A recent investigation by CloudSEK has revealed that the Androxgh0st botnet, which has been active since at least March 2023, has significantly expanded its capabilities and attack vectors.
The botnet is now leveraging a wide array of Initial Access Vectors (IAVs) to target misconfigured and vulnerable servers across academic institutions and public domains.
Notably, a subdomain of the University of California, San Diego, specifically the “USArhythms” portal, which relates to the USA Basketball Men’s U19 National Team, was found hosting command-and-control (C2) logger panels for the botnet.

This marks a concerning escalation, as trusted educational domains are now being used as infrastructure for cybercriminal activity.
Androxgh0st’s operators have weaponized over 20 vulnerabilities, according to CloudSEK’s TRIAD team.
These vulnerabilities affect widely used platforms and devices, including Apache Shiro, the Spring Framework, WordPress, and Lantronix IoT devices.
The exploitation techniques range from JNDI injection and remote code execution (RCE) to Unix command injection and the theft of sensitive data.
The botnet’s arsenal now includes at least four distinct webshells, which are used for persistent access and further payload deployment.
Technical Exploitation and Payloads
The botnet’s exploitation techniques are both sophisticated and varied. For example, in Apache Shiro and FasterXML Jackson-databind, attackers exploit JNDI injection vulnerabilities by sending specially crafted requests that point to malicious RMI servers, leading to remote code execution.
Unix command injection is executed by appending commands like ;cat /etc/passwd to legitimate queries, enabling attackers to steal sensitive user information.
The WordPress “Popup Maker” plugin is targeted via CVE-2019-17574, allowing attackers to trigger functions that disclose system information.
Lantronix devices are exploited through command injection in the WLANScanSSID function, while Apache Struts is attacked using complex OGNL payloads designed to manipulate the Java runtime environment.
The Spring Framework is targeted through the critical Spring4Shell vulnerability (CVE-2022-22965), where attackers manipulate class loader properties to load malicious configuration files, resulting in full server compromise.
In addition to these exploits, the botnet deploys a range of webshells for persistent access. These include “abuok.php” (using hex2bin and eval for obfuscation), “myabu.php” (using ROT13 obfuscation), “scwj.php” (a file upload shell), and “baocun.php” (a code dropper that writes POST input to a new script).
Attackers also deploy cryptomining software on compromised systems, as evidenced by JSON-RPC requests to mining pools.
Mitigation and Detection Strategies
The impact of these attacks includes unauthorized access to critical infrastructure, data breaches, cryptomining, and potential legal and reputational damage.
CloudSEK recommends patching all affected systems, restricting outbound RMI, LDAP, and JNDI access, and hardening CMS plugins.
Organizations should also monitor for unexpected PHP files, suspicious POST parameters, and beaconing to domains like .oast.me, .oast.today, and .oast.fun.
CloudSEK has provided YARA rules to detect the botnet’s webshells, focusing on signatures like eval(hex2bin(...)), str_rot13("riny"), and file upload functionality.
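As an added example that is not part of CloudSEK's report or its YARA rules, the following Python scans PHP source for the webshell traits the report names (eval(hex2bin(...)), str_rot13("riny"), upload handling, and a dropper that writes POST input to a file) and checks log lines for the .oast.me/.oast.today/.oast.fun beaconing domains. The regexes, scoring and sample inputs are constructed assumptions for illustration.

```python
import re

# Indicators follow the webshell traits and beaconing domains named in the
# report; the regexes and samples below are constructed for this example.
WEBSHELL_PATTERNS = {
    "eval_hex2bin": re.compile(r"eval\s*\(\s*hex2bin\s*\(", re.I),
    "rot13_riny": re.compile(r"str_rot13\s*\(\s*['\"]riny['\"]\s*\)", re.I),
    "file_upload": re.compile(r"move_uploaded_file\s*\(|\$_FILES\b", re.I),
    "post_dropper": re.compile(r"file_put_contents\s*\([^;]*\$_POST", re.I | re.S),
}
OAST_DOMAIN = re.compile(r"[\w.-]+\.oast\.(?:me|today|fun)\b", re.I)
PHP_REQUEST = re.compile(r"(?:POST|GET) \S+\.php\b")


def scan_php(source: str) -> list[str]:
    """Names of webshell indicators present in one PHP file's source."""
    return [name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(source)]


def triage(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each file name to its indicator hits, omitting clean files."""
    hits = {name: scan_php(src) for name, src in files.items()}
    return {name: found for name, found in hits.items() if found}


def scan_log_line(line: str) -> dict[str, bool]:
    """Flags for one log line: OAST beaconing and requests to PHP files."""
    return {
        "oast_domain": bool(OAST_DOMAIN.search(line)),
        "php_request": bool(PHP_REQUEST.search(line)),
    }


# Constructed samples standing in for quarantined files and two log lines;
# the payload bodies are deliberately elided, only the traits are present.
SAMPLE_PHP = {
    "index.php": "<?php echo 'hello'; ?>",
    "abuok.php": "<?php eval(hex2bin(/* elided */)); ?>",
    "myabu.php": "<?php $f = str_rot13(\"riny\"); ?>",
    "baocun.php": "<?php file_put_contents(/* path */, $_POST[/* key */]); ?>",
}
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:00:00:00 +0000] "GET /index.php HTTP/1.1" 200',
    "dns query: abc123.oast.fun from 10.0.0.5",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PHP))
    for entry in SAMPLE_LOGS:
        print(scan_log_line(entry))
```

Run it over a real document root and web-server or DNS logs by replacing the constructed samples; any hit is a starting point for the manual review the report recommends, not a verdict.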
Regular audits of server logs and file systems are crucial for identifying and mitigating these threats. The Androxgh0st botnet’s rapid evolution underscores the need for vigilance and proactive security measures in the face of increasingly sophisticated cyber threats.