Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
- Androxgh0st’s integration with Mozi amplifies global risks
- IoT vulnerabilities are the new battleground for cyberattacks
- Proactive monitoring is essential to combat emerging botnet threats
Researchers have recently identified a major evolution in the Androxgh0st botnet, which has become more dangerous by integrating the capabilities of the Mozi botnet.
What started as a web server attack in early 2024 has now expanded, allowing Androxgh0st to exploit vulnerabilities in IoT devices, The CloudSEK Threat Research team he said.
Their latest report states that the botnet is now equipped with advanced Mozi techniques to infect and spread across a wide range of networked devices.
The rebirth of Mozi: A unified botnet infrastructure
Mozi, previously known to infect IoT devices as Netgear and D-Link routers, it was believed to be inactive after a killswitch activation in 2023.
However, CloudSEK revealed that Androxgh0st has integrated Mozi’s propagation capabilities, significantly amplifying its potential to target IoT devices.
By deploying Mozi payloads, Androxgh0st now has a unified botnet infrastructure that leverages specialized tactics to infiltrate IoT networks. This fusion allows the botnet to spread more efficiently through vulnerable devices, including routers and other related technologies, making it a more formidable force.
Beyond its integration with Mozi, Androxgh0st has expanded its range of targeted vulnerabilities by exploiting weaknesses in critical systems. CloudSEK’s analysis shows that Androxgh0st is now actively attacking major technologies, including Cisco ASA, Atlassian JIRA, and several PHP frameworks.
In Cisco ASA systems, the botnet exploits cross-site scripting (XSS) vulnerabilities, injecting malicious scripts through unspecified parameters. It also targets Atlassian JIRA with a path traversal vulnerability (CVE-2021-26086), which allows attackers to gain unauthorized access to sensitive files. In PHP frameworks, Androxgh0st exploits older vulnerabilities such as those in Laravel (CVE-2018-15133) and PHPUnit (CVE-2017-9841), facilitating backdoor access to compromised systems.
Androxgh0st’s threat landscape is not limited to older vulnerabilities. It is also capable of exploiting recently discovered vulnerabilities, such as CVE-2023-1389 in the TP-Link Archer AX21 firmware, which allows the execution of unauthenticated commands, and CVE-2024-36401 in GeoServer, a vulnerability that can lead to remote code execution. .
The botnet now also uses brute force credential stuffing, command injection and file inclusion techniques to compromise systems. Leveraging Mozi’s IoT-focused tactics, it significantly expanded its geographic impact, spreading its infections across regions in Asia, Europe, and beyond.
CloudSEK recommends that organizations strengthen their security posture to mitigate potential attacks. While immediate patching is essential, proactive monitoring of network traffic is also important. By tracing suspicious outbound connections and detecting anomalous login attempts, particularly from IoT devices, organizations can uncover early signs of an Androxgh0st-Mozi collaboration.
