Androxgh0st Continues Exploitation: Operators Compromise a US University For Hosting C2 Logger

The Androxgh0st botnet has evolved with a significant increase in the number and variety of Initial Access Vectors (IAVs), exploiting vulnerabilities in popular platforms, IoT devices, and academic institution servers. It uses webshells, command injection, and cryptomining payloads hosted via compromised domains such as the University of California, San Diego’s “USArhythms” subdomain. #Androxgh0st #Spring4Shell #ApacheShiro #Lantronix

Key Points

  • Androxgh0st botnet has weaponized over 20 vulnerabilities since March 2023, with a ~50% rise in Initial Access Vectors compared to earlier reports.
  • Command-and-control infrastructure has been identified on compromised servers including the “USArhythms” subdomain of the University of California, San Diego.
  • Exploited platforms include Apache Shiro (JNDI Injection), Spring Framework (Spring4Shell), WordPress Popup Maker plugin, Lantronix IoT devices, Apache Struts (OGNL Injection), Fastjson, and FasterXML jackson-databind.
  • Attack techniques include remote code execution, Unix command injection, sensitive information disclosure, and IoT device command injection.
  • Multiple PHP webshell variants (e.g., abuok.php, myabu.php, scwj.php, baocun.php) are deployed to enable persistent access and arbitrary code execution.
  • Evidence of cryptomining using JSON-RPC requests was found on compromised servers, showing additional monetization tactics by attackers.
  • Mitigation recommendations include patching vulnerable systems, network restrictions on RMI/JNDI, auditing for suspicious PHP files, and deployment of WAF or RASP solutions.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Androxgh0st exploits vulnerabilities in Apache Shiro, Spring Framework (Spring4Shell), WordPress Popup Maker plugin, Lantronix IoT devices, Apache Struts, Fastjson, and jackson-databind. (“‘org.apache.shiro.jndi.JndiObjectFactory’…leading to Remote Code Execution”)
  • [T1059] Command and Scripting Interpreter – Use of Unix command injection with commands like “;cat /etc/passwd” to execute shell commands on compromised servers.
  • [T1505] Server Software Component – Deployment of PHP webshells with obfuscated payloads such as eval(hex2bin(…)) and ROT13-based eval to maintain persistent access (“remote code execution via POST request”)
  • [T1068] Exploitation for Privilege Escalation – Webshells and command injections facilitating further exploitation and payload deployment on systems.
  • [T1041] Exfiltration Over C2 Channel – C2 loggers collect data from botnet agents hosted on compromised domains, including university infrastructure.
  • [T1124] System Time Discovery – Use of ping and timeout commands within injected requests to map and maintain control over systems (“pingCount”: “4”)

Indicators of Compromise

  • [Domains] Malicious C2 and beaconing domains used by Androxgh0st, e.g., cv032vemsb87jtt2p11g5h8xztka6kruj.oast.me, ch14vjilcoecm8580ft0g6xsmrkewgwro.oast.live, and chi2p4r4bcdfd791dh50c6dpgu4h9rdhc.oast.fun linked to various exploits.
  • [Subdomains] Specific subdomains associated with exploit attempts, e.g., for Lantronix WLANScanSSID Command Injection, Spring4Shell, Fastjson RCE, and Apache Shiro JNDI Injection.
  • [IP Address] 185.172.128.93 – Associated with Apache Shiro and jackson-databind exploit activity.
  • [File Hashes] MD5 hashes of webshells: abuok.php (9e1fb14b747b5bdaf817845007a47752), myabu.php (d6efe92ca18570f940a720e51af77f72), scwj.php (f65749ddf93e890b48b3bde77b1302aa), baocun.php (5a12416857547341493b436299e9b886).
  • [CVE Identifiers] CVE-2019-17574 (WordPress Popup Maker), CVE-2021-21881 (Lantronix), CVE-2022-22965 (Spring4Shell), CVE-2020-10650, CVE-2020-9548 (jackson-databind).
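As an added example (not code from the CloudSEK report), the following Python helper puts the "auditing for suspicious PHP files" recommendation into practice: it hashes each PHP file against the four webshell MD5s listed in the IoCs above and flags the eval(hex2bin(...)) and ROT13-based eval idioms described under T1505. The regular expressions and the constructed sample files are assumptions made for this example, not signatures published in the report.

```python
import hashlib
import re
from pathlib import Path

# MD5 hashes of the webshell variants named in the report's IoC list.
KNOWN_WEBSHELL_MD5 = {
    "9e1fb14b747b5bdaf817845007a47752": "abuok.php",
    "d6efe92ca18570f940a720e51af77f72": "myabu.php",
    "f65749ddf93e890b48b3bde77b1302aa": "scwj.php",
    "5a12416857547341493b436299e9b886": "baocun.php",
}

# Obfuscation idioms the report attributes to the webshells: eval over hex2bin()
# output and ROT13-decoded eval. These regexes are assumptions for this example.
SUSPICIOUS_PATTERNS = {
    "eval_hex2bin": re.compile(r"eval\s*\(\s*hex2bin\s*\(", re.IGNORECASE),
    "eval_rot13": re.compile(r"eval\s*\(\s*str_rot13\s*\(", re.IGNORECASE),
}


def scan_php_source(name: str, data: bytes) -> dict:
    """Return the hash match and obfuscation-pattern hits for one PHP file's bytes."""
    digest = hashlib.md5(data).hexdigest()
    text = data.decode("utf-8", errors="replace")
    hits = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    return {
        "file": name,
        "md5": digest,
        "known_webshell": KNOWN_WEBSHELL_MD5.get(digest),
        "pattern_hits": hits,
    }


def scan_directory(root: Path) -> list:
    """Scan every *.php under root and return only the files that matched something."""
    findings = []
    for path in root.rglob("*.php"):
        result = scan_php_source(str(path), path.read_bytes())
        if result["known_webshell"] or result["pattern_hits"]:
            findings.append(result)
    return findings


# Constructed, inert samples containing the obfuscation idioms (not real payloads).
SAMPLE_HEX = b'<?php eval(hex2bin("3c3f706870")); ?>'
SAMPLE_ROT13 = b"<?php eval(str_rot13('rpub 1;')); ?>"
SAMPLE_CLEAN = b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for sample in (SAMPLE_HEX, SAMPLE_ROT13, SAMPLE_CLEAN):
        print(scan_php_source("sample.php", sample))
```

Run scan_directory() against a web root to triage files; a hash match is a confirmed known variant, while a pattern hit only warrants manual review.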


Read more: https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger