ESET Research uncovered a kill switch that took Mozi, a prolific IoT botnet, out of operation. The payload, delivered via UDP and signed with private keys, disabled services, killed the original malware, and staged updates. #Mozi #IoTBotnet
Key points
- The Mozi botnet's activity plummeted in August 2023, first observed in India on Aug 8 and then in China on Aug 16.
- A kill switch was discovered on September 27, 2023, inside a UDP payload that omitted BT-DHT encapsulation and instructed bots to download updates via HTTP.
- The kill switch demonstrated multiple functions, including killing the parent Mozi process, disabling services like sshd and dropbear, replacing the Mozi file, executing router/device commands, blocking ports with iptables, and re-establishing the same foothold.
- Two versions of the control payload were identified; the latest acts as an envelope containing the first with minor additions such as a remote ping for statistics.
- Despite reduced functionality, Mozi bots retained persistence, suggesting a deliberate takedown, with evidence of strong ties to original source code and use of private keys to sign the payload.
- There are two potential originators for the takedown: the Mozi creators or Chinese law enforcement, with a sequence targeting India first and China a week later.
MITRE Techniques
- [T1583.003] Acquire Infrastructure: Virtual Private Server – The Mozi kill switch operators rented a server at eflycloud.com to host the update files. "The Mozi kill switch operators rented multiple servers that send payloads on BT-DHT networks."
- [T1190] Initial Access: Exploit Public-Facing Application – The Mozi kill switch operators sent an update command to Mozi clients on a BT-DHT network.
- [T1037.004] Boot or Logon Initialization Scripts: RC Scripts – The kill switch creates multiple scripts, such as /etc/rc.d/rc.local, to establish persistence.
- [T1048.003] Exfiltration: Exfiltration Over Unencrypted Non-C2 Protocol – The kill switch sends an ICMP ping to the operator, possibly for monitoring purposes.
- [T1489] Impact: Service Stop – The kill switch stops the SSH service and blocks access to it with iptables.
Indicators of Compromise
- [File] 758BA1AB22DD37F0F9D6FD09419BFEF44F810345 – mozi.m – Linux/Mozi.A; original Mozi bot
- [File] 9DEF707F156DD4B0147FF3F5D1065AA7D9F058AA – ud.7 – Linux/Mozi.C; Mozi bot kill switch
- [Network] IP – 157.119.75[.]16 (kill switch hosting server) – AS135373 EFLYPRO-AS-AP EFLY NETWORK LIMITED, first seen 2023-09-20
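A host triage routine that correlates the indicators and behaviours listed above (known sample hashes, RC-script persistence, SSH stopped and blocked by iptables, contact with the hosting server). This is an added example, not ESET's code or the report's tooling; the snapshot layout, the iptables rule pattern used to spot the SSH block, and the sample paths and process names are assumptions constructed for illustration, while the hashes and IP come from the IoC list.

```python
import re

# Indicators copied from the IoC section above: SHA-1 hashes and hosting IP.
KNOWN_SHA1 = {
    "758ba1ab22dd37f0f9d6fd09419bfef44f810345": "Linux/Mozi.A (original bot, mozi.m)",
    "9def707f156dd4b0147ff3f5d1065aa7d9f058aa": "Linux/Mozi.C (kill switch, ud.7)",
}
KILL_SWITCH_HOST = "157.119.75.16"
# Services the key points say the kill switch disables; the iptables rule shape
# used to detect the SSH block is an assumption, not taken from the report.
TARGETED_SERVICES = {"sshd", "dropbear"}
SSH_BLOCK_RE = re.compile(r"^-A INPUT\b.*--dport 22\b.*-j (DROP|REJECT)\b")

def triage(snapshot):
    """Return (category, detail) findings for one collected host snapshot.
    Keys: files {path: sha1 hex} (sha1sum), rc_scripts {path: text},
    iptables [lines from `iptables -S`], processes {names}, connections [IPv4].
    """
    findings, matched_paths = [], []
    for path, digest in snapshot.get("files", {}).items():
        label = KNOWN_SHA1.get(digest.lower())
        if label:
            matched_paths.append(path)
            findings.append(("known_sample", f"{path} is {label}"))
    # Persistence: an RC script that launches a file whose hash is a known sample.
    for script, text in snapshot.get("rc_scripts", {}).items():
        for path in matched_paths:
            if path in text:
                findings.append(("rc_persistence", f"{script} launches {path}"))
    # Service stop plus port block: port 22 dropped while no SSH daemon is running.
    procs = set(snapshot.get("processes", ()))
    ssh_blocked = any(SSH_BLOCK_RE.search(r) for r in snapshot.get("iptables", ()))
    if ssh_blocked and not procs & TARGETED_SERVICES:
        findings.append(("ssh_disabled", "port 22 blocked, no sshd/dropbear running"))
    # Any contact with the update-hosting server listed in the IoCs.
    for ip in snapshot.get("connections", ()):
        if ip == KILL_SWITCH_HOST:
            findings.append(("kill_switch_host", f"connection to {ip}"))
    return findings

# Constructed sample snapshot (not real device data) that trips every rule.
SAMPLE = {
    "files": {"/tmp/ud.7": "9DEF707F156DD4B0147FF3F5D1065AA7D9F058AA",
              "/bin/busybox": "0" * 40},
    "rc_scripts": {"/etc/rc.d/rc.local": "#!/bin/sh\n/tmp/ud.7 &\n"},
    "iptables": ["-P INPUT ACCEPT", "-A INPUT -p tcp -m tcp --dport 22 -j DROP"],
    "processes": {"init", "busybox", "ud.7"},
    "connections": ["157.119.75.16", "192.0.2.10"],
}
```

Running `triage(SAMPLE)` yields one finding per category; a host with port 22 dropped but sshd still running produces no ssh_disabled finding, which keeps ordinary hardening from triggering the rule.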