Friday, January 31, 2025
Follow us On Linkedin
HomeBotnetNew Mozi P2P Botnet Attacks Netgear, GPON, D-Link and Huawei Routers Using...

New Mozi P2P Botnet Attacks Netgear, GPON, D-Link and Huawei Routers Using Weak Passwords and Some Known Exploits

BotnetNetwork Security

Published on

By Gurubaran
Mozi Botnet

Free Webinar DevSecOps Hacks

SIEM as a Service

Follow Us on Google News

A new Distributed Hash Table (DHT) protocol based botnet dubbed Mozi attacks routers with weak passwords and known exploits. The botnet appears to be active at least from September 03, 2019.

DHT is a decentralized distributed that provides lookup service similar to key pair stored in DHT and retrieves a value based on the associated key. The protocol is mainly used in torrent clients and other peer-to-peer file-sharing platforms.

Mozi Botnet uses DHT protocol to quickly establish a network and to hide the payload with a vast amount of regular DHT traffic.

Mozi Botnet
Mozi Botnet Traffic

Mozi Botnet

Security researchers at 360 Netlab discovered a suspicious file that reuses part of the Gafgyt malware code, further analysis reveals that “P2P botnet implemented based on the DHT protocol, researchers called it as Mozi based on its propagation sample.”

The botnet relies on the custom P2P network, uses ECDSA384 and the xor algorithm to ensure integrity and security. The botnet can perform the following functions

  • DDoS attack
  • Collecting Bot Information
  • Execute the payload of the specified URL
  • Update the sample from the specified URL
  • Execute system or custom commands
Mozi Botnet
Mozi Structure

The botnet starts infection using any random local port to start a local HTTP service to provide malware samples for download or to retrieve the samples from the address present in the config file. It uses weak passwords or uses known to compromise the targeted device.

Following are the vulnerabilities Exploited

VULNERABILITYAFFECTED DEVICE
Eir D1000 Wireless Router RCIEir D1000 Router
Vacron NVR RCEVacron NVR devices
CVE-2014-8361Devices using the Realtek SDK
Netgear cig-bin Command InjectionNetgear R7000 and R6400
Netgear setup.cgi unauthenticated RCEDGN1000 Netgear routers
JAWS Webserver unauthenticated shell command executionMVPower DVR
CVE-2017-17215Huawei Router HG532
HNAP SoapAction-Header Command ExecutionD-Link Devices
CVE-2018-10561, CVE-2018-10562GPON Routers
UPnP SOAP TelnetD Command ExecutionD-Link Devices
CCTV/DVR Remote Code ExecutionCCTV DVR

Once it infected the target device, it joins the device Mozi P2P network and the device becomes like the new Mozi Bot node and starts infecting other devices.

Based on the data collected by 360 Netlab honeypot devices, the campaign is ongoing and the infection has been increasing.

Mozi Botnet
Device Infection

Users are recommended to patch the vulnerabilities and to set up a strong password to avoid infection. Technical details can be found in the 360 Netlab blog post.

For more information on D-Link, Firmware Patches refer here.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

cyber security

Hackers Exploiting DNS Poisoning to Compromise Active Directory Environments

A groundbreaking technique for Kerberos relaying over HTTP, leveraging multicast poisoning, has been recently...
Android

New Android Malware Exploiting Wedding Invitations to Steal Victims WhatsApp Messages

Since mid-2024, cybersecurity researchers have been monitoring a sophisticated Android malware campaign dubbed "Tria...
cyber security

500 Million Proton VPN & Pass Users at Risk Due to Memory Protection Vulnerability

Proton, the globally recognized provider of privacy-focused services such as Proton VPN and Proton...
cyber security

Arcus Media Ransomware Strikes: Files Locked, Backups Erased, and Remote Access Disabled

The cybersecurity landscape faces increasing challenges as Arcus Media ransomware emerges as a highly...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

Register Now

More like this

Botnet

Murdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc,...
Botnet

New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices

Large-scale DDoS attack commands sent from an IoT botnet's C&C server targeting Japan and...
Botnet

AIRASHI Botnet Exploiting 0-Day Vulnerabilities In Large Scale DDoS Attacks

AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved