Security researchers observed ‘deliberate’ takedown of notorious Mozi botnet

Security researchers say they have observed what they believe is a takedown of the notorious Mozi botnet that infiltrated more than a million Internet of Things devices worldwide.

In research shared with TechCrunch ahead of publication on Tuesday, researchers at cybersecurity company ESET say they witnessed the “sudden demise” of Mozi during an investigation into the botnet.

Mozi is a peer-to-peer Internet of Things botnet that abuses weak Telnet passwords and known vulnerabilities to hijack home routers and digital video recorders. The botnet, first discovered in 2019 by 360 Netlab, uses masses of these hijacked devices for DDoS attacks, payload execution and data exfiltration. Mozi has infected more than 1.5 million devices since 2019, with the majority — at least 830,000 devices — originating from China.

Microsoft warned in August 2021 that Mozi had adapted its persistence mechanisms so that it could survive on network gateways manufactured by Netgear, Huawei and ZTE. That same month, 360 Netlab announced that it had assisted in a Chinese law enforcement operation to arrest the authors of Mozi.

ESET, which launched an investigation into Mozi a month prior to these arrests, said it observed a dramatic drop in Mozi’s activity in August this year.

Ivan Bešina, a senior malware researcher at ESET, tells TechCrunch that the company was monitoring approximately 1,200 unique devices daily worldwide before this. “We saw 200,000 unique devices in the first half of this year and 40,000 unique devices in July 2023,” said Bešina. “After the drop, our monitoring tool was only able to probe about 100 unique devices daily.”

This drop was observed first in India and then in China — the two countries that combined account for 90% of all infected devices worldwide — Bešina tells TechCrunch, adding that Russia is the third-most infected country, followed by Thailand and South Korea.

The slump in activity was caused by an update to Mozi bots — devices infected by Mozi malware — that stripped them of their functionality, according to ESET, which said it was able to identify and analyze the kill switch that caused Mozi’s demise. This kill switch stopped and replaced the Mozi malware, disabled some system services, executed certain router and device configuration commands and disabled access to various ports.

ESET says its analysis of the kill switch, which showed a strong connection between the botnet’s original source code and recently used binaries, indicates a “deliberate and calculated takedown.” The researchers say that this suggests the takedown was likely carried out by the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the botnet operators.

“The biggest piece of evidence is that this kill switch update was signed with the correct private key. Without this, the infected devices would not accept and apply this update,” Bešina told TechCrunch. “As far as we know only the original Mozi operators had access to this private signing key. The only other party that could reasonably acquire this private signing key is the Chinese law enforcement agency that caught the Mozi operators in July 2021.”

Bešina added that ESET’s analysis of the kill switch update showed that it must have been compiled from the same base source code. “The new kill switch update is just a ‘stripped down’ version of the original Mozi,” said Bešina.

The apparent takedown of Mozi comes weeks after the FBI took down and dismantled the notorious Qakbot botnet, a banking trojan that became known for providing an initial foothold on a victim’s network that other hackers could buy access to and use to deliver their own malware.