Who is behind the Mozi Botnet kill switch?

Pierluigi Paganini November 02, 2023

Researchers speculate that the recent shutdown of the Mozi botnet was its authors' response to pressure from Chinese law enforcement.

ESET researchers speculate that the recent shutdown of the Mozi botnet was the result of its operators’ choice, possibly due to pressure from Chinese authorities.

Mozi is an IoT botnet that borrows code from Mirai variants and the Gafgyt malware; it appeared on the threat landscape in late 2019.

In mid-2021, Qihoo 360 researchers reported that the botnet was composed of more than 1.5 million infected systems, most of them in China (830,000).

In July 2021, Netlab experts helped law enforcement to identify and arrest the alleged author of the Mozi bot.

In August 2021, Microsoft researchers reported that the Mozi botnet had been improved with new capabilities to target network gateways manufactured by Netgear, Huawei, and ZTE.

Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT have monitored a new evolution of the threat that extended the list of targets. The bot spreads by brute-forcing devices online or by exploiting known unpatched vulnerabilities in the target devices.

In August 2023, ESET researchers observed an unexpected massive nosedive in the activity of this notorious IoT botnet.


In September, ESET discovered that a kill switch had been distributed to the bots. The experts observed an initial drop in India on August 8; the same drop was observed in China on August 16. The kill switch stripped Mozi bots of most of their functionality while being designed to maintain persistence.

The kill switch implements several functions: killing the parent process, disabling some system services (i.e. sshd and dropbear), replacing the original Mozi file with itself, executing some router/device configuration commands, disabling access to various ports (iptables -j DROP), and establishing the same foothold as the replaced original Mozi file.
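As an added defender-side example, not tooling from ESET or anything in the report, the following Python script checks a device for two of the effects described above: the SSH daemons (sshd, dropbear) no longer running and inbound ports blocked by iptables DROP rules. The input formats (the output of `iptables -S` and `ps -o pid,comm`), the choice of management ports, and both samples are assumptions; the samples are constructed, not real captures.

```python
"""Host-triage helper for the kill-switch effects described in the article.

Added example, not tooling from ESET or the report. Input formats
(`iptables -S` and `ps -o pid,comm`) are assumptions; the samples below
are constructed, not real captures.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: `iptables -S` on a device after a kill-switch-style change
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 2323 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Constructed sample: `ps -o pid,comm` with no SSH daemon left running
SAMPLE_PS = """\
  PID COMMAND
    1 init
  212 telnetd
  301 httpd
  455 crond
"""

# Constructed samples of a healthy device, for comparison
CLEAN_IPTABLES = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
CLEAN_PS = "  PID COMMAND\n    1 init\n  120 dropbear\n  455 crond\n"

# Services the article says the kill switch disables (assumed to normally run)
MANAGEMENT_SERVICES: Set[str] = {"sshd", "dropbear"}
# Remote-management ports whose blocking is most telling (assumption)
MANAGEMENT_PORTS: Set[int] = {22, 23, 2323}

# Matches an appended rule that drops traffic to a specific destination port
DROP_RULE = re.compile(r"^-A\s+(\S+)\s+.*--dport\s+(\d+)\s+.*-j\s+DROP\s*$")


@dataclass
class TriageResult:
    dropped_ports: Dict[str, List[int]] = field(default_factory=dict)  # chain -> ports
    missing_services: List[str] = field(default_factory=list)
    indicators: List[str] = field(default_factory=list)

    @property
    def consistent_with_kill_switch(self) -> bool:
        # Require both effects together to keep the signal specific
        return len(self.indicators) >= 2


def parse_drop_rules(iptables_output: str) -> Dict[str, List[int]]:
    """Return {chain: [ports]} for every '-j DROP' rule that names a --dport."""
    dropped: Dict[str, List[int]] = {}
    for line in iptables_output.splitlines():
        m = DROP_RULE.match(line.strip())
        if m:
            dropped.setdefault(m.group(1), []).append(int(m.group(2)))
    return {chain: sorted(ports) for chain, ports in dropped.items()}


def running_commands(ps_output: str) -> Set[str]:
    """Return the set of command names from `ps -o pid,comm` output."""
    names = set()
    for line in ps_output.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 1)
        if len(parts) == 2:
            names.add(parts[1].strip())
    return names


def triage(iptables_output: str, ps_output: str) -> TriageResult:
    """Combine the firewall and process checks into one result."""
    result = TriageResult()
    result.dropped_ports = parse_drop_rules(iptables_output)
    blocked_mgmt = sorted(
        p for ports in result.dropped_ports.values() for p in ports if p in MANAGEMENT_PORTS
    )
    if blocked_mgmt:
        result.indicators.append(f"inbound DROP on management ports {blocked_mgmt}")
    running = running_commands(ps_output)
    result.missing_services = sorted(MANAGEMENT_SERVICES - running)
    # Both daemons absent at once is what the kill switch produces; a device
    # that allows remote login normally runs at least one of them.
    if result.missing_services == sorted(MANAGEMENT_SERVICES):
        result.indicators.append("no SSH daemon (sshd/dropbear) running")
    return result


if __name__ == "__main__":
    for label, ipt, ps in (("affected", SAMPLE_IPTABLES, SAMPLE_PS), ("clean", CLEAN_IPTABLES, CLEAN_PS)):
        r = triage(ipt, ps)
        print(label, r.consistent_with_kill_switch, r.indicators)
```

Either signal alone is weak on its own (an administrator may block Telnet deliberately, or a device may simply not ship an SSH daemon), which is why the verdict requires both effects together; on a real device you would feed it the live command output instead of the constructed samples.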

“Despite the drastic reduction in functionality, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown,” reads the analysis published by ESET. “Our analysis of the kill switch shows a strong connection between the botnet’s original source code and recently used binaries, and also the use of the correct private keys to sign the control payload.”

ESET believes the takedown was performed either by the Mozi botnet creators or by Chinese law enforcement that compelled the creators to cooperate.

“The demise of one of the most prolific IoT botnets is a fascinating case of cyberforensics, providing us with intriguing technical information on how such botnets in the wild are created, operated, and dismantled,” concludes the report.
