
The Cybersecurity Lair™ • November 11, 2024

101 Series | The Infamous Mozi Botnet

Exploring the Legacy and Impact of Mozi’s IoT-Focused Cyber Threats

The Mozi botnet, notorious for targeting IoT devices, first emerged in 2019 and rapidly gained attention for its unusual peer-to-peer (P2P) architecture and its effectiveness at compromising misconfigured IoT devices such as routers and network cameras. Built from portions of Mirai and Gafgyt code, Mozi infects vulnerable devices across a wide range of geographic regions by leveraging weak credentials and exploiting open ports. This approach led to millions of infected devices, mostly in Asia and Europe, until 2021, when Chinese law enforcement intervened and temporarily curtailed its operations.


  • Peer-to-Peer Architecture: Mozi uses a P2P network, making it more resilient to takedowns and harder to track than traditional botnets.
  • IoT-Focused Targeting: Its primary targets are IoT devices such as Netgear and D-Link routers, which are often under-secured and widely accessible.
  • Credential Stuffing and Exploitation: Mozi spreads by brute-forcing weak credentials and exploiting vulnerabilities on open ports of IoT devices.
  • Law Enforcement Intervention: Chinese authorities arrested Mozi's creators, and an update released in 2023 halted Mozi’s connections; yet remnants of Mozi remain and are repurposed by other botnets like Androxgh0st.
  • Integration with New Botnets: Mozi’s capabilities have been incorporated by newer botnets, expanding its influence beyond the original P2P network and widening its reach through integration with other malware like Androxgh0st.


Analysis


Mozi’s P2P structure and focus on IoT vulnerabilities marked a shift in botnet architecture, providing a model for resilient botnet design. Traditional botnets often rely on centralised control, making them vulnerable to takedown efforts; Mozi’s decentralised approach, by contrast, allows it to persist and regenerate despite attempts to dismantle it. Mozi’s use of brute-force credential stuffing is particularly effective on IoT devices, where security is typically lax. The botnet's impact, reaching a vast network of under-secured devices across Asia and Europe, demonstrates the importance of improving IoT security standards globally. Although halted temporarily by law enforcement, Mozi's structure remains influential, with fragments repurposed by other botnets, indicating that while one operation might be neutralised, its components can still persist and be weaponised by new threats.


Technical Key Points


  • P2P Network Architecture: Uses peer-to-peer communication, enhancing resilience and operational persistence.
  • Targeted IoT Devices: Primary targets include Netgear, D-Link routers, and various IoT network devices that typically lack strong security controls.
  • Brute-force Credential Stuffing: Spreads by brute-forcing login credentials and exploiting open ports, allowing it to infiltrate a vast network of IoT devices.
  • Law Enforcement Action: In 2021, the creators were arrested, and a 2023 update effectively killed the botnet’s ability to connect externally.
  • Legacy and Integration with Other Botnets: Although shut down, Mozi's capabilities are integrated into newer botnets, such as Androxgh0st, which continue to use its IoT-focused payloads and spreading mechanisms.


Conclusion


Mozi's design and operations signify a pivotal development in botnet architecture, showcasing the potential of decentralised, IoT-specific attacks. Even though Mozi’s original operations were disrupted, its modular code and effective P2P model have been adopted and integrated by other threat actors. This emphasises the critical need for IoT security enhancements, including stronger authentication measures and proactive vulnerability management. As IoT devices become more ubiquitous, improving their defences will be vital to reducing the impact of botnets like Mozi and its successors.


Sources and further reading


Fraunhofer FKIE. (n.d.). Mozi (Malware Family). Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi

INCIBE. (n.d.). Mozi. Servicio AntiBotnet. https://www.incibe.es/servicio-antibotnet/info/Mozi
