Modified Mozi P2P Botnet implemented new capabilities to target its victim's web traffic via MITM and DNS Spoofing attacks...

Continue reading
A new variant of Mozi, a botnet that targets IoT devices and routers, has evolved and is now capable of interfering with the web traffic of affected systems via methods such as DNS spoofing and HTTP session hijacking.
Initially detected by the researchers at Microsoft, these newly evolved capabilities are part of a renewed Mozi malware version that recently launched attacks against network gateway devices manufactured by Netgear, Huawei, and ZTE.
The Mozi botnet is a P2P (peer-to-peer) type of botnet that utilizes distributed sloppy hash table (DSHT) protocol to propagate through IoT devices to exploit weak telnet passwords. Upon infecting the router and the device, it implements local UDP port 14737 to detect and destroy processes using ports 1536 and 5888. Threat actors have abused the Mirai Botnet to jeopardize several IoT devices since 2019. Recently, a new variant has evolved with multiple new capabilities.
The Mozi botnet possesses two distinct characteristics, such as ECDSA384 (elliptic curve digital signature algorithm 384), to validate its ethics. Upon execution, the botnet checks for a bin file, and if it exists, the sample alters its domain name to sshd.
It can conduct four major attacks: DoS attacks, command execution attacks, gathering bot information, etc. Reports from IBM X-Force suggest that Mozi is responsible for 90% of the detected IoT network traffic from October 2019 through June 2020. The major framework around Mozi Botnet (nearly 84% of the practical framework) is allegedly sourced from China.

Microsoft published a report stating that "Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks." The tech giant warned users through the report mentioning that "By infecting routers, [Mozi] can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities."

Reports suggest that Mozi utilizes code from Mirai variants and the Gafgyt malware. The research team at 360 Netlab detected the Mozi botnet actively targets Netgear, D-Link, and Huawei routers by compromising weak passwords. Initially, the botnet was involved in DoS attacks, but now it has enormously increased its domain of attacks. The bot proliferates in the victim's network by brute-forcing devices or by jeopardizing unpatched vulnerabilities.
Researchers at the Microsoft Security Threat Intelligence Center stated that "While the botnet itself is not new, Microsoft’s IoT security researchers recently discovered that Mozi has evolved to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE."
Network gateways are tempting targets for threat actors as they can compromise to gain initial access to corporate networks. After compromising a router, threat actors can perform MITM attacks through HTTP hijacking and DNS spoofing.
Microsoft alerted all the businesses utilizing Netgear, Huawei, and ZTE network devices to update their firmware, apply necessary security patches, and use strong passwords.