The Mozi botnet's unanticipated decline in malicious activity in August 2023 was caused by a kill switch delivered to the bots.
"First, the drop manifested in India on August 8," ESET said in a study that was released this past week. "On August 16, one week later, the same incident occurred in China. The majority of the Mozi bots' functionality was removed by the enigmatic control payload, also known as the kill switch, but they continued to persist."

An Internet of Things (IoT) botnet called Mozi emerged from the source code of a number of well-known malware families, including IoT Reaper, Gafgyt, and Mirai. It was first discovered in 2019 and is known to gain initial access by taking advantage of unpatched security flaws and weak or default remote access passwords.
In September 2021, researchers from cybersecurity firm Netlab disclosed the arrest of the botnet operators by Chinese authorities.
The precipitous decline saw Mozi activity drop from roughly 13,300 hosts on August 7 to 3,500 hosts on August 10. It is attributed to an unidentified actor sending out a command telling the bots to download and install an update intended to neutralize the malware.
Specifically, the kill switch was able to stop the malware's execution, disable system services such as Dropbear and SSHD, and finally replace Mozi with itself.
Security researchers Ivan Bešina, Michal Škuta, and Miloš Čermák stated that “Mozi bots have maintained persistence, indicating a deliberate and calculated takedown” despite the drastic reduction in functionality.
Furthermore, the kill switch is signed using the same private key that was previously used by the original Mozi operators and shows a significant amount of overlap with the botnet’s original source code.
“There could be two potential instigators for this takedown: the original Mozi botnet creator or Chinese security forces, perhaps enlisting or forcing the cooperation of the original actor or actors,” Bešina said.
“The sequential attacking of India and then China suggests that the takedown was carried out consciously, with one country targeted first and the other a week later.”