Androxgh0st botnet integrates Mozi payloads to target IoT devices

IoT vulnerabilities inherited from Mozi

One interesting addition to its arsenal is a range of exploits for vulnerabilities in several home and gigabit passive optical network (GPON) routers distributed by ISPs. These include an unauthenticated command injection (CVE-2023-1389) in TP-Link Archer AX21, a remote code execution flaw in OptiLink ONT1GEW GPON, and an unauthenticated command execution issue in Netgear DGN devices, and two vulnerabilities in Dasan GPON home routers, an authentication bypass and a command injection.

Some of these exploits and payloads seem to have been inherited from Mozi, a botnet of Chinese origin, whose creators were supposedly arrested by Chinese authorities in 2021. Following the law enforcement action, an update was distributed to the Mozi botnet clients that disrupted their ability to connect to the internet, therefore crippling the botnet and leaving only a small fraction of nodes active.

“It’s possible that Androxgh0st has fully integrated Mozi’s payload as a module within its own botnet architecture,” the CloudSEK researchers said. “In this case, Androxgh0st is not just collaborating with Mozi but embedding Mozi’s specific functionalities (e.g., IoT infection & propagation mechanisms) into its standard set of operations.”

Leave a Comment