Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave
Nov. 12, 2024, 9:28 a.m.
Tags
External References
Description
The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, extending its targeting from web servers to IoT devices. It exploits vulnerabilities in various platforms, including Cisco ASA, Atlassian JIRA, and PHP frameworks, using remote code execution and credential theft techniques. The botnet targets unpatched systems, employing tactics such as command injection and brute-force attacks to maintain persistent access. With over 500 infected devices globally, Androxgh0st poses a significant threat to critical infrastructure. The integration of Mozi's capabilities suggests a possible merger of the two botnets, potentially under the same cybercriminal group, which would enhance their combined effectiveness and reach.
Date
Published: Nov. 12, 2024, 8:47 a.m.
Created: Nov. 12, 2024, 8:47 a.m.
Modified: Nov. 12, 2024, 9:28 a.m.
Indicators
Attack Patterns
Mozi
Androxgh0st
T1588
T1587
T1608
T1110
T1583
T1590
T1021
T1016
T1082
T1105
T1496
T1595
T1046
T1040
T1498
T1562
T1190
T1133
T1078
T1059
CVE-2022-1040
CVE-2021-41277
CVE-2018-10562
CVE-2014-2120
CVE-2021-26086
CVE-2024-36401
CVE-2024-4577
CVE-2022-21587
CVE-2021-41773
CVE-2018-15133
CVE-2018-10561
CVE-2023-1389
CVE-2017-9841
Additional Information
British Indian Ocean Territory
Albania
India
China