
Kill Switch: Proven Decline in Mozi Botnet


The unexpected decline in malicious activities associated with the Mozi botnet during August 2023 can be attributed to the implementation of a kill switch disseminated to the compromised bots.

According to an analysis published by ESET, the initial decline in Mozi botnet activity was observed in India on August 8, followed by a similar occurrence in China on August 16. 

Although the mysterious control payload, referred to as the kill switch, stripped Mozi bots of a significant portion of their functionality, the bots still maintained their persistence on the infected devices.

What is Mozi?

Mozi, an Internet of Things (IoT) botnet, originated from the source code of several well-known malware families, including Gafgyt, Mirai, and IoT Reaper. 

When Did Mozi Start Operation?

Initially detected in 2019, Mozi is notorious for exploiting weak or default remote access passwords and unpatched security vulnerabilities to gain initial access.

In September 2021, researchers at the cybersecurity firm Netlab disclosed that Chinese authorities had apprehended the botnet operators.

The sharp reduction in Mozi botnet activity, from approximately 13,300 compromised hosts on August 7 to only 3,500 on August 10, appears to be a consequence of an unidentified entity issuing a command instructing the bots to download and install an update designed to neutralize the malware.

Kill Switch: A Strong Blow to Mozi

The kill switch, as demonstrated by the Shadowserver Foundation, displayed the capability to terminate the malware’s processes, disable critical system services like SSHD and Dropbear, and ultimately replace the Mozi botnet with itself.

Security researchers noted that despite the substantially reduced functionality, the Mozi bots persisted, indicating a deliberate and systematic takedown operation.

A second variant of the control payload was introduced with minor alterations, including a feature that enabled it to ping a remote server, likely for statistical purposes. Additionally, the kill switch exhibited a significant overlap with the source code of the botnet and was signed with the correct private key.

What Might Be the Case?

According to the researchers, the kill switch was most likely issued by either the original creator of the Mozi botnet or Chinese law enforcement, possibly with the cooperation or coercion of the original actors involved.

The sequential targeting of India followed by China suggests a deliberate and planned operation, with one country being targeted first and the other a week later.

Image description: Mozi’s timeline

Concluding Insights

The deliberate operation, whether organized by the original botnet creators or Chinese authorities, underscores the need for adaptive security strategies to safeguard against the relentless evolution of IoT-based threats. 

Continuous vigilance and advanced threat protection are the key to staying safe.

Author: Anas Hasan

Date: November 3, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
