Mozi IoT Botnet Uses Mirai Variants To Target Network Gateways


Microsoft Security Threat Intelligence Center has recently found that the Mozi P2P botnet is continuously attacking IoT devices.

It has installed new functions that help the threat actors to remain resolute in network gateways that have been built by Netgear, Huawei, and ZTE.

Azure Defender Section 52 Microsoft Security Threat Intelligence Center reported that gateways are a “tidbit” for the threat actors because they are “ideal for primary access to corporate networks.

This image has an empty alt attribute; its file name is W9TwCJRxPgErG2GXL5kqhnBZmXc1BR7Ox2JX_U8eXFuM85zKBIoyz1beD1vERtALKf8ihF8_kGiq6tipzGPEqpt3QmBP_jvRwonl2974PIAd-_2B9Xf6rs-p1Nn2j84mL-U3b6Zo

Privileged persistence

After detecting this attack, the experts have conducted a specific investigation to know about the occurrence of the /overlay folder, and not only this they will also check that if the malware does not have write grants to the folder /etc. 

However, if it grants permission, then, in that case, it will try to exploit CVE-2015-1328. In case of successful exploitation of the vulnerability, it will grant the malware access to the folders that are mentioned below:-

  • /etc/rc.d
  • /etc/init.d

However, in this type of case, some actions are taken, and here we have mentioned them below:-

  • It puts the script file named S95Baby.sh in the folders.
  • The script operates the files /usr/networks or /user/networktmp. 
  • Lastly, it adds up the script to /etc/rcS.d and /etc/rc.local in case it requires privileges.

ZTE devices

In the case of the ZTE device, the analysts have again conducted a special investigation to check for the existence of the /usr/local/ct folder. Here they claimed that this folder act as an indicator of the device that is being a ZTE modem/router device.

However, in this type of case, some actions are taken, that we have mentioned below:-

  • It draws its other instance (/usr/networks) to /usr/local/ct/ctadmin0; as it gives persistency for the malware.
  • It eliminates the file /home/httpd/web_shell_cmd.gch. Such a file can be applied to obtain access via exploitation of the vulnerability CVE-2014-2321.
  • It performs the following commands, that disable Tr-069 and its capacity to connect to an auto-configuration server (ACS). 

Huawei Devices

In the case of the Huawei device, the execution of the commands generally modifies the password as well as disables the management server for Huawei modem/router devices. 

Not only this but it also stops many others from obtaining access to the device via the management server. Apart from this, the experts have also stated that to implement an additional level of resolution it also produces the following files in case of needs and supplements an instruction to persevere all its required copy from /usr/networks.

TCP Ports Blocked by Malware

Here’s the list of TCP ports that are blocked by the malware:-

  • 23—Telnet
  • 2323—Telnet alternate port
  • 7547—Tr-069 port
  • 35000—Tr-069 port on Netgear devices
  • 50023—Management port on Huawei devices
  • 58000—Unknown usage

Configuration Commands

The experts have listed all the commands, and here we have mentioned them below:-

  • [ss] – Bot role
  • [ssx] – enable/disable tag [ss]
  • [cpu] – CPU architecture
  • [cpux] – enable/disable tag [cpu]
  • [nd] – new DHT node
  • [hp] – DHT node hash prefix
  • [atk] – DDoS attack type
  • [ver] – Value in V section in DHT protocol
  • [sv] – Update config
  • [ud] – Update bot
  • [dr] – Download and execute payload from the specified URL
  • [rn] – Execute the specified command
  • [dip] – ip:port to download Mozi bot
  • [idp] – report bot
  • [count] – URL that used to report bot

DNS Spoofing & HTTP Session Hijacking

After a specific investigation, the security researchers came to know that the Mozi receives a list of DNS names, later they also noted that all of them were spoofed; Not only this but every DNS request have a spoofed IP. 

While in the case of the HTTP session every HTTP request does not get processed, and in such circumstances, there are several requirements that are needed to get qualified for hijacking.

Defending Against Mozi Malware

Soon after knowing about this attack, the Microsoft researchers have already updated to defend, detect, and respond to Mozi and not only this but it has also improved all its capabilities to bypass this attack.

The customers can utilize the network device discovery skills that have been found in Microsoft Defender for Endpoint to identify affected internet gateways on their IT networks.

Moreover, the network-layer abilities of Azure Defender for IoT can be applied as it will help the customer to perform continuous asset discovery, vulnerability management.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Leave a Reply