Mysterious Kill Switch Disrupts Mozi IoT Botnet Operations

Kill Switch

The unexpected drop in malicious activity connected with the Mozi botnet in August 2023 was due to a kill switch that was distributed to the bots.

“First, the drop manifested in India on August 8,” ESET said in an analysis published this week. “A week later, on August 16, the same thing happened in China. While the mysterious control payload – aka kill switch – stripped Mozi bots of most functionality, they maintained persistence.”

Mozi is an Internet of Things (IoT) botnet that emerged from the source code of several known malware families, such as Gafgyt, Mirai, and IoT Reaper. First spotted in 2019, it’s known to exploit weak and default remote access passwords as well as unpatched security vulnerabilities for initial access.

In September 2021, cybersecurity firm Netlab researchers disclosed the arrest of the botnet operators by Chinese authorities.

But the precipitous decline in Mozi activity – from around 13,300 hosts on August 7 to 3,500 on August 10 – is said to be the result of an unknown actor transmitting a command instructing the bots to download and install an update designed to neutralize the malware.

Kill Switch
Shadowserver Foundation

Specifically, the kill switch demonstrated capabilities to terminate the malware’s process, disable system services such as SSHD and Dropbear, and ultimately replace Mozi with itself.

“Despite the drastic reduction in functionality, Mozi bots have maintained persistence, indicating a deliberate and calculated takedown,” security researchers Ivan Bešina, Michal Škuta, and Miloš Čermák said.

A second variant of the control payload came fitted with minor changes, including a feature to ping a remote server, likely for statistical purposes. What’s more, the kill switch exhibits a strong overlap with the botnet’s original source code and is signed with the correct private key,

“There are two potential instigators for this takedown: the original Mozi botnet creator or Chinese law enforcement, perhaps enlisting or forcing the cooperation of the original actor or actors,” Bešina said.

“The sequential targeting of India and then China suggests that the takedown was carried out deliberately, with one country targeted first and the other a week later.”



Original Source



A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.