A surge in attacks from operators of the Androxgh0st malware family has been discovered by Veriti Research, with over 600 servers compromised primarily in the U.S., India, and Taiwan.

According to a blog post by Veriti, the adversary behind Androxgh0st had left their command-and-control (C2) server exposed, which revealed the impacted targets and potentially allowed for a counterstrike. The researchers took action to alert the victims.

Further investigation revealed that Androxgh0st operators are exploiting multiple CVEs, including CVE-2021-3129 and CVE-2024-1709, to deploy a web shell on vulnerable servers, granting remote control capabilities. Evidence also suggests active web shells associated with CVE-2019-2725.

Hackread.com has been monitoring Androxgh0st operations since it was first noticed in December 2022. The malware operator is known for deploying Adhublika ransomware and communicating with an IP address associated with the Adhublika group.

Androxgh0st operators target Laravel applications to steal credentials for cloud-based services such as AWS, SendGrid, and Twilio. They exploit vulnerabilities in Apache web servers and PHP frameworks, deploying web shells for persistence. Their recent focus appears to be on building botnets to compromise more systems.

Veriti’s research highlights the importance of proactive exposure management and threat intelligence in cybersecurity. It emphasizes the need for organizations to regularly update their security measures, including patch management for known vulnerabilities, strong web shell deployment monitoring, and behavioral analysis tools to prevent breaches and protect against similar vulnerabilities.
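The web shell monitoring the article recommends can be approached as a simple triage pass over the PHP files of a Laravel deployment. The script below is an added example written for this page, not code from Veriti or Hackread; it scores each file on two signals: PHP source sitting in a directory that is writable at runtime or in the web root (in Laravel, `storage/`, `bootstrap/cache/`, and everything under `public/` except `public/index.php`), and source constructs that legitimate application code rarely uses but web shells depend on (string evaluation, OS command execution, decoded payloads, request parameters flowing into any of these). The file names, contents, and the threshold value are constructed for the example.

```python
"""Heuristic web shell triage for a Laravel deployment (added example)."""
import re
from dataclasses import dataclass, field

# Constructs that ordinary Laravel application code almost never uses but
# web shells rely on. Each hit adds to the file's score; a request
# parameter flowing straight into code or command execution weighs most.
SUSPICIOUS_PATTERNS = {
    "dynamic_eval": re.compile(r"\beval\s*\(", re.I),
    "os_command": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I),
    "encoded_payload": re.compile(
        r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "request_to_code": re.compile(
        r"(eval|assert|system|shell_exec|passthru|exec)\s*\([^;]*"
        r"\$_(GET|POST|REQUEST|COOKIE)", re.I),
    # A variable used as a function name, called on request input.
    "obfuscated_call": re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
}
PATTERN_WEIGHT = {"request_to_code": 4}  # everything else weighs 2

# Locations where PHP source has no business appearing in a Laravel app:
# storage/ and bootstrap/cache/ are writable at runtime, and the web root
# public/ should hold only index.php plus static assets.
WRITABLE_OR_WEBROOT = ("storage/", "bootstrap/cache/", "public/")
ALLOWED_IN_WEBROOT = {"public/index.php"}
LOCATION_WEIGHT = 3


@dataclass
class Finding:
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)


def score_php_file(path: str, content: str) -> Finding:
    """Score one PHP file; higher means more web-shell-like."""
    finding = Finding(path=path)
    norm = path.replace("\\", "/").lstrip("./")
    if norm.startswith(WRITABLE_OR_WEBROOT) and norm not in ALLOWED_IN_WEBROOT:
        finding.score += LOCATION_WEIGHT
        finding.reasons.append("php source in writable directory or web root")
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(content):
            finding.score += PATTERN_WEIGHT.get(name, 2)
            finding.reasons.append(name)
    return finding


def scan(files: dict, threshold: int = 4) -> list:
    """Return findings at or above threshold, highest score first."""
    findings = [score_php_file(p, c) for p, c in files.items()
                if p.lower().endswith(".php")]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: -f.score)


# Constructed sample tree: two benign files, one legitimate file that uses a
# shell command (stays under the threshold), and two planted shells.
SAMPLE_FILES = {
    "public/index.php":
        "<?php require __DIR__.'/../vendor/autoload.php';",
    "app/Http/Controllers/UserController.php":
        "<?php class UserController { public function store($request) "
        "{ return $request->input('name'); } }",
    "app/Console/Commands/Backup.php":
        "<?php exec('tar czf backup.tgz storage/app', $out);",
    "storage/framework/views/cache.php":
        "<?php if(isset($_REQUEST['k'])){ @eval(base64_decode($_REQUEST['k'])); }",
    "public/uploads/avatar.php":
        "<?php system($_GET['c']);",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.score:2d}  {f.path}  ({', '.join(f.reasons)})")
```

Run against the sample tree, only the two planted files clear the threshold; the backup command with a hard-coded string scores 2 and is not reported. In a real deployment the same scoring would be run from a file-integrity or cron job over the application root, with a baseline of known-good hashes to suppress repeat alerts.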

Recently, the FBI and CISA issued a joint Cybersecurity Advisory warning that Androxgh0st was constructing a botnet to carry out credential theft and establish backdoor access. Last year, Cado Security Ltd. revealed details of a Python-based credential harvester and a hacking tool called Legion, linked to the Androxgh0st malware family and designed to abuse email services.

In related news, Russian hackers have targeted Ubiquiti routers for botnet creation, and various other botnets, such as GoTitan, NoaBot, Qakbot, and OracleIV DDoS, have been disrupting systems globally.

About the Author: Fabio, Full Stack Developer

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
