[BreachExchange] Chinese Authorities Arrest Hackers Behind Mozi IoT Botnet Attacks

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Sep 2 09:04:26 EDT 2021


https://thehackernews.com/2021/09/chinese-authorities-arrest-hackers.html

The operators of the Mozi IoT botnet have been taken into custody by
Chinese law enforcement authorities, nearly two years after the malware
emerged on the threat landscape in September 2019.

News of the arrests, which took place in June, was disclosed on Monday by
researchers from Netlab, the network research division of Chinese internet
security company Qihoo 360, who detailed the company's involvement in the
operation.

"Mozi uses a P2P [peer-to-peer] network structure, and one of the
'advantages' of a P2P network is that it is robust, so even if some of the
nodes go down, the whole network will carry on, and the remaining nodes
will still infect other vulnerable devices, that is why we can still see
Mozi spreading," said Netlab, which spotted the botnet for the first time
in late 2019.

The development also comes less than two weeks after Microsoft Security
Threat Intelligence Center revealed the botnet's new capabilities that
enable it to interfere with the web traffic of infected systems via
techniques such as DNS spoofing and HTTP session hijacking with the goal of
redirecting users to malicious domains.

Mozi, which evolved from the source code of several known malware families
such as Gafgyt, Mirai, and IoT Reaper, amassed more than 15,800 unique
command-and-control nodes as of April 2020, up from 323 nodes in December
2019, according to a report from Lumen's Black Lotus Labs. That number has
since ballooned to 1.5 million, with China and India accounting for the
most infections.

Exploiting weak and default remote-access passwords as well as unpatched
vulnerabilities, the botnet propagates by infecting routers and digital
video recorders and co-opting them into an IoT botnet that can be abused
for launching distributed denial-of-service (DDoS) attacks, data
exfiltration, and payload execution.

According to Netlab, the Mozi authors also packed in additional upgrades,
which include a mining trojan that spreads in a worm-like fashion through
weak FTP and SSH passwords, expanding the botnet's features by following a
plug-in-like approach to designing custom tag commands for different
functional nodes. "This convenience is one of the reasons for the rapid
expansion of the Mozi botnet," the researchers said.
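The two propagation paths described above (weak or default remote-access
passwords on routers and DVRs, and the worm-like spread over weak FTP and
SSH passwords) leave the same trace on the victim: a burst of failed logins
from one source, often followed by a success. The following is an added
example, not code from the article or from Netlab, of detection logic that
runs over syslog lines in the format emitted by dropbear (SSH) and vsftpd
(FTP), which are common on embedded devices. The log lines are constructed
for the example, the message formats matched by the regular expressions are
assumed, and the threshold and window are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog from a hypothetical DVR (not a real capture).
SAMPLE_LOG = """\
Sep  1 10:00:01 dvr dropbear[312]: Bad password attempt for 'root' from 203.0.113.7:51002
Sep  1 10:00:02 dvr dropbear[313]: Bad password attempt for 'admin' from 203.0.113.7:51003
Sep  1 10:00:02 dvr dropbear[314]: Bad password attempt for 'root' from 203.0.113.7:51004
Sep  1 10:00:03 dvr dropbear[315]: Password auth succeeded for 'root' from 203.0.113.7:51005
Sep  1 10:00:40 dvr vsftpd[410]: FAIL LOGIN: Client "203.0.113.9"
Sep  1 10:00:41 dvr vsftpd[411]: FAIL LOGIN: Client "203.0.113.9"
Sep  1 10:05:00 dvr dropbear[330]: Password auth succeeded for 'pi' from 198.51.100.2:40001
"""

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Assumed message formats for the two daemons (one regex per service).
PATTERNS = {
    "ssh": re.compile(r"dropbear\[\d+\]: (?P<result>Bad password attempt|Password auth succeeded) "
                      r"for '(?P<user>[^']+)' from (?P<ip>\d+(?:\.\d+){3}):\d+"),
    "ftp": re.compile(r"vsftpd\[\d+\]: (?P<result>FAIL|OK) LOGIN: Client \"(?P<ip>\d+(?:\.\d+){3})\""),
}
TIMESTAMP = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")


def parse_events(text, year=2021):
    """Turn syslog lines into login events: timestamp, service, source IP, user, success flag."""
    events = []
    for line in text.splitlines():
        m = TIMESTAMP.match(line)
        if not m:
            continue  # syslog lines carry no year; the caller supplies it
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), *map(int, m["time"].split(":")))
        for service, pat in PATTERNS.items():
            hit = pat.search(line)
            if hit:
                ok = hit["result"] in ("Password auth succeeded", "OK")
                events.append({"ts": ts, "service": service, "ip": hit["ip"],
                               "user": hit.groupdict().get("user"), "ok": ok})
                break
    return events


def detect_bruteforce(events, threshold=3, window_s=60):
    """Flag (ip, service) pairs with >= threshold failures inside a sliding window.

    'compromised' is True when a successful login from the same source followed
    the failures, i.e. the credential guessing worked and the device is likely
    now a bot. Thresholds here are illustrative, not tuned values.
    """
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["ip"], e["service"])].append(e)

    alerts = {}
    for (ip, service), evs in by_key.items():
        fails = [e["ts"] for e in evs if not e["ok"]]
        lo, hit = 0, False
        for hi in range(len(fails)):            # sliding window over failure times
            while (fails[hi] - fails[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                hit = True
                break
        if hit:
            success_after = any(e["ok"] and e["ts"] >= fails[0] for e in evs)
            alerts[(ip, service)] = {
                "failures": len(fails),
                "compromised": success_after,
                "users": sorted({e["user"] for e in evs if e["user"]}),
            }
    return alerts


if __name__ == "__main__":
    for key, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(key, info)
```

On the sample, only 203.0.113.7 over SSH crosses the threshold, and the
success that follows marks it as a likely compromise; the two FTP failures
from 203.0.113.9 stay below it. In production the same logic would be fed
from a central syslog collector, since the bot typically wipes or disables
logging on the device it has just taken over.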

What's more, Mozi's reliance on a BitTorrent-like Distributed Hash Table
(DHT) to communicate with other nodes in the botnet instead of a
centralized command-and-control server allows it to function unimpeded,
making it difficult to remotely activate a kill switch and render the
malware ineffective on compromised hosts.
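Because the control channel rides on a BitTorrent-style DHT, there is no
single server to sinkhole; what a defender can do is notice that a router
or DVR has started speaking the DHT's wire protocol at all. The BitTorrent
DHT uses KRPC (BEP 5): bencoded dictionaries over UDP whose "y" key says
whether the message is a query, response or error, and whose "q" key names
the method (ping, find_node, get_peers, announce_peer). The following is an
added example, not code from the article or from Netlab, of a small bencode
decoder and a classifier that tags UDP payloads as KRPC and counts them per
source address. The payloads are constructed from the BEP 5 specification's
own sample node IDs, and the device addresses are made up; nothing here is
specific to Mozi's node IDs or extensions, which the article does not
describe.

```python
# Constructed KRPC payloads (node IDs are the examples used in BEP 5, not live data).
PING_QUERY = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
FIND_NODE_QUERY = (b"d1:ad2:id20:abcdefghij01234567896:target20:mnopqrstuvwxyz123456e"
                   b"1:q9:find_node1:t2:aa1:y1:qe")
PING_RESPONSE = b"d1:rd2:id20:mnopqrstuvwxyz123456e1:t2:aa1:y1:re"
NOT_KRPC = b"\x12\x34\x01\x00\x00\x01"        # looks like a DNS header, not bencode

KRPC_METHODS = {b"ping", b"find_node", b"get_peers", b"announce_peer"}


def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, offset_after_value)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                  # list: l<values>e
        i, out = i + 1, []
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":                                  # dict: d<key><value>...e
        i, out = i + 1, {}
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            out[k] = v
        return out, i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    # Truncated input ends up here with c == b"", so malformed data raises
    # instead of looping forever.
    raise ValueError("not bencode at offset %d" % i)


def classify_krpc(payload):
    """Return {'type', 'method', 'node_id'} for a KRPC message, or None if it is not one."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError):
        return None
    if not isinstance(msg, dict) or end != len(payload):
        return None
    kind = msg.get(b"y")
    if kind == b"q":
        method = msg.get(b"q")
        args = msg.get(b"a")
        node_id = args.get(b"id") if isinstance(args, dict) else None
        if method not in KRPC_METHODS or not isinstance(node_id, bytes) or len(node_id) != 20:
            return None
        return {"type": "query", "method": method.decode(), "node_id": node_id.hex()}
    if kind == b"r":
        resp = msg.get(b"r")
        node_id = resp.get(b"id") if isinstance(resp, dict) else None
        if not isinstance(node_id, bytes) or len(node_id) != 20:
            return None
        return {"type": "response", "method": None, "node_id": node_id.hex()}
    if kind == b"e":
        return {"type": "error", "method": None, "node_id": None}
    return None


def flag_dht_sources(packets):
    """Count KRPC messages per source IP from (src_ip, udp_payload) pairs.

    Any IoT address that appears in the result is worth a look: a camera or
    router has no legitimate reason to join the BitTorrent DHT.
    """
    counts = {}
    for src, payload in packets:
        if classify_krpc(payload) is not None:
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed packet sample: two hypothetical devices talking DHT, one not.
SAMPLE_PACKETS = [
    ("192.0.2.10", PING_QUERY),
    ("192.0.2.11", NOT_KRPC),
    ("192.0.2.10", FIND_NODE_QUERY),
    ("192.0.2.12", PING_RESPONSE),
]

if __name__ == "__main__":
    print(flag_dht_sources(SAMPLE_PACKETS))
```

The node ID is returned as hex so it can be pivoted on across sensors: in a
P2P botnet the same 20-byte ID recurring from one device over days is the
kind of stable identifier that survives the absence of a central C2 domain.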

"The Mozi botnet samples have stopped updating for quite some time, but
this does not mean that the threat posed by Mozi has ended," the
researchers cautioned. "Since the parts of the network that are already
spread across the Internet have the ability to continue to be infected, new
devices are infected every day."