In August 2023, the notorious Mozi botnet, infamous for exploiting vulnerabilities in hundreds of thousands of IoT devices each year, experienced a sudden and unanticipated nosedive in activity. The drop was first observed in India on August 8th, 2023 and a week later, on August 16th, in China; this mysterious disappearance stripped Mozi bots of most of their functionality.

Figure 1. Sudden drop in Mozi activity globally (top), in India (middle), and in China (bottom)

Our investigation into this event led us to the discovery of a kill switch on September 27th, 2023. We spotted the control payload (configuration file) inside a user datagram protocol (UDP) message that was missing the typical encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol. The person behind the takedown sent the control payload eight times, each time instructing the bot to download and install an update of itself via HTTP.
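A defender-side check for the observation above, added here as an example and not part of ESET's analysis: well-formed BT-DHT (KRPC) messages are bencoded dictionaries, so a UDP payload on a DHT port that does not parse as one is exactly the kind of unencapsulated message worth flagging. The bencode parser is a minimal one written for this example, and the two sample payloads are constructed; which UDP port a given device uses for DHT is an assumption the capture side has to supply.

```python
"""Flag UDP payloads on a DHT port that lack BT-DHT (bencode) framing."""

def _decode(data: bytes, i: int = 0):
    """Decode one bencoded value starting at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                      # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l" or c == b"d":         # list / dict: l...e / d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            if i >= len(data):
                raise ValueError("unterminated container")
            value, i = _decode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dict with odd number of elements")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                    # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated string")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {i}")

def classify_dht_payload(payload: bytes) -> str:
    """Return 'dht' for a well-formed KRPC message, otherwise 'non-dht'."""
    try:
        msg, end = _decode(payload)
    except (ValueError, IndexError):
        return "non-dht"
    if end != len(payload) or not isinstance(msg, dict):
        return "non-dht"                # trailing bytes or not a dictionary
    # Every KRPC message carries a transaction id 't' and a type 'y' in {q, r, e}.
    if b"t" not in msg or msg.get(b"y") not in (b"q", b"r", b"e"):
        return "non-dht"
    return "dht"

# Constructed samples: a DHT ping query, and an opaque blob standing in for a
# payload sent without BT-DHT encapsulation (not real Mozi data).
SAMPLE_DHT_PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
SAMPLE_RAW_BLOB = b"\x00\x01\x02config-payload-bytes\xff"
```

Run `classify_dht_payload` over each UDP payload seen on the DHT port; anything returning `non-dht` deserves a closer look, since legitimate DHT peers only ever exchange bencoded KRPC dictionaries.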

The kill switch demonstrated several functionalities, including:

  • killing the parent process, i.e., the original Mozi malware,
  • disabling some system services such as sshd and dropbear,
  • replacing the original Mozi file with itself,
  • executing some router/device configuration commands,
  • disabling access to various ports (iptables -j DROP), and
  • establishing the same foothold as the replaced original Mozi file.

We identified two versions of the control payload, with the latest one functioning as an envelope containing the first one with minor modifications, such as adding a function to ping a remote server, probably meant for statistical purposes.

Despite the drastic reduction in functionality, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown. Our analysis of the kill switch shows a strong connection between the botnet’s original source code and recently used binaries, and that the control payload was signed with the correct private keys (see Figure 2).

Figure 2. Code snippets of the original Mozi sample (left) vs kill switch sample seen in 2023 (right)
Figure 3. Control flow diagram of the original Mozi sample (left) vs kill switch sample seen in 2023 (right)

This leads us to hypothesize two potential originators of this takedown: the Mozi botnet creators, or Chinese law enforcement forcing the cooperation of the creators. The sequential targeting of bots in India and then in China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later.

Figure 4. Mozi timeline

The demise of one of the most prolific IoT botnets is a fascinating case of cyberforensics, providing us with intriguing technical information on how such botnets in the wild are created, operated, and dismantled. We are continuing to investigate this case and will publish a detailed analysis in the coming months. But for now, the question remains: Who killed Mozi?

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 758BA1AB22DD37F0F9D6FD09419BFEF44F810345 | mozi.m | Linux/Mozi.A | Original Mozi bot. |
| 9DEF707F156DD4B0147FF3F5D1065AA7D9F058AA | ud.7 | Linux/Mozi.C | Mozi bot kill switch. |

Network

| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 157.119.75[.]16 | N/A | AS135373 EFLYPRO-AS-AP EFLY NETWORK LIMITED | 2023-09-20 | Kill switch hosting server |

MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | The Mozi kill switch operators rented a server at eflycloud.com to host the update files. The Mozi kill switch operators rented multiple servers that send payloads on BT-DHT networks. |
| Initial Access | T1190 | Exploit Public-Facing Application | The Mozi kill switch operators sent an update command to Mozi clients on a BT-DHT network. |
| Persistence | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts | The kill switch creates multiple scripts, such as /etc/rc.d/rc.local, to establish persistence. |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | The kill switch sends an ICMP ping to the operator, perhaps for the purpose of monitoring. |
| Impact | T1489 | Service Stop | The kill switch stops the SSH service and blocks access to it with iptables. |