Saturday, July 13, 2024

Mozi IoT Botnet Uses Mirai Variants To Target Network Gateways


The Microsoft Security Threat Intelligence Center has recently found that the Mozi P2P botnet is continuously attacking IoT devices.

It has added new functions that help the threat actors maintain persistence on network gateways built by Netgear, Huawei, and ZTE.

Azure Defender Section 52 and the Microsoft Security Threat Intelligence Center reported that gateways are a “tidbit” for the threat actors because they are “ideal for primary access to corporate networks.”


Privileged persistence

After detecting this attack, the researchers analysed the malware's behaviour: it checks for the existence of the /overlay folder and whether it lacks write permission to the /etc folder.

If it does not have that permission, it tries to exploit CVE-2015-1328. If the exploit succeeds, it gives the malware access to the folders mentioned below:-

  • /etc/rc.d
  • /etc/init.d

Once it has that access, the malware takes the following actions:-

  • It places a script file named S95Baby.sh in those folders.
  • The script executes the files /usr/networks or /usr/networktmp.
  • Lastly, it adds the script to /etc/rcS.d and /etc/rc.local if it has the privileges to do so.

ZTE devices

In the case of ZTE devices, the analysts found that the malware checks for the existence of the /usr/local/ct folder, which it treats as an indicator that the device is a ZTE modem/router.

If the folder exists, the malware takes the following actions:-

  • It copies its other instance (/usr/networks) to /usr/local/ct/ctadmin0, which gives the malware persistence.
  • It deletes the file /home/httpd/web_shell_cmd.gch. That file can be used to gain access by exploiting CVE-2014-2321.
  • It executes commands that disable TR-069 and its ability to connect to an auto-configuration server (ACS).

Huawei Devices

In the case of Huawei devices, the commands executed change the password and disable the management server on Huawei modem/router devices.

This also stops others from gaining access to the device through the management server. In addition, the researchers stated that, to add a further level of persistence, the malware creates the following files if needed and adds an instruction to preserve its required copy from /usr/networks.
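The persistence artefacts described in the sections above (the S95Baby.sh init script, the rc.local/rcS.d hooks, the /usr/networks copies, and the ZTE-specific /usr/local/ct/ctadmin0 copy and deleted web_shell_cmd.gch) can be checked for from the defender's side. The audit below is an added example, not code from the article or from Microsoft; the paths come from the write-up, while the audit layout and the `root` parameter (so it can run against a mounted firmware dump as well as a live device) are this example's own.

```python
from pathlib import Path
from typing import List

# Artefacts named in the write-up above; the audit layout itself is this example's.
INIT_DIRS = ["etc/rc.d", "etc/init.d"]              # where S95Baby.sh is dropped
BOOT_HOOKS = ["etc/rc.local", "etc/rcS.d"]          # where the script is hooked in
PAYLOAD_PATHS = ["usr/networks", "usr/networktmp"]  # the bot's own copies

def audit_mozi_persistence(root="/") -> List[str]:
    """Return finding strings for the filesystem rooted at `root`.

    `root` may be "/" on a live gateway or the mount point of an extracted
    firmware/overlay image, so the same check works offline on a dump.
    """
    root = Path(root)
    findings = []

    # 1. Init script dropped into /etc/rc.d or /etc/init.d.
    for d in INIT_DIRS:
        if (root / d / "S95Baby.sh").exists():
            findings.append(f"init script present: /{d}/S95Baby.sh")

    # 2. Boot hooks (an rc.local line or an rcS.d entry) that point at the payload.
    for hook in BOOT_HOOKS:
        p = root / hook
        entries = [p] if p.is_file() else (list(p.iterdir()) if p.is_dir() else [])
        for f in entries:
            try:
                text = f.read_text(errors="ignore") if f.is_file() else ""
            except OSError:
                text = ""  # unreadable or dangling symlink; judge by name only
            if "S95Baby" in f.name or any(pp in text for pp in PAYLOAD_PATHS):
                findings.append(f"boot hook references payload: /{f.relative_to(root)}")

    # 3. The bot's own copies on disk.
    for pp in PAYLOAD_PATHS:
        if (root / pp).exists():
            findings.append(f"payload copy present: /{pp}")

    # 4. ZTE case: /usr/local/ct marks a ZTE device; the bot copies itself to
    #    ctadmin0 there and deletes web_shell_cmd.gch (the CVE-2014-2321 file).
    ct = root / "usr/local/ct"
    if ct.is_dir():
        if (ct / "ctadmin0").exists():
            findings.append("ZTE persistence copy present: /usr/local/ct/ctadmin0")
        if not (root / "home/httpd/web_shell_cmd.gch").exists():
            findings.append("ZTE device but /home/httpd/web_shell_cmd.gch is missing")
    return findings
```

A missing web_shell_cmd.gch on a ZTE device is only a hint (it may have been removed by a firmware update), so treat that finding as a lead rather than a confirmation.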

TCP Ports Blocked by Malware

Here’s the list of TCP ports that are blocked by the malware:-

  • 23—Telnet
  • 2323—Telnet alternate port
  • 7547—Tr-069 port
  • 35000—Tr-069 port on Netgear devices
  • 50023—Management port on Huawei devices
  • 58000—Unknown usage

Configuration Commands

The experts have listed all the commands, and here we have mentioned them below:-

  • [ss] – Bot role
  • [ssx] – enable/disable tag [ss]
  • [cpu] – CPU architecture
  • [cpux] – enable/disable tag [cpu]
  • [nd] – new DHT node
  • [hp] – DHT node hash prefix
  • [atk] – DDoS attack type
  • [ver] – Value in V section in DHT protocol
  • [sv] – Update config
  • [ud] – Update bot
  • [dr] – Download and execute payload from the specified URL
  • [rn] – Execute the specified command
  • [dip] – ip:port to download Mozi bot
  • [idp] – report bot
  • [count] – URL used to report the bot
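An analyst who recovers a Mozi configuration blob will want to split it into the tags listed above and see at a glance which of them instruct the bot to act (attack, update, fetch or run something). The parser below is an added example, not code from the article or from Microsoft: the tag names and meanings are the ones listed above, while the "[tag]value[/tag]" layout and the sample blob are assumptions of this example (the sample is constructed, not a real captured config).

```python
import re
from typing import Dict, List, Tuple

# Tag meanings as listed in the article. The "[tag]value[/tag]" layout used
# for parsing is an assumption of this example about how a recovered config looks.
TAG_MEANING = {
    "ss": "bot role", "ssx": "enable/disable [ss]",
    "cpu": "CPU architecture", "cpux": "enable/disable [cpu]",
    "nd": "new DHT node", "hp": "DHT node hash prefix",
    "atk": "DDoS attack type", "ver": "value in V section of DHT protocol",
    "sv": "update config", "ud": "update bot",
    "dr": "download and execute payload from URL", "rn": "execute command",
    "dip": "ip:port to download Mozi bot", "idp": "report bot",
    "count": "URL used to report bot",
}
# Tags whose presence means the config tells the bot to do something on the
# device (attack, fetch code, run a command) rather than merely describe it.
ACTION_TAGS = {"atk", "sv", "ud", "dr", "rn"}

TAG_RE = re.compile(r"\[([a-z]+)\](.*?)\[/\1\]", re.DOTALL)

def parse_config(blob: str) -> List[Tuple[str, str]]:
    """Split a config string into (tag, value) pairs, in order; tags may repeat."""
    return [(m.group(1), m.group(2)) for m in TAG_RE.finditer(blob)]

def triage_config(blob: str) -> Dict[str, object]:
    """Summarise a config for an analyst: known/unknown tags, DHT nodes, actions."""
    report = {"known": {}, "unknown": [], "actions": [], "dht_nodes": []}
    for tag, value in parse_config(blob):
        if tag not in TAG_MEANING:
            report["unknown"].append(tag)   # new or undocumented tag: worth a look
            continue
        report["known"][tag] = value
        if tag == "nd":
            report["dht_nodes"].append(value)
        if tag in ACTION_TAGS:
            report["actions"].append(f"{tag} ({TAG_MEANING[tag]}): {value}")
    return report

# Constructed sample blob, not a real captured config.
SAMPLE = ("[ss]bot[/ss][hp]88888888[/hp][nd]192.0.2.10:6881[/nd]"
          "[count]http://report.example.invalid/r[/count]"
          "[dr]http://dl.example.invalid/mozi.arm7[/dr][zz]x[/zz]")
```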

DNS Spoofing & HTTP Session Hijacking

After a detailed investigation, the security researchers found that Mozi receives a list of DNS names to spoof; every DNS request for one of those names is answered with a spoofed IP.

In the case of HTTP, not every HTTP request is processed: a request has to meet several conditions before it qualifies for hijacking.

Defending Against Mozi Malware

Soon after learning of this attack, Microsoft researchers updated their products to defend against, detect, and respond to Mozi, and improved their capabilities to mitigate this attack.

Customers can use the network device discovery capabilities in Microsoft Defender for Endpoint to identify affected internet gateways on their IT networks.

Moreover, the network-layer capabilities of Azure Defender for IoT can be applied to perform continuous asset discovery and vulnerability management.
