identical command infrastructure, it factors to a excessive degree of operational integration, probably implying that each AndroxGh0st and Mozi are below the management of the identical cybercriminal group. This shared infrastructure would streamline management over a broader vary of gadgets, enhancing each the effectiveness and effectivity of their mixed botnet operations.”