Mozi Botnet
Mozi is a variant of the Gafgyt, Mirai and IoT Reaper malware families. The main objective of this botnet is to carry out DDoS attacks against IoT devices.
I'll start with the initial information from the sample that I got. The sample is an ELF32 file packed with UPX. With the tool hexdump we can see the magic number of an ELF file and the signature of the UPX packer.
While unpacking the file I got an error about the file being corrupted, like the one in the image below. The error was caused by the p_info section having a null value.
The next thing to do is to set the value of the p_filesize field, because it holds the same value. In the first image I highlight the p_info section, which is 12 bytes long. In the second image I highlight the p_filesize field, so the new value is as shown in the third image.
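To make the header check concrete, here is a small Python script, added as an example and not code from the original post, that locates UPX's l_info and p_info structures in a UPX-packed ELF32, reports whether p_filesize and p_blocksize are zeroed, and writes a size supplied by the analyst into both fields. It assumes UPX's header layout (l_info, then p_info, immediately after the program headers, with fields in the target's byte order) and uses a constructed stand-in for the packed sample rather than the real Mozi binary; where the correct size value is read from is left to the analyst, as in the post.

```python
import struct

UPX_MAGIC = 0x21585055          # "UPX!" read as a little-endian u32
L_INFO_SIZE = 12                # l_checksum, l_magic, l_lsize, l_version, l_format
P_INFO_SIZE = 12                # p_progid, p_filesize, p_blocksize

def _endian(data: bytes) -> str:
    # EI_CLASS (byte 4) must be 1 for ELF32; EI_DATA (byte 5) selects byte order.
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not an ELF32 file")
    return "<" if data[5] == 1 else ">"

def p_info_offset(data: bytes) -> int:
    """Offset of UPX's p_info: it follows l_info, which follows the program headers."""
    end = _endian(data)
    (e_phoff,) = struct.unpack(end + "I", data[28:32])
    e_phentsize, e_phnum = struct.unpack(end + "HH", data[42:46])
    l_info = e_phoff + e_phentsize * e_phnum
    (l_magic,) = struct.unpack(end + "I", data[l_info + 4:l_info + 8])
    if l_magic != UPX_MAGIC:
        raise ValueError("UPX l_info magic not found after program headers")
    return l_info + L_INFO_SIZE

def read_p_info(data: bytes) -> dict:
    off = p_info_offset(data)
    progid, filesize, blocksize = struct.unpack(_endian(data) + "III", data[off:off + P_INFO_SIZE])
    return {"p_progid": progid, "p_filesize": filesize, "p_blocksize": blocksize}

def patch_p_info(data: bytes, size: int) -> bytes:
    """Write `size` into both p_filesize and p_blocksize, but only if they were zeroed."""
    info = read_p_info(data)
    if info["p_filesize"] or info["p_blocksize"]:
        raise ValueError("p_info is not zeroed; refusing to overwrite")
    off = p_info_offset(data)
    patched = bytearray(data)
    struct.pack_into(_endian(data) + "II", patched, off + 4, size, size)
    return bytes(patched)

def build_sample() -> bytes:
    """Constructed stand-in (not a real binary): ELF32 LE header, two empty phdrs, valid l_info, zeroed p_info."""
    ehdr = bytearray(52)
    ehdr[:7] = b"\x7fELF\x01\x01\x01"           # ELF32, little-endian, version 1
    struct.pack_into("<I", ehdr, 28, 52)         # e_phoff right after the header
    struct.pack_into("<HH", ehdr, 42, 32, 2)     # e_phentsize, e_phnum
    phdrs = bytes(32 * 2)
    l_info = struct.pack("<IIHBB", 0, UPX_MAGIC, 0, 13, 0)
    p_info = bytes(P_INFO_SIZE)                  # the "corrupted" header with null fields
    return bytes(ehdr) + phdrs + l_info + p_info
```

On a real sample, read the file into `data`, call `read_p_info` to confirm the zeroed fields, then `patch_p_info` with the recovered size and write the result back before running `upx -d`.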
With these changes the unpacking succeeded. Now, with a simple strings run, we can see part of what Mozi can do. The devices this botnet attacks most are GPON routers, Realtek, Huawei, D-Link and Netgear.
Mozi uses the remote configuration protocol for routers (TR-069) and sets a password on the connection.
An interesting thing is that Mozi adds some iptables rules to prevent someone else from attacking the compromised device.
Mozi uses the DHT protocol to build its P2P network and adds further iptables rules to route the traffic.
In the table below I list the IOCs from the sample.
| Type | Value | Note |
|------|-------|------|
| URL | hxxp://222.82.155.100:54591/Mozi.m | |
| md5 | 9a111588a7db15b796421bd13a949cd4 | Mozi.m packed |
| md5 | 93828e909cb0c9b960a5df6fb9ab9706 | Mozi.m unpacked |
Hope you enjoyed the analysis, and feel free to get in touch with me if you have questions or suggestions.