Wednesday, November 8, 2023
HomeCyber SecurityWho killed Mozi? Lastly placing the IoT zombie botnet in its grave

Who killed Mozi? Lastly placing the IoT zombie botnet in its grave


ESET Analysis

How ESET Analysis discovered a kill swap that had been used to take down probably the most prolific botnets on the market

In August 2023, the infamous Mozi botnet, notorious for exploiting vulnerabilities in tons of of 1000’s of IoT units annually, skilled a sudden and unanticipated nosedive in exercise. First noticed in India on August 8th, 2023 and per week later in China on August 16th, this mysterious disappearance stripped Mozi bots of most of their performance.

Figure 1 Sudden drop in Mozi activity globally (top), in India (middle), and in China (bottom)
Determine 1. Sudden drop in Mozi exercise globally (high), in India (center), and in China (backside)

Our investigation into this occasion led us to the invention of a kill swap on September 27th, 2023. We noticed the management payload (configuration file) inside a person datagram protocol (UDP) message that was lacking the everyday encapsulation of BitTorrent’s distributed sloppy hash desk (BT-DHT) protocol. The particular person behind the takedown despatched the management payload eight instances, every time instructing the bot to obtain and set up an replace of itself by way of HTTP.

The kill swap demonstrated a number of functionalities, together with:

  • killing the dad or mum course of, i.e., the unique Mozi malware,
  • disabling some system providers comparable to sshd and dropbear,
  • changing the unique Mozi file with itself,
  • executing some router/system configuration instructions,
  • disabling entry to varied ports (iptables -j DROP), and
  • establishing the identical foothold because the changed unique Mozi file

We recognized two variations of the management payload, with the most recent one functioning as an envelope containing the primary one with minor modifications, comparable to including a perform to ping a distant server, most likely meant for statistical functions.

Regardless of the drastic discount in performance, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown. Our evaluation of the kill swap exhibits a powerful connection between the botnet’s unique supply code and lately used binaries, and in addition using the right non-public keys to signal the management payload (see Determine 2).

Figure 2 Code snippets of the original Mozi sample (left) vs kill switch sample seen in 2023 (right)
Determine 2. Code snippets of the unique Mozi pattern (left) vs kill swap pattern seen in 2023 (proper)
Figure 3 Control flow diagram
Determine 3. Management circulation diagram of the unique Mozi pattern (left) vs kill swap pattern seen in 2023 (proper)

This leads us to the speculation suggesting two potential originators of this takedown: the Mozi botnet creators, or Chinese language regulation enforcement forcing the cooperation of the creators. The sequential concentrating on of bots in India after which in China means that the takedown was carried out intentionally, with one nation focused first and the opposite per week later.

Figure 4 Mozi timeline
Determine 4. Mozi timeline

The demise of probably the most prolific IoT botnets is a captivating case of cyberforensics, offering us with intriguing technical info on how such botnets within the wild are created, operated, and dismantled. We’re persevering with to analyze this case and can publish an in depth evaluation within the coming months. However for now, the query stays: Who killed Mozi?

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis provides non-public APT intelligence reviews and information feeds. For any inquiries about this service, go to the ESET Risk Intelligence web page.

IoCs

Information

SHA-1

Filename

Detection

Description

758BA1AB22DD37F0F9D6FD09419BFEF44F810345

mozi.m

Linux/Mozi.A

Unique Mozi bot.

9DEF707F156DD4B0147FF3F5D1065AA7D9F058AA

ud.7

Linux/Mozi.C

Mozi bot kill swap.

Community

IP

Area

Internet hosting supplier

First seen

Particulars

157.119.75[.]16

N/A

AS135373 EFLYPRO-AS-AP EFLY NETWORK LIMITED

2023-09-20

Kill swap internet hosting server

MITRE ATT&CK methods

This desk was constructed utilizing model 13 of the MITRE ATT&CK framework.

Tactic

ID

Identify

Description

Useful resource Growth

T1583.003

Purchase Infrastructure: Digital Personal Server

The Mozi kill swap operators rented a server at eflycloud.com to host the replace recordsdata.

The Mozi kill swap operators rented a number of servers that ship payloads on BT-DHT networks.

Preliminary Entry

T1190

Exploit Public-Dealing with Software

The Mozi kill swap operators despatched an replace command to Mozi purchasers on a BT-DHT community.

Persistence

T1037.004

Boot or Logon Initialization Scripts: RC Scripts

The kill swap creates a number of scripts, comparable to /and so forth/rc.d/rc.native, to determine persistence.

Exfiltration

T1048.003

Exfiltration Over Various Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

The kill swap sends an ICMP ping to the operator maybe for the aim of monitoring.

Influence

T1489

Service Cease

The kill swap stops the SSH service and blocks entry to it with iptables.



Supply hyperlink

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments