AndroxGh0st Malware Evolves to Target IoT and Critical Infrastructure

Threat Group: Unknown
Threat Type: Malware/Botnet
Exploited Vulnerabilities: CVE-2017-9841, CVE-2018-15133, CVE-2021-41773
Malware Used: AndroxGh0st
Threat Score: High (8.5/10) — Due to its focus on critical infrastructure, advanced exploitation techniques, and integration with other botnets.
Last Threat Observation: November 8

Overview

AndroxGh0st is a Python-based malware that has evolved to target multiple internet-facing applications and devices, exploiting vulnerabilities like CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773. Its recent integration with the Mozi botnet has broadened its reach, targeting IoT devices and critical infrastructure and demonstrating the escalating sophistication and adaptability of modern cyber threats.

Key Details

  • Delivery Method: Exploitation of known vulnerabilities in web applications and IoT devices.
  • Target: Web servers, IoT devices, and cloud services.
  • Functions:
    • Credential theft from .env files.
    • Deployment of web shells for persistent access.
    • Abuse of Simple Mail Transfer Protocol (SMTP) services.
    • Creation of new AWS instances for further exploitation.
    • Integration with Mozi botnet for IoT device targeting.
  • Obfuscation: Utilizes Python scripting and integrates with botnet infrastructures to evade detection.

CVE Details

  1. CVE-2017-9841: This vulnerability exists within PHPUnit, a popular PHP testing framework. It allows remote attackers to execute arbitrary PHP code by sending malicious HTTP POST requests to vulnerable servers. Attackers exploit this flaw to execute arbitrary commands, especially on servers running outdated versions of PHP libraries, enabling them to upload or execute malware on the target system.
  2. CVE-2018-15133: Found in the Laravel web application framework, this vulnerability stems from insecure deserialization, which enables attackers to execute remote code. When exploited, this vulnerability allows attackers to remotely execute commands on systems running Laravel-based applications, often gaining unauthorized access to critical backend operations and sensitive data.
  3. CVE-2021-41773: This vulnerability affects the Apache HTTP Server, primarily impacting versions with certain non-standard configurations. It allows attackers to perform path traversal attacks, exposing server directories and executing remote code. Unpatched systems are at risk of allowing unauthorized users to access sensitive directories, posing a significant threat to server security.

Known Indicators of Compromise (IoCs)

File Hashes (SHA256):


IP Addresses (defanged):


URLs (defanged):


Mitigation and Prevention

  • User Awareness: Educate users about phishing risks, and avoid exposing sensitive configuration files such as .env.
  • Email Filtering: Implement robust filtering to detect and block malicious attachments and links.
  • Antivirus Protection: Deploy and regularly update antivirus solutions capable of detecting Python-based malware.
  • Two-Factor Authentication (2FA): Enforce 2FA for accessing critical services to add an extra layer of security.
  • Monitor Logs: Regularly review server and application logs for unusual activities, such as unexpected POST requests to sensitive URIs.
  • Regular Updates: Ensure all systems, applications, and devices are updated with the latest security patches to mitigate known vulnerabilities like CVE-2017-9841.
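
The log review recommended above can be automated. The following is an added example, not code from the original advisory: a small scanner for Apache/Nginx combined-format access logs that flags POSTs to PHPUnit's eval-stdin.php (CVE-2017-9841), requests for .env files, and percent-encoded dot segments of the kind used against CVE-2021-41773. The rule names, the URI patterns and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format prefix: ip ident user [time] "METHOD path PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def classify(method, raw_path):
    """Return the names of the (hypothetical) rules one request matches."""
    path = raw_path.split("?", 1)[0]
    lower = path.lower()
    hits = []
    # CVE-2017-9841: PHPUnit's eval-stdin.php exposed under the web root, driven by POST.
    if method == "POST" and lower.endswith("/eval-stdin.php"):
        hits.append("phpunit-eval-stdin")
    # Credential theft: any request for a dotenv file (.env, .env.bak, ...).
    if re.search(r"/\.env(\.[\w-]+)?$", lower):
        hits.append("dotenv-probe")
    # CVE-2021-41773: dot segments hidden by percent-encoding; decode twice
    # so double-encoded variants are caught as well.
    if "%2e" in lower or "%252e" in lower:
        decoded = unquote(unquote(path))
        if "/../" in decoded or decoded.endswith("/.."):
            hits.append("encoded-traversal")
    return hits

def scan(lines):
    """Return one finding per matched rule; 'served' marks a 2xx response."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        for rule in classify(method, path):
            findings.append({"line": n, "ip": ip, "rule": rule,
                             "served": status.startswith("2")})
    return findings

# Constructed sample input (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '198.51.100.23 - - [01/Jan/2025:10:01:05 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196',
    '198.51.100.23 - - [01/Jan/2025:10:01:06 +0000] "GET /.env HTTP/1.1" 200 842',
    '192.0.2.44 - - [01/Jan/2025:10:02:11 +0000] "GET /cgi-bin/.%2e/%2e%2e/README HTTP/1.1" 403 199',
    '203.0.113.7 - - [01/Jan/2025:10:03:00 +0000] "POST /contact HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

A finding with `served` set to true (for example a 200 on `/.env`) means the server actually returned content and should be triaged first; any credentials in that file should be treated as exposed and rotated.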

Conclusion

AndroxGh0st represents a significant threat due to its ability to exploit multiple vulnerabilities and its integration with other botnets like Mozi. Organizations should prioritize patch management, monitor for IoCs, and implement comprehensive security measures to defend against this evolving malware.
