The Mozi botnet, which is known to target IoT devices, has gained new capabilities that enable it to persist on infected devices and target Netgear, Huawei, and ZTE network gateways.
Network gateways are ideal targets for threat actors because they provide initial access points to the entire corporate network.
“By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities,” researchers from Microsoft’s Security Threat Intelligence Center and Section 52 at Azure Defender for IoT said.
Mozi is an IoT botnet that infects routers and video recording devices and conscripts them into a network used for distributed denial-of-service (DDoS) campaigns. It was first documented by Netlab 360 in December 2019.
The botnet was built from the source code of several known malware families, such as Gafgyt, Mirai, and IoT Reaper.
Mozi is spread through the use of weak and default username and password combinations as well as unpatched IoT vulnerabilities.
It uses a Distributed Hash Table (DHT) to communicate with other infected nodes, much as BitTorrent-style peer-to-peer (P2P) file-sharing clients do. Infected devices carry out commands from controller nodes and spread the infection further.
According to an IBM X-Force analysis, the share of traffic attributed to Mozi has grown significantly over the last couple of years, reaching nearly 90%. The analysis also concluded that the growing popularity of the Internet of Things (IoT) is attracting more and more threat actors.
According to a report released by the security firm Elastic Security, over 20 countries have been targeted by Mozi operators so far. Recently, Microsoft researchers also discovered that the malware “takes specific actions to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation.” These include blocking certain TCP ports and maintaining persistent connections to targeted devices.
The latest version of Mozi allows the malware to hijack HTTP sessions and spoof DNS.
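A defender-side check for the DNS spoofing behaviour described above, added here as an example; it is not code from the article or from the Microsoft report. It assumes you have collected A-record answers for the same names from two resolvers, the LAN gateway and an independent public resolver (for instance with `dig +short <name> @<resolver>`), and compares them offline; the sample answers and IP addresses are constructed.

```python
"""Offline comparison of DNS answers from a LAN gateway vs. a reference resolver.

A gateway compromised for DNS spoofing typically returns attacker-chosen
addresses, or its own LAN address (so it can hijack the HTTP session).
Assumption: answers were gathered beforehand, e.g. `dig +short <name> @<resolver>`.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: (resolver_label, domain, answer_ip) tuples.
SAMPLE_ANSWERS = [
    ("gateway", "example.com", "192.0.2.10"),
    ("public",  "example.com", "192.0.2.10"),
    ("gateway", "cdn.example.net", "203.0.113.7"),        # CDN pool subset: benign
    ("public",  "cdn.example.net", "203.0.113.7"),
    ("public",  "cdn.example.net", "203.0.113.8"),
    ("gateway", "update.example.org", "192.168.1.1"),     # answered with the gateway itself
    ("public",  "update.example.org", "198.51.100.20"),
    ("gateway", "bank.example", "198.51.100.99"),         # unrelated address
    ("public",  "bank.example", "198.51.100.21"),
]

# RFC 1918 and loopback ranges: a public name should never resolve here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def group_answers(rows):
    """Return {domain: {resolver: set(ips)}}."""
    table = defaultdict(lambda: defaultdict(set))
    for resolver, domain, ip in rows:
        table[domain][resolver].add(ip)
    return table

def suspicious_domains(rows, gateway="gateway", reference="public"):
    """Map each hijack-looking domain to a reason string.

    CDNs legitimately hand out different subsets of an address pool, so a
    domain is flagged only when the gateway answer is a local address or when
    the two answer sets share nothing at all.
    """
    findings = {}
    for domain, by_resolver in group_answers(rows).items():
        gw, ref = by_resolver.get(gateway, set()), by_resolver.get(reference, set())
        if not gw or not ref:
            continue  # nothing to compare against
        local = sorted(ip for ip in gw if is_local(ip))
        if local:
            findings[domain] = "gateway resolves public name to local address " + ", ".join(local)
        elif gw.isdisjoint(ref):
            findings[domain] = f"no overlap: gateway={sorted(gw)} reference={sorted(ref)}"
    return findings

if __name__ == "__main__":
    for domain, reason in suspicious_domains(SAMPLE_ANSWERS).items():
        print(f"{domain}: {reason}")
```

Run it against answers captured from a suspect gateway; names that resolve to the gateway's own LAN address are the strongest indicator, since that is what enables the HTTP hijacking the article mentions.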
Using strong passwords and updating devices to the latest firmware are recommended to secure them.
“Doing so will reduce the attack surfaces leveraged by the botnet and prevent attackers from getting into a position where they can use the newly discovered persistence and other exploit techniques,” Microsoft said.