The operators of the Mozi IoT botnet have been taken into custody by Chinese law enforcement authorities, nearly two years after the malware emerged on the threat landscape in September 2019.
News of the arrest, which originally happened in June, was disclosed by researchers from Netlab, the network research division of Chinese internet security company Qihoo 360, earlier this Monday, detailing its involvement in the operation.
“Mozi uses a P2P [peer-to-peer] network structure, and one of the ‘advantages’ of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices, that is why we can still see Mozi spreading,” said Netlab, which spotted the botnet for the first time in late 2019.
The development also comes less than two weeks after Microsoft Security Threat Intelligence Center revealed the botnet’s new capabilities that enable it to interfere with the web traffic of infected systems via techniques such as DNS spoofing and HTTP session hijacking with the goal of redirecting users to malicious domains.
Mozi, which evolved from the source code of several known malware families such as Gafgyt, Mirai, and IoT Reaper, amassed more than 15,800 unique command-and-control nodes as of April 2020, up from 323 nodes in December 2019, according to a report from Lumen’s Black Lotus Labs, a number that has since ballooned to 1.5 million, with China and India accounting for the most infections.
Exploiting the use of weak and default remote access passwords as well as through unpatched vulnerabilities, the botnet propagates by infecting routers and digital video recorders to co-opt the devices into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution.
Now according to Netlab, the Mozi authors also packed in additional upgrades, which includes a mining trojan that spreads in a worm-like fashion through weak FTP and SSH passwords, expanding on the botnet’s features by following a plug-in like approach to designing custom tag commands for different functional nodes. “This convenience is one of the reasons for the rapid expansion of the Mozi botnet,” the researchers said.
What’s more, Mozi’s reliance on a BitTorrent-like Distributed Hash Table (DHT) to communicate with other nodes in the botnet instead of a centralized command-and-control server allows it to function unimpeded, making it difficult to remotely activate a kill switch and render the malware ineffective on compromised hosts.
“The Mozi botnet samples have stopped updating for quite some time, but this does not mean that the threat posed by Mozi has ended,” the researchers cautioned. “Since the parts of the network that are already spread across the Internet have the ability to continue to be infected, new devices are infected every day.”