Botnets never really go away. They just find new ways to creep back in. A prime example is Mozi, an Internet of Things (IoT) botnet that first appeared in 2019 with origins allegedly tied to China.
It was thought to have been wiped out in August 2023 by Chinese law enforcement, but recent revelations suggest otherwise. Many industry reports point to a connection between the Mozi botnet and a new variant: Androxgh0st.
Apart from its connection with Mozi, Check Point recently pointed out the severity of this threat, ranking Androxgh0st as the most prevalent malware variant in November 2024.
This surpasses other notorious malware families like FakeUpdates and AgentTesla and highlights the urgent need to understand the nature and impact of this threat.
Techopedia explores the origins of Androxgh0st, who is at risk, and how to stay safe.
Key Takeaways
- Androxgh0st botnet evolved from the Mozi malware, targeting IoT and web servers.
- It exploits old vulnerabilities and credentials to infiltrate networks globally.
- Key targets include routers, PHP frameworks, and corporate devices.
- Over 600 servers worldwide have been affected, raising global cybersecurity alarms.
- Experts recommend multiple security levels to prevent botnet threats.
What is Androxgh0st Botnet?
Androxgh0st is a hybrid malware built on the remnants of the Mozi botnet. It lives off its predecessor’s capabilities while introducing advanced features to exploit vulnerabilities in IoT devices, web servers, and critical infrastructure systems.
According to Broadcom, the botnet is Python-scripted and targets exposed .env files that contain sensitive credentials for applications such as AWS, Microsoft Office 365, and Twilio.
The FBI and CISA brought the botnet to public attention in January 2024 with a cybersecurity advisory. The advisory revealed that the botnet, focused on stealing cloud credentials, primarily relied on exploiting three older, already patched vulnerabilities to gain an initial foothold on targeted systems.
How Androxgh0st Operates
The Androxgh0st botnet has been active since January 2024 and has exploited over 20 vulnerabilities in web servers and IoT devices, per a report from the CloudSEK research team.
CloudSEK further explains that the botnet often targets unpatched systems and uses flaws in PHP frameworks, Laravel’s application keys, and Apache to gain unauthorized access. Once inside, the attackers deploy Mozi-like botnet payloads to expand their reach using shared infrastructure.
Their primary targets are IoT devices like Netgear and TP-Link routers, which often lack sound security configurations.
Oren Koren, Co-Founder and CPO at Veriti, an exposure assessment and remediation platform, told Techopedia that he is not surprised that IoT devices are a key target for botnets like Androxgh0st.
“IoT devices are prime targets for botnets like Androxgh0st because they often have limited security capabilities, are rarely patched, and frequently operate with exposed interfaces.”
The botnet, according to CloudSEK researchers, also exploits enterprise-grade vulnerabilities, such as those in Atlassian JIRA, Sophos Firewall version v18.5 MR3, and older Cisco ASA devices, enabling it to compromise larger networks.
The researchers cited a vulnerability in Cisco ASA that allowed the attackers to hijack administrative sessions and execute commands that provided deeper access to sensitive corporate data.
In addition to these techniques, CloudSEK’s findings reveal that Androxgh0st operators also employ phishing techniques and brute-force attacks, especially against WordPress admin panels, to broaden their reach. This makes small businesses, large enterprises, and even individual users potential targets.
The researchers warn that Androxgh0st operators have been observed selling access to compromised systems on dark web forums.
Number of Organizations Attacked
While no specific cyber incident has been attributed to Androxgh0st, recent Veriti research found that over 600 servers were hit globally, with servers in the U.S., India, and Taiwan primarily affected.
The researchers also warned that the group had an extensive reach to various vulnerabilities across numerous organizations, although no organization was mentioned.
Breaking down the exploited vulnerabilities per number of organizations affected, Veriti researchers revealed that the Craft CMS Remote Code Execution (CVE-2023-41892) vulnerability alone has impacted 620 organizations.
Similarly, the PHP Command Injection and Ivanti Endpoint Manager Mobile Authentication Bypass vulnerabilities have affected 69 and 60 organizations, respectively.
This pattern mirrors other recent botnet activities. In September 2024, the Gorilla Botnet issued over 300,000 Distributed Denial of Service (DDoS) attack commands, crippling critical infrastructure across 113 countries and affecting over 40 organizations.
The botnet exploited a wide range of compromised devices, including routers and IoT gadgets, to amplify its attacks, causing disruptions to government systems, healthcare services, and financial institutions.
China was the worst hit as it experienced 20% of the total impact, followed by the U.S. at 19%, Canada at 16%, and Germany at 6%.
Additionally, a U.S.-led operation in June 2024 disrupted a botnet that had infected more than 19 million IP addresses and had been used to move billions of dollars in pandemic and unemployment fraud. A 35-year-old Chinese national, YunHe Wang, was arrested on May 24 by the FBI on criminal charges for his involvement in malware deployment.
How to Stay Safe: Expert Suggestions
The Androxgh0st botnet highlights the evolving threat of malware attacks and the vulnerabilities of critical infrastructure systems, IoT devices, and web servers.
Staying safe from this type of cyber threat can be achieved through basic cyber hygiene, Alex Lanstein, CTO & Head of Threat Intel at StrikeReady, shared with Techopedia.
He advised:
“Avoid exposing your management interface to the internet, turn on automatic patching, and make sure default passwords are disabled.”
Lanstein equally highlighted that the second component of Androxgh0st, which is using compromised devices to attack other services, is primarily an enterprise problem. On this, he called on businesses to “use best practices to restrict access to public-facing assets such as with a WAF or an API gateway.”
In addition to this, Koren of Veriti warns that only through a multi-layered security approach can botnets like Androxgh0st be tamed. Key steps include thorough asset discovery and management to identify exposed IoT devices and web servers.
“Organizations need to prioritize identifying exposed assets and managing them proactively to reduce their attack surface,” Koren advised.
Regular patching and updates are critical, but when patching isn’t feasible, applying compensating controls like network segmentation can help.
Intrusion Prevention Systems (IPS) are also effective, as they can detect Androxgh0st activity by identifying its unique attack signature, though misconfigurations often hinder their effectiveness.
Koren also recommends traffic monitoring to spot unusual patterns, network segmentation to limit damage, and strong access controls like multi-factor authentication to secure internet-facing devices. For immediate action, he suggests reviewing IPS logs for Androxgh0st indicators and enabling protections.
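One concrete way to act on that log-review advice, added here as example code (not from Techopedia, Veriti, or any of the cited vendors): the script below scans web-server access logs for requests to the .env files the botnet hunts for, as described in the Broadcom section above, and flags any client that was actually served one, since every credential in that file must then be treated as stolen and rotated. The log lines are constructed samples, and the set of .env-variant filenames it checks is an assumption.

```python
import re
from collections import defaultdict

# Combined log format: client, timestamp, request line, status. Anything after
# the status code (size, referrer, user agent) is ignored by this parser.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines using RFC 5737 documentation addresses, not real telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Dec/2024:10:00:02 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Dec/2024:10:00:03 +0000] "POST / HTTP/1.1" 200 42 "-" "python-requests/2.31"
198.51.100.7 - - [12/Dec/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2024:10:00:06 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.33 - - [12/Dec/2024:10:00:09 +0000] "GET /laravel/.env.bak?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"
"""

def is_secret_file(path):
    """True when the requested file is .env or a variant such as .env.bak (query string ignored)."""
    base = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
    return base == ".env" or base.startswith(".env.")

def find_env_probes(log_text):
    """Group .env requests by client. 'exposed' means the server answered 2xx, so the
    file was actually served and every credential in it has to be treated as stolen."""
    report = defaultdict(lambda: {"probes": 0, "exposed": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_secret_file(m["path"]):
            continue
        entry = report[m["ip"]]
        entry["probes"] += 1
        if 200 <= int(m["status"]) < 300:
            entry["exposed"] = True
    return dict(report)

def triage(report):
    """Order findings so served files (a credential leak) come before blocked probes."""
    return sorted(report.items(), key=lambda kv: (not kv[1]["exposed"], kv[0]))

if __name__ == "__main__":
    for ip, info in triage(find_env_probes(SAMPLE_LOG)):
        verdict = "LEAKED: rotate every secret in the file" if info["exposed"] else "blocked probe"
        print(f"{ip:15} probes={info['probes']} {verdict}")
```

A 403 or 404 on these paths confirms the web server is refusing to serve the file; a 200 is the case that needs an incident response, not just a block rule.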
The Bottom Line
Dealing with botnets is usually difficult due to how widely distributed the affected devices are.
As the other recent botnet attacks described above show, threat actors are using increasingly sophisticated tactics, specifically targeting IoT devices, cloud infrastructure, and internet-facing systems with known vulnerabilities.
While botnets like Androxgh0st continue to exploit vulnerabilities in IoT devices and web servers, they also remind us not to sleep on good cybersecurity practices.
FAQs
Who is at risk from Androxgh0st?
How does Androxgh0st spread?
How can I protect against Androxgh0st?
References
- November 2024’s Most Wanted Malware: Androxgh0st Leads the Pack, Targeting IoT Devices and Critical Infrastructure (Check Point Blog)
- Known Indicators of Compromise Associated with Androxgh0st Malware (CISA)
- Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave (CloudSEK)
- VERITI: Remediate Risk Safely Across The Enterprise (Veriti)
- Vulnerable Villain: When Hackers Get Hacked (Veriti)
- Over 300,000! GorillaBot: The New King of DDoS Attacks (NSFOCUS)
- US-led operation takes down global botnet, and other cybersecurity news to know this month (World Economic Forum)
- First Unified AI-Based Security Command Center (StrikeReady)