Mozi Botnet Targeting Netgear, Huawei, ZTE GatewaysMicrosoft: Upgraded Malware More Persistent
Microsoft security researchers say the operators of the well-established Mozi IoT botnet have upgraded the malware, enabling it to achieve persistence on network gateways manufactured by Netgear, Huawei and ZTE.
"Targeting Netgear, Huawei, and ZTE gateways, the malware now takes specific actions to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation," the researchers say.
Microsoft did not report if any attacks leveraging the improved Mozi malware have been observed in the wild.
To mitigate risks, Microsoft recommends using strong passwords and keeping devices properly patched. "Doing so will reduce the attack surfaces leveraged by the botnet and prevent attackers from getting into a position where they can use the newly discovered persistence and other exploit techniques," the researchers say.
Mozi is a peer-to-peer botnet that uses a BitTorrent-like network to infect connected devices, ranging from network gateways to DVRs. The malware gains access by exploiting weak telnet passwords or unpatched IoT vulnerabilities. Mozi is primarily used to conduct distributed denial-of-service attacks, but it also can be used to support data exfiltration and payload execution.
New Mozi Capabilities
The malware now takes actions to increase its chances of survival when targeting Netgear, Huawei and ZTE gateways by achieving privileged persistence, Microsoft says.
To do this, it specifically checks for the existence of the /overlay folder. If the folder is not found, the malware will try to exploit CVE-2015-1328, the researchers say.
The malware has also been tuned to make a specific check on ZTE and Huawei routers and gateways, Microsoft says.
For ZTE devices, Mozi looks for the existence of the /usr/local/ct folder, as this serves as an indicator of the device being a ZTE modem/router device. It then copies instances of itself into /usr/local/ct/ctadmin0 to provide persistence.
"It deletes the file /home/httpd/web_shell_cmd.gch. This file can be used to gain access through the exploitation of the vulnerability CVE-2014-2321; deleting it prevents future attacks," the researchers say. "It executes the following commands. These disable Tr-069 and its ability to connect to auto-configuration server. Tr-069 is a protocol for remote configuration of network devices; it’s usually utilized by service providers to configure customers’ equipment."
On Huawei devices, Mozi inserts several commands to changes the password and disables the management server for Huawei modem/router devices. Changing the login credentials prevents security teams from regaining access to the device through the management server, the researchers say.
In another new move, the malware shuts down TCP ports 23, 2323, 7547, 35000, 50023 and 5800 to block any attempts at remote access by security teams, which helps the malware maintain persistence, Microsoft says.
Mozi's creators also improved the malware's DNS spoofing capability. Now, each DNS request is answered with the spoofed IP, which the Microsoft researchers say is an efficient technique to redirect traffic to the attackers' infrastructure.
Network gateways are prized by attackers because they are useful as an initial access point to a corporate network. Attackers generally search for a vulnerable device using scanning tools, such as Shodan. Once a vulnerable device is infected, the malware performs reconnaissance on neighboring devices and then moves laterally to compromise higher-value targets - including information systems and critical industrial IT/OT systems.
Having control of a router gives a threat actor a wide selection of attack types from which to choose. These include man-in-the-middle attacks - via HTTP hijacking and DNS spoofing - to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities.
Mozi has been in use since late 2019. IBM's X-Force offered a detailed analysis of the initial variant in September 2020. IBM found Mozi has some code overlap with the Mirai botnet and, for a time, was the most heavily used botnet malware, accounting for 90% of all attacks from October 2019 through June 2020.