Pierluigi Paganini
November 02, 2023
ESET researchers speculate that the recent shutdown of the Mozi botnet was the result of its operators’ choice, possibly due to pressure from Chinese authorities.
Mozi is an IoT botnet that borrows the code from Mirai variants and the Gafgyt malware, it appeared on the threat landscape in late 2019.
In mid-2021, Qihoo 360 researchers reported that the botnet was composed of more 1.5 million infected systems, most of them in China (830,000).
In July 2021, Netlab experts helped law enforcement to identify and arrest the alleged author of the Mozi bot.
The mozi author has been arrested few weeks ago by LE with information provided by our team. One botnet down more to go. https://t.co/SpM7oSyVxB
— 360 Netlab (@360Netlab) July 28, 2021
Earlier in August 2021, Microsoft researchers reported that the Mozi botnet was improved by implementing new capabilities to target network gateways manufactured by Netgear, Huawei, and ZTE.
Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT have monitored a new evolution of the threat that extended the list of targets. The bot spreads by brute-forcing devices online or by exploiting known unpatched vulnerabilities in the target devices.
In August 2023, ESET researchers observed an unexpected massive nosedive in the activity of this notorious IoT botnet.
In September ESET discovered that a kill switch was distributed to the bots. The experts observed an initial drop in India on August 8 and on August 16, the same drop was observed in China. A kill switch was used to strip Mozi bots of most functionality and was designed to maintain persistence.
First, the drop manifested in India on August 8. A week later, on August 16, the same thing happened in China. While the mysterious control payload – aka kill switch – stripped Mozi bots of most functionality, they maintained persistence. 2/4 pic.twitter.com/h127Nqjb5B
— ESET Research (@ESETresearch) November 1, 2023
To read our brief analysis of the kill switch control payloads, go to https://t.co/yLPV5j8HRA. As always, IoCs are available on our GitHub: https://t.co/LXJhcWGoNH. 4/4
— ESET Research (@ESETresearch) November 1, 2023
The kill switch implements several functionalities, including killing the parent process, disabling some system services (i.e. sshd and dropbear), replacing the original Mozi file with itself, executing some router/device configuration commands, disabling access to various ports (iptables -j DROP), and establishing the same foothold as the replaced original Mozi file.
“Despite the drastic reduction in functionality, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown.” reads the analysis published by ESET. “Our analysis of the kill switch shows a strong connection between the botnet’s original source code and recently used binaries, and also the use of the correct private keys to sign the control payload”
ESET believes the takedown was performed by the Mozi botnet creators or by Chinese law enforcement that forced the cooperation of the creators.
“The demise of one of the most prolific IoT botnets is a fascinating case of cyberforensics, providing us with intriguing technical information on how such botnets in the wild are created, operated, and dismantled.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Mozi botnet)
