A new botnet based on the Distributed Hash Table (DHT) protocol, dubbed Mozi, attacks routers with weak passwords and known exploits. The botnet appears to have been active since at least September 03, 2019.
A DHT is a decentralized, distributed system that provides a lookup service similar to a hash table: key-value pairs are stored across the participating nodes, and any node can retrieve a value based on its associated key. The protocol is mainly used in torrent clients and other peer-to-peer file-sharing platforms.
The Mozi botnet uses the DHT protocol to quickly establish a network and to hide its payload within the vast amount of regular DHT traffic.
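To make the DHT lookup described above concrete, here is a small Kademlia-style simulation added as an example for this article; it is not code from the article or from 360 Netlab, and it does not speak the real Mainline DHT wire protocol. Node names and keys are constructed, and the routing table is simplified to one known peer per XOR "bucket" (the highest bit in which two IDs differ). It shows why such a network has no central server to block: any node can locate the node responsible for a key by greedily hopping toward it.

```python
"""Minimal Kademlia-style DHT lookup simulation (constructed example, stdlib only)."""
import hashlib
from typing import Dict, List, Optional, Tuple

ID_BITS = 160  # SHA-1 sized identifiers, as used by BitTorrent's Mainline DHT


def make_id(label: str) -> int:
    """Derive a 160-bit identifier from a label (node name or content key)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


def bucket_index(a: int, b: int) -> int:
    """Index of the highest bit in which two IDs differ, or -1 if they are equal."""
    return (a ^ b).bit_length() - 1


class Node:
    """One DHT participant: an ID, a local key-value store and a routing table."""

    def __init__(self, name: str):
        self.name = name
        self.id = make_id(name)
        self.store: Dict[int, str] = {}
        # Routing table: one known peer per bucket (assumption: a single
        # representative per bucket, instead of Kademlia's k entries).
        self.buckets: Dict[int, "Node"] = {}

    def learn(self, other: "Node") -> None:
        """Remember a peer if its bucket is still empty."""
        idx = bucket_index(self.id, other.id)
        if idx >= 0 and idx not in self.buckets:
            self.buckets[idx] = other

    def closest_known(self, key: int) -> "Node":
        """Return the node (self or a known peer) with the smallest XOR distance to key."""
        candidates = [self] + list(self.buckets.values())
        return min(candidates, key=lambda n: n.id ^ key)


def build_network(names: List[str]) -> List[Node]:
    """Create nodes and let every node learn one peer per bucket (simulated bootstrap)."""
    nodes = [Node(n) for n in names]
    for a in nodes:
        for b in nodes:
            if a is not b:
                a.learn(b)
    return nodes


def lookup(start: Node, key: int) -> Tuple[Node, int]:
    """Iterative greedy lookup: hop to the closest known peer until no peer is closer.

    With one peer per bucket this converges to the globally closest node,
    because each hop clears the highest differing bit of the XOR distance.
    """
    current, hops = start, 0
    while True:
        nxt = current.closest_known(key)
        if nxt is current:
            return current, hops
        current, hops = nxt, hops + 1


def put(start: Node, key: str, value: str) -> Node:
    """Store a value on the node closest to the key's ID; return that node."""
    k = make_id(key)
    owner, _ = lookup(start, k)
    owner.store[k] = value
    return owner


def get(start: Node, key: str) -> Optional[str]:
    """Retrieve a value by key, starting the lookup from any node in the network."""
    k = make_id(key)
    owner, _ = lookup(start, k)
    return owner.store.get(k)


if __name__ == "__main__":
    net = build_network([f"node-{i}" for i in range(32)])
    owner = put(net[0], "shared-file.torrent", "peer-list-placeholder")
    print("stored on", owner.name)
    for n in net[1:4]:
        _, hops = lookup(n, make_id("shared-file.torrent"))
        print(f"{n.name} found value {get(n, 'shared-file.torrent')!r} in {hops} hops")
```

Every node reaches the same owner for a key, and no single node holds the whole map: that is the property that lets a peer-to-peer botnet survive the loss of any individual node and is why network defenders watch for DHT traffic from embedded devices that have no business speaking BitTorrent.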
Security researchers at 360 Netlab discovered a suspicious file that reuses part of the Gafgyt malware code. Further analysis revealed “a P2P botnet implemented based on the DHT protocol”, which the researchers called Mozi after its propagation sample.
The botnet relies on a custom P2P network and uses ECDSA384 and an XOR algorithm to ensure the integrity and security of its traffic. The botnet can perform the following functions:
To spread, the bot starts a local HTTP service on a random port from which newly compromised devices download the malware sample, or has them retrieve the sample from an address present in the config file. It compromises the targeted device by using weak passwords or the known exploits listed below.
The following vulnerabilities are exploited:

| VULNERABILITY | AFFECTED DEVICE |
|---|---|
| Eir D1000 Wireless Router RCI | Eir D1000 Router |
| Vacron NVR RCE | Vacron NVR devices |
| CVE-2014-8361 | Devices using the Realtek SDK |
| Netgear cgi-bin Command Injection | Netgear R7000 and R6400 |
| Netgear setup.cgi unauthenticated RCE | DGN1000 Netgear routers |
| JAWS Webserver unauthenticated shell command execution | MVPower DVR |
| CVE-2017-17215 | Huawei Router HG532 |
| HNAP SoapAction-Header Command Execution | D-Link Devices |
| CVE-2018-10561, CVE-2018-10562 | GPON Routers |
| UPnP SOAP TelnetD Command Execution | D-Link Devices |
| CCTV/DVR Remote Code Execution | CCTV DVR |
Once a target device is infected, it joins the Mozi P2P network, becomes a new Mozi bot node and starts infecting other devices.
Based on the data collected by 360 Netlab honeypot devices, the campaign is ongoing and the number of infections has been increasing.
Users are advised to patch the listed vulnerabilities and to set strong passwords on their devices to avoid infection. Technical details can be found in the 360 Netlab blog post.
For more information on D-Link firmware patches, refer here.
D-Link SIRT :: For Accurate and Up-to-Date information please go to: https://bit.ly/2QbLx4h
Thanks for the update, we have added with the article.