Mozi IoT Botnet

Original Issue Date:-November 12, 2020
Virus Type:-IoT Botnet
Severity:-Medium

It has been reported that a new malware named Mozi is affecting IoT devices globally. Affected IoT devices are being assembled into an IoT botnet which could be employed by the botnet owner for launching distributed denial-of-service (DDoS) attacks, data exfiltration and payload execution.

According to the reports, Mozi malware is comprised of source code from Gafgyt, Mirai and IoT Reaper, malware families which target IoT devices. Mozi can compromise embedded Linux devices with an exposed Telnet service. It mainly targets home routers and DVRs which are either unpatched, loosely configured or have weak/default Telnet credentials. The infected devices form a peer-to-peer (P2P) botnet and use a distributed hash table (DHT) to communicate with other infected hosts.

The overall network structure is shown in the following figure:

Figure 1: Mozi Network Structure (Source: 360 NetLab)

The infection process comprises the following steps:

  • The current Bot node randomly chooses a local port on which it starts an HTTP service to serve sample downloads, or it receives the sample download address in the Config file issued by the Botnet owner/Master.
  • The current Bot node logs in to the target device (which has a weak password) and writes the downloader file using echo, then executes it; the downloader fetches the sample file from the download address provided by the current Bot node. Alternatively, the target is infected by exploiting a vulnerability, after which the sample file is obtained from the same download address.
  • The Mozi Bot sample (file name Mozi.m or Mozi.a) runs on the infected target device, joins the Mozi P2P network to become a new Mozi Bot node, and continues to infect other devices.

The vulnerabilities exploited by the Mozi botnet are listed below:

VULNERABILITY                                            AFFECTED DEVICES
Eir D1000 Wireless Router RCE                            Eir D1000 Router
Vacron NVR RCE                                           Vacron NVR devices
CVE-2014-8361                                            Devices using the Realtek SDK
Netgear cgi-bin Command Injection                        Netgear R7000 and R6400
Netgear setup.cgi unauthenticated RCE                    DGN1000 Netgear routers
JAWS Webserver unauthenticated shell command execution   MVPower DVR
CVE-2017-17215                                           Huawei Router HG532
HNAP SoapAction-Header Command Execution                 D-Link Devices
CVE-2018-10561, CVE-2018-10562                           GPON Routers
UPnP SOAP TelnetD Command Execution                      D-Link Devices
CCTV/DVR Remote Code Execution                           CCTV DVR

IOC (Sample MD5):

  • eda730498b3d0a97066807a2d98909f3
  • 849b165f28ae8b1cebe0c7430f44aff3

IOC (File Hash):

FILE NAME                                                          FILE HASH
mozi.m                                                             4dde761681684d7edad4e5e1ffdb940b
5738f1bc69e78d234dd04e2fbfcfb4b86403fc9117b133cf1bb7cda67e7aef0a   86d42d968d3d12c36722e16c78e49ffb
mozi.a                                                             9a111588a7db15b796421bd13a949cd4
83441d77abb6cf328e77e372dc17c607fb9c4a261722ae80d83708ae3865053d   dd4b6f3216709e193ed9f06c37bcc3890
Countermeasures and Best practices for prevention:

Users and administrators are advised to take the following preventive measures to protect their devices:

  • Users are advised to update their devices with patches as and when released by the respective OEM of the device.
  • If a device is found infected, it is recommended to reset the device firmware or restore it from a trusted backup.
  • Monitor or block UDP traffic from the device to BitTorrent DHT bootstrap nodes.
  • Block outgoing TCP traffic with destination ports 22, 23, 2323, 80, 81, 5555, 7574, 8080, 8443, 37215, 49152 and 52869, if not in use.
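As an added illustration of the last two countermeasures (this script is not part of the advisory), the following Python code scans flow-log lines for LAN devices that contact public BitTorrent DHT bootstrap nodes over UDP or fan out over TCP to the ports listed above. The log format, the sample flows and the bootstrap host names are assumptions, not values taken from the advisory.

```python
import ipaddress
import re
from collections import defaultdict

# Outbound TCP ports the advisory recommends blocking when not in use.
ADVISORY_TCP_PORTS = {22, 23, 2323, 80, 81, 5555, 7574, 8080, 8443, 37215, 49152, 52869}
# Public BitTorrent DHT bootstrap nodes: an assumed list, the advisory names none.
DHT_BOOTSTRAP = {"router.bittorrent.com", "dht.transmissionbt.com", "router.utorrent.com"}
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed flow-log line format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+([\d.]+):(\d+)\s+->\s+(\S+):(\d+)$")

def is_lan(addr):  # True only for RFC 1918 addresses; hostnames and others are external
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETS)

def analyse_flows(lines):
    """Per LAN source: DHT bootstrap hits, advisory ports contacted, and a verdict."""
    hosts = defaultdict(lambda: {"dht": 0, "ports": set()})
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        proto, src, dst = m.group(2, 3, 5)
        dport = int(m.group(6))
        if not is_lan(src) or is_lan(dst):
            continue  # only traffic leaving the LAN matters here
        if proto == "udp" and dst in DHT_BOOTSTRAP and dport == 6881:
            hosts[src]["dht"] += 1
        elif proto == "tcp" and dport in ADVISORY_TCP_PORTS:
            hosts[src]["ports"].add(dport)
    report = {}
    for src, h in hosts.items():
        if h["dht"] and len(h["ports"]) >= 2:
            verdict = "likely Mozi node: DHT bootstrap plus fan-out on advisory ports"
        elif h["dht"] or len(h["ports"]) >= 3:
            verdict = "investigate"
        else:
            verdict = "low"  # e.g. a single port-80 connection from ordinary browsing
        report[src] = {"dht": h["dht"], "ports": sorted(h["ports"]), "verdict": verdict}
    return report

# Constructed sample: .20 behaves like a Mozi node, .30 is browsing, .40 stays inside the LAN.
SAMPLE_LOG = """2020-11-12T10:00:01Z udp 192.168.1.20:40123 -> router.bittorrent.com:6881
2020-11-12T10:00:05Z tcp 192.168.1.20:51000 -> 198.51.100.7:23
2020-11-12T10:00:06Z tcp 192.168.1.20:51001 -> 198.51.100.8:37215
2020-11-12T10:00:09Z tcp 192.168.1.30:52000 -> 203.0.113.11:80
2020-11-12T10:00:11Z tcp 192.168.1.40:53000 -> 192.168.1.1:80"""
```

Ports 80 and 8080 appear in normal browsing, so the verdict only escalates when a device also reaches a DHT bootstrap node or touches several of the listed ports; the thresholds are starting points to tune per network.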

References: