In a recent report, CloudSEK reveals a significant update in the capabilities of the Androxgh0st botnet, now integrated with the Mozi botnet’s powerful IoT-targeting mechanisms. Initially focused on web server vulnerabilities since early 2024, Androxgh0st has transformed, targeting a broader range of IoT devices by embedding Mozi's propagation methods. This integration enhances Androxgh0st’s ability to exploit a variety of vulnerabilities in web applications, IoT devices, and critical infrastructure worldwide.

101 Series| The Infamous Mozi Botnet

Takeaways

• Integration with Mozi: Androxgh0st botnet now incorporates the IoT-focused Mozi botnet, significantly expanding its attack surface and infection capabilities across connected devices.
• Expanding Vulnerability Exploits: The botnet has broadened its attack methods, targeting vulnerabilities in well-known platforms like Cisco ASA, Atlassian JIRA, Apache, TP-Link, and Metabase.
• Widespread Geographic Impact: Androxgh0st targets devices in multiple countries, with Germany, Turkey, and the U.S. seeing the highest infection rates.
• Adoption of Mozi’s IoT Propagation Methods: With Mozi’s integration, Androxgh0st leverages brute-force attacks, credential stuffing, and other IoT-specific strategies to infiltrate various devices, including routers, cameras, and smart home devices.

The integration of Mozi with Androxgh0st exemplifies the rapid evolution of botnets toward more sophisticated attack models, particularly against IoT devices. The adoption of Mozi’s infection techniques enables Androxgh0st to sidestep the limitations of targeting only web applications, now reaching a more extensive array of devices. 

This shift poses a significant threat as IoT devices often lack robust security features, making them vulnerable to exploitation and easier for botnets to infiltrate. The targeting of critical applications and platforms with specific vulnerabilities, combined with a wide-reaching geographic scope, reflects an organised approach likely led by a coordinated cybercriminal group. These advancements highlight the importance for organisations to patch systems promptly and monitor for emerging threats.

Technical Keys

• Mozi Integration: Allows Androxgh0st to infect IoT devices using Mozi’s payload and propagation techniques.
• Vulnerabilities Exploited: Targets include Cisco ASA (XSS vulnerabilities), Atlassian JIRA (CVE-2021-26086), Apache (CVE-2021-41773), and TP-Link (CVE-2023-1389).
• IoT Device Focus: New targets include routers, security cameras, and GPON Home Routers, exploiting common misconfigurations and remote code execution flaws.
• Countries Targeted: Androxgh0st’s infections are concentrated in Germany, Turkey, the U.S., India, and Hong Kong, among others.
• Operational Methods: Uses brute-force credential stuffing, file inclusion, and command injection to expand its control over infected devices.

The Androxgh0st botnet’s integration with Mozi represents a concerning trend in botnet evolution, merging IoT-targeting capabilities with a wide range of exploit techniques. Organisations must prioritise proactive defence strategies, including timely vulnerability patching, network monitoring, and comprehensive log analysis, to protect against this sophisticated threat. Androxgh0st’s impact on critical infrastructure and IoT devices across diverse global locations underscores the urgent need for robust security measures to mitigate this rapidly expanding botnet.

Source and further reading.

Waqas. (2024, November 7). Androxgh0st Botnet integrates Mozi, expands attacks on IoT vulnerabilities. Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News. https://hackread.com/androxgh0st-botnet-integrate-mozi-iot-vulnerabilities/

The Hacker News. (n.d.). AndroxGH0st malware integrates Mozi Botnet to target IoT and cloud services. https://thehackernews.com/2024/11/androxgh0st-malware-integrates-mozi.html

Mascellino, A. . (2024, November 10). Androxgh0st Botnet adopts Mozi payloads, expands IoT reach. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/androxgh0st-botnet-adopts-mozi/