Netlab 360’s team has discovered a new peer-to-peer (P2P) botnet that is actively expanding its network through unpatched routers from vendors such as D-Link, Huawei and Netgear. Dubbed Mozi, the botnet takes over devices with weak Telnet passwords and adds them to its network, with the final goal of performing DDoS attacks.
According to the researchers, who said they have been monitoring Mozi’s activities for nearly four months, the botnet reuses part of the Gafgyt code and relies on the Distributed Hash Table (DHT) protocol to build a P2P network. DHT is the standard distributed lookup protocol commonly used by torrent clients and other P2P platforms to store node contact information. Mozi also uses ECDSA384 and the XOR algorithm to ensure the integrity and security of its components and of the P2P network.
Mozi infects new devices via weak Telnet passwords and exploits, dropping and executing a payload after successfully exploiting vulnerable hosts. Once the malware runs on the now compromised device, the new bot is added to the Mozi P2P network as a new Mozi node and is used to infect further devices. Netlab 360’s team has found three versions of the Mozi botnet, each using slightly different Telnet propagation methods.
"After Mozi establishes the p2p network through the DHT protocol, the config file is synchronized, and the corresponding tasks are started according to the instructions in the config file," the team explained.
The botnet’s target list includes Eir D1000 routers, Vacron NVR devices, devices using the Realtek SDK, Netgear R7000 and R6400, DGN1000 Netgear routers, MVPower DVR, Huawei Router HG532, D-Link devices, GPON routers, and CCTV DVRs.
While the researchers have not been able to determine the exact scale of the Mozi botnet, they noted that the number of infections has been increasing.
To ensure that the Mozi network is not seized by other threat actors, the botnet’s operators implemented signature verification on each synchronized config, so that only configs that pass the built-in checks are accepted and executed by Mozi nodes.
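The signed-config pattern described above, as an added illustration that is not Netlab 360's code or Mozi's actual format: a node embeds a P-384 public key and applies a synchronized config only when its ECDSA signature verifies, so an unsigned, altered, or re-signed config from a third party is dropped. The SignedConfig layout and function names are assumptions chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// SignedConfig models a synchronized config carrying a detached
// signature. This layout is a hypothetical illustration, not Mozi's
// on-the-wire format, which the article does not describe.
type SignedConfig struct {
	Body []byte // the config text itself
	Sig  []byte // ASN.1 DER-encoded ECDSA signature over SHA-384(Body)
}

// SignConfig is the operator side: only the holder of the private key
// can produce a signature the nodes will accept.
func SignConfig(priv *ecdsa.PrivateKey, body []byte) (SignedConfig, error) {
	digest := sha512.Sum384(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Body: body, Sig: sig}, nil
}

// AcceptConfig is the node side: the public key is baked into the
// binary, and a config is applied only when its signature verifies.
// Anything unsigned, signed with another key, or modified fails here.
func AcceptConfig(pub *ecdsa.PublicKey, cfg SignedConfig) bool {
	digest := sha512.Sum384(cfg.Body)
	return ecdsa.VerifyASN1(pub, digest[:], cfg.Sig)
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	cfg, _ := SignConfig(priv, []byte("constructed sample config"))
	fmt.Println("genuine accepted:", AcceptConfig(&priv.PublicKey, cfg))

	// A party without the private key pushes an altered body with the old signature.
	tampered := SignedConfig{Body: []byte("altered config"), Sig: cfg.Sig}
	fmt.Println("tampered accepted:", AcceptConfig(&priv.PublicKey, tampered))
}
```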
The main instructions accepted by Mozi nodes include:
Performing DDoS attacks
Collecting information from the bot
Executing system or custom commands
Executing a payload from a specified URL
Updating the sample from the specified URL
More detailed technical information on the inner workings of the Mozi P2P botnet, including malware sample hashes and other IoCs, is provided in a Netlab 360 blog post.