Mozi botnet was improved by implementing news capabilities to target network gateways manufactured by Netgear, Huawei, and ZTE says the researchers.
Mozi is an IoT botnet that borrows the code from Mirai variants and the Gafgyt malware. The Mozi botnet was actively targeting Netgear, D-Link, and Huawei routers by probing for weak Telnet passwords to compromise them.The botnet was mainly involved in DDoS attacks. It implements a custom extended Distributed Hash Table (DHT) protocol that provides a lookup service similar to a hash table.
This kind of implementation makes it simple to add/remove nodes with minimum workaround re- keys and build a P2P network.
Researchers from Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT have monitored a new evolution of the threat that extent the list of targets.The bot spreads by brute-forcing devices online or by exploiting known unpatched vulnerabilities in the target devices.
By infecting routers, they can perform man-in-the-middle (MITM) attacks via HTTP hijacking and DNS spoofing to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities. In the diagram below how the vulnerabilities and newly discovered persistence techniques could be used together.
Network gateways are privileged targets for threat actors because that can compromise them in order to gain initial access to corporate networks. Once infected a router, threat actors have multiple options, such as to perform man-in-the-middle (MITM) attacks via HTTP hijacking and DNS spoofing to compromise endpoints and deploy ransomware.
The capabilities to target Netgear, Huawei, and ZTE gateways allow the bot to increase its resistance to takedown. Experts noticed that the malware also prevent remote access by blocking the following ports used by the above gateways:
- 2323—Telnet alternate port
- 7547—Tr-069 port
- 35000—Tr-069 port on Netgear devices
- 50023—Management port on Huawei devices
- 58000—Unknown usage
Organizations using Netgear, Huawei, and ZTE network devices are recommended to keep their firmware up to date and use strong passwords.