November 11, 2024
Severity
High
Analysis Summary
The threat actors behind the AndroxGh0st malware are now deploying the Mozi botnet malware as well, and are exploiting a wider range of vulnerabilities in different internet-facing applications. The botnet compromises critical infrastructure through unpatched vulnerabilities, using remote code execution and credential theft to maintain persistent access.
AndroxGh0st is a Python-based cloud attack tool known for targeting Laravel applications to harvest credentials for services such as Amazon Web Services (AWS), SendGrid, and Twilio. Active since at least 2022, it has previously exploited vulnerabilities in the Laravel Framework (CVE-2018-15133), PHPUnit (CVE-2017-9841), and the Apache web server (CVE-2021-41773) to gain initial access, escalate privileges, and maintain long-term control of affected systems.
According to information released earlier this January by U.S. cybersecurity and intelligence agencies, attackers are using AndroxGh0st to build a botnet for identifying and exploiting victims in target networks. The researchers' most recent investigation shows that the malware has strategically broadened its targeting and now uses a variety of vulnerabilities to gain initial access.
The botnet cycles through common administrator usernames with a recurring password pattern. The target URL is /wp-admin/, the back-end administration panel of WordPress sites; if authentication succeeds, the attacker gains access to the site's core controls and settings. The attacks have also been observed exploiting unauthenticated command execution vulnerabilities in Dasan GPON home routers and Netgear DGN devices to deliver a payload named "Mozi.m" from various external servers. Mozi is another well-known botnet with a history of compromising Internet of Things (IoT) devices and using them to launch distributed denial-of-service (DDoS) attacks.
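As an added example (not part of this advisory), the following Python script shows one way a defender can detect, in web server or forward-proxy access logs, the two behaviours described above: repeated login POSTs against the WordPress login endpoint from a single source, and requests for a payload named Mozi.m. Source IPs are also checked against the IP indicators listed in this advisory. The log format (Apache/nginx "combined"), the brute-force thresholds and the sample log lines are assumptions constructed for the example; WordPress serves its login form from /wp-login.php, which is where /wp-admin/ sends unauthenticated requests.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source IP indicators copied from this advisory's IoC list.
IOC_IPS = {
    "165.22.184.66", "45.55.104.59", "45.202.35.24",
    "154.216.17.31", "200.124.241.140", "117.215.206.216",
}

# Apache/nginx "combined" log format (assumed input format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# WordPress login endpoints: /wp-admin/ redirects unauthenticated users to /wp-login.php.
LOGIN_PATHS = ("/wp-login.php", "/wp-admin/")
BRUTE_THRESHOLD = 5                   # login POSTs from one IP ...
BRUTE_WINDOW = timedelta(minutes=2)   # ... within this window (assumed tuning values)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyze(lines):
    """Return a list of (rule, source_ip, detail) alerts, at most one per rule and IP."""
    alerts = []
    seen = set()
    login_posts = defaultdict(list)

    def alert(rule, ip, detail):
        if (rule, ip) not in seen:
            seen.add((rule, ip))
            alerts.append((rule, ip, detail))

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: any traffic from an IP listed as an indicator in the advisory.
        if rec["ip"] in IOC_IPS:
            alert("ioc_ip", rec["ip"], rec["path"])
        # Rule 2: a request for the Mozi.m payload named in the advisory
        # (in a forward-proxy log this is an infected device fetching it).
        if rec["path"].split("?", 1)[0].rsplit("/", 1)[-1] == "Mozi.m":
            alert("mozi_payload", rec["ip"], rec["path"])
        # Collect login POSTs for the brute-force rule below.
        if rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATHS):
            login_posts[rec["ip"]].append(rec["ts"])

    # Rule 3: BRUTE_THRESHOLD or more login POSTs from one IP inside BRUTE_WINDOW
    # (sliding window over that IP's sorted timestamps).
    for ip, stamps in login_posts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BRUTE_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BRUTE_THRESHOLD:
                alert("wp_login_bruteforce", ip, f"{count} login POSTs within {BRUTE_WINDOW}")
                break
    return alerts


# Constructed sample log: RFC 5737 documentation addresses plus one IoC IP from the advisory.
SAMPLE_LOG = """\
203.0.113.9 - - [11/Nov/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
45.202.35.24 - - [11/Nov/2024:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
198.51.100.7 - - [11/Nov/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2310
198.51.100.7 - - [11/Nov/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2310
198.51.100.7 - - [11/Nov/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2310
198.51.100.7 - - [11/Nov/2024:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2310
198.51.100.7 - - [11/Nov/2024:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [11/Nov/2024:10:02:00 +0000] "GET /bins/Mozi.m HTTP/1.1" 200 120000
198.51.100.8 - - [11/Nov/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for rule, ip, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{rule:22} {ip:16} {detail}")
```

Run against a real log with `analyze(open("access.log").readlines())`. The single successful-looking POST from 198.51.100.8 produces no alert, while the five rapid POSTs from 198.51.100.7 do; tune BRUTE_THRESHOLD and BRUTE_WINDOW to your site's normal admin login rate before alerting on production logs.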
Although Chinese law enforcement had detained Mozi's creators in September 2021, a sharp drop in Mozi activity was not observed until August 2023, when an unknown party issued a kill-switch command that halted the malware. It is believed that either Chinese authorities or the botnet's creators distributed an update to take the botnet down. By integrating Mozi, AndroxGh0st has made an operational partnership between the two more likely and can now spread to far more devices than before.
Beyond cooperating with Mozi, AndroxGh0st is folding Mozi's distinctive capabilities, such as its IoT infection and propagation techniques, into its own core operations. By reusing Mozi's payloads for tasks that would otherwise require separate infection routines, AndroxGh0st now leverages Mozi's propagation capabilities to infect more IoT devices.
The two botnets' use of the same command infrastructure indicates a high degree of operational synergy and may mean that a single cybercriminal group controls both AndroxGh0st and Mozi. Shared infrastructure simplifies control over a broader range of devices, which would make their combined botnet activity more efficient and effective.
Impact
- Code Execution
- Credential Theft
- Unauthorized Access
- Privilege Escalation
- Denial of Service
Indicators of Compromise
IP
- 165.22.184.66
- 45.55.104.59
- 45.202.35.24
- 154.216.17.31
- 200.124.241.140
- 117.215.206.216
MD5
- 2403a89ab4ffec6d864ac0a7a225e99a
- d9553ca3d837f261f8dfda9950978a0a
- c8340927faaf9dccabb84a849f448e92
- a2021755d4d55c39ada0b4abc0c8bcf5
- db2a59a1fd789d62858dfc4f436822d7
- dd5e7a153bebb8270cf0e7ce53e05d9c
- f75061ac31f8b67ddcd5644f9570e29b
- 45b5c4bff7499603a37d5a665b5b4ca3
- 6f8a79918c78280aec401778564e3345
- e3e6926fdee074adaa48b4627644fccb
- abab0da6685a8eb739027aee4a5c4eaa
- 2938986310675fa79e01af965f4ace4f
- a6609478016c84aa235cd8b3047223eb
- 3cb30d37cdfe949ac1ff3e33705f09e3
- 0564f83ada149b63a8928ff7591389f3
- 3d48dfd97f2b77417410500606b2ced6
SHA-256
- ba2e47d1a07c50b968d3ef3bb14b691ca5ea041fc2c56bc19b4ca3b66532c2fb
- a9389c37ba90f0e84645beda64b359b5892df5519bc173a609e68749be74cdf2
- b16dc2649d290a9e19b75764e87fe39d6022e12e93c207689269b90e2f6b28e0
- 609112eb6eb6445862375fb4392ed73f203b281d6bfa3f7eed9494c016752091
- d458b28ef0a1a582f6a116f38cd38815b83f9f03e1efd3f2a5c00535f52899b3
- 48b7cac1d55d98de9f31ebd83f6ebcd7cf596e62bae8ecf5d37b17e7acafd3ad
- 5612d9cc87bb63c762719ebd30514403b4e6319f1b2efa4b5d6dc51bb4462176
- 0b4536fb2b282d634be632691690bb99eede7cd0306b9409c982d1880d418aee
- b8380e2cd7a2164e8efa0bac32eda97f8b81084e6ba90d44a59d357b9461b6af
- 58015d2873a59d32f68640675d7f68ac681c904c8ca5b79d0a6a360ad9e83826
- 681ae956659f3f0aae032e222d37cd7ebb7f50081dbf2267e3bb2dd4bd03e3a3
- 6adf22b7deaf177b7ef5bee65e50e2c689afb8bcb97fb5f0d920476ad4d07d9b
- aaf033f60ef8d1f4e60029db61888d4fbd3d9f2177352b97862ad5e4482e418e
- 0669b7eaff043cbb9b3e0e590adc14783c4bd4a9fbb054fb810b1d4d9e13363d
- fbe8234329cfc678ca2b51f78b3c6f7886d658b74274bc97c06bffa20cd6b2c7
- 22b1fdcd8a40dacc2fc4907a3cd9e25fcbd8a8466ccfd9de0242a6bde5b8e181
SHA-1
- c43f25e402ebe1a45aec524bbb3dc067271e4e63
- e0365fadf16cfd48cc5cc27c2dff8f405769995c
- 359f9915adcd8cf85b8127f8ad16411b5a5d9259
- d52c89eb409de8b96b44a324758ebc126932059a
- b6dc8ac88271532210063b88c81d44cfea4b0167
- 3fefbd92854df0eec9dcd59854f66915d849077f
- b797428f771653a442c0ef92b8d5d884195e4d81
- 1ae32f8c2705c1d993f7d4af1ccac76c616a2845
- 16c8fb41d83103a60e135f83abc55d79ffc84dc3
- 14d90255cf10e8add5c8df25e920c3e5a868b4e9
- efb2dd23b3e2be1856e34b9613c524c79fbf4165
- 59c8667b102c4dbb446cb867b474b51812c3fe34
- 28c2c38584cc597618eb265631415de121cfb69d
- 41c6f6f29eed38e9deadf06cf79d8393e11db2b3
- 2a17d030d876ca855d734d7029a641808c4d31ed
- 46beacc7fa359323750de85d2ff343a08d8f830c
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Upgrade your operating system.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique ones.
- Keep devices' firmware and software up to date to ensure that known vulnerabilities are patched.
- Implement firewalls and intrusion detection systems to monitor and control traffic to and from IoT devices.
- Employ tools that can identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling security features provided by the device manufacturer.
- Deploy intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous or malicious network activity.
- Set up alerts for unusual traffic patterns that might indicate a DDoS attack or a compromised device.
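As an added example (not part of this advisory), the following Python script implements the "search for indicators of compromise" step for the file hashes above: it hashes files with MD5, SHA-1 and SHA-256 in a single pass, compares the digests against the advisory's hash indicators, and also classifies a hash reported by an EDR or SIEM by its length. Only the first three indicators of each type are embedded below; paste the remaining entries from the lists above before a real sweep. The sample bytes used in the self-check are constructed and are not expected to match anything.

```python
import hashlib
import io
import os

# Hash indicators copied from this advisory's IoC list. Only the first three of each
# type are embedded here; add the rest from the list above before a real sweep.
IOC_HASHES = {
    "md5": {
        "2403a89ab4ffec6d864ac0a7a225e99a",
        "d9553ca3d837f261f8dfda9950978a0a",
        "c8340927faaf9dccabb84a849f448e92",
    },
    "sha1": {
        "c43f25e402ebe1a45aec524bbb3dc067271e4e63",
        "e0365fadf16cfd48cc5cc27c2dff8f405769995c",
        "359f9915adcd8cf85b8127f8ad16411b5a5d9259",
    },
    "sha256": {
        "ba2e47d1a07c50b968d3ef3bb14b691ca5ea041fc2c56bc19b4ca3b66532c2fb",
        "a9389c37ba90f0e84645beda64b359b5892df5519bc173a609e68749be74cdf2",
        "b16dc2649d290a9e19b75764e87fe39d6022e12e93c207689269b90e2f6b28e0",
    },
}

# Hex digest length identifies the algorithm of a hash reported by an EDR or SIEM.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def match_hash(digest):
    """Return the algorithm name if a reported hash is an indicator, else None.
    Normalises case and surrounding whitespace so copy-pasted values still match."""
    h = digest.strip().lower()
    algo = HEX_LEN_TO_ALGO.get(len(h))
    if algo and h in IOC_HASHES[algo]:
        return algo
    return None


def digest_stream(fileobj, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a binary stream in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Convenience wrapper: all three digests of an in-memory blob."""
    return digest_stream(io.BytesIO(data))


def check_bytes(data):
    """Return (algo, hash) if an in-memory blob matches an indicator, else None."""
    for algo, h in digest_bytes(data).items():
        if h in IOC_HASHES[algo]:
            return (algo, h)
    return None


def sweep_directory(root):
    """Walk a directory tree; return [(path, algo, hash)] for every file matching an IoC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    digests = digest_stream(f)
            except OSError:
                continue  # unreadable file (permissions, vanished): skip it, do not abort the sweep
            for algo, h in digests.items():
                if h in IOC_HASHES[algo]:
                    hits.append((path, algo, h))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, h in sweep_directory(root):
        print(f"MATCH {algo} {h} {path}")
```

Run `python3 ioc_sweep.py /var/www` (or the IoT device's extracted firmware image) to list matching files; use `match_hash()` when an EDR console gives you a hash and you want to know whether it appears in this advisory. Hashing all three algorithms in one read keeps the sweep I/O-bound rather than reading each file three times.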