The unexpected drop in malicious activity connected with the Mozi botnet in August 2023 was due to a kill switch that was distributed to the bots.
“First, the drop manifested in India on August 8,” ESET said in an analysis published this week. “A week later, on August 16, the same thing happened in China. While the mysterious control payload – aka kill switch – stripped Mozi bots of most functionality, they maintained persistence.”
Mozi is an Internet of Things (IoT) botnet that emerged from the source code of several known malware families, such as Gafgyt, Mirai, and IoT Reaper. First spotted in 2019, it’s known to exploit weak and default remote access passwords as well as unpatched security vulnerabilities for initial access.
In September 2021, researchers from cybersecurity firm Netlab disclosed the arrest of the botnet operators by Chinese authorities.
But the precipitous decline in Mozi activity – from around 13,300 hosts on August 7 to 3,500 on August 10 – is said to be the result of an unknown actor transmitting a command instructing the bots to download and install an update designed to neutralize the malware.
Specifically, the kill switch demonstrated capabilities to terminate the malware’s process, disable system services such as SSHD and Dropbear, and ultimately replace Mozi with itself.
“Despite the drastic reduction in functionality, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown,” security researchers Ivan Bešina, Michal Škuta, and Miloš Čermák said.
A second variant of the control payload came fitted with minor changes, including a feature to ping a remote server, likely for statistical purposes. What’s more, the kill switch exhibits a strong overlap with the botnet’s original source code and is signed with the correct private key previously used by the original Mozi operators.
“There are two potential instigators for this takedown: the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the original actor or actors,” Bešina said.
“The sequential targeting of India and then China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later.”