{
	"id": "d65baed2-f620-437d-9b6f-cfd5fd360b43",
	"created_at": "2026-04-06T00:11:52.384424Z",
	"updated_at": "2026-04-10T03:19:55.148138Z",
	"deleted_at": null,
	"sha1_hash": "a7b35f5c0e6052503b4a288287dcb3ae56a8fbb6",
	"title": "How to proactively defend against Mozi IoT botnet | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 342301,
	"plain_text": "How to proactively defend against Mozi IoT botnet | Microsoft\r\nSecurity Blog\r\nBy David Atch, Gil Regev, Ross Bevington\r\nPublished: 2021-08-19 · Archived: 2026-04-02 11:55:31 UTC\r\nMozi is a peer-to-peer (P2P) botnet that uses a BitTorrent-like network to infect IoT devices such as network\r\ngateways and digital video recorders (DVRs). It works by exploiting weak telnet passwords [1] and nearly a dozen\r\nunpatched IoT vulnerabilities [2], and it’s been used to conduct distributed denial-of-service (DDoS) attacks, data\r\nexfiltration, and command or payload execution [3].\r\nWhile the botnet itself is not new, Microsoft’s IoT security researchers recently discovered that Mozi has evolved\r\nto achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE. It does this using clever\r\npersistence techniques that are specifically adapted to each gateway’s particular architecture.\r\nNetwork gateways are a particularly juicy target for adversaries because they are ideal as initial access points to\r\ncorporate networks. Adversaries can search the internet for vulnerable devices via scanning tools like Shodan,\r\ninfect them, perform reconnaissance, and then move laterally to compromise higher value targets—including\r\ninformation systems and critical industrial control system (ICS) devices in the operational technology (OT)\r\nnetworks.\r\nBy infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS\r\nspoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities. In the\r\ndiagram below we show just one example of how the vulnerabilities and newly discovered persistence techniques\r\ncould be used together. 
Of course, there are many more possibilities.\r\nhttps://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/\r\nPage 1 of 7\n\nFigure 1: Attack flow for Mozi botnet.\r\nGuidance: Proactive defense\r\nBusinesses and individuals that are using impacted network gateways (Netgear, Huawei, and ZTE) should take the\r\nfollowing steps immediately to ensure they are resistant to the attacks described in this blog:\r\n1. Ensure all passwords used on the device are created using strong password best practices.\r\n2. Ensure devices are patched and up-to-date.\r\nDoing so will reduce the attack surfaces leveraged by the botnet and prevent attackers from getting into a position\r\nwhere they can use the newly discovered persistence and other exploit techniques described in more detail below.\r\nThe intelligence of our security cloud and all of our Microsoft Defender products, including Microsoft\r\n365 Defender (XDR), Azure Sentinel (cloud-native SIEM/SOAR), as well as Azure Defender for IoT also provide\r\nprotection from this malware and are continuously updated with the latest threat intelligence as the threat\r\nlandscape continues to evolve. The recent acquisition of ReFirm Labs will further enhance Azure Defender for\r\nIoT’s ability to protect customers with its upcoming deep firmware scanning and analysis capabilities, which will be\r\nintegrated with Device Update for Azure IoT Hub’s patching capabilities.\r\nTechnical description of new persistence capabilities\r\nApart from its known extensive P2P and DDoS abilities, we have recently observed several new and unique\r\ncapabilities of the Mozi botnet.\r\nTargeting Netgear, Huawei, and ZTE gateways, the malware now takes specific actions to increase its chances of\r\nsurvival upon reboot or any other attempt by other malware or responders to interfere with its operation. 
Here are\r\nsome examples:\r\nAchieving privileged persistence\r\nA specific check is conducted for the existence of the /overlay folder, and whether the malware lacks write\r\npermissions to the folder /etc. If so, it will try to exploit CVE-2015-1328.\r\nSuccessful exploitation of the vulnerability will grant the malware access to the following folders:\r\n/etc/rc.d\r\n/etc/init.d\r\nThen the following actions are taken:\r\nIt places the script file named S95Baby.sh in these folders.\r\nThe script runs the files /usr/networks or /user/networktmp. These are copies of the executable.\r\nIt adds the script to /etc/rcS.d and /etc/rc.local in case it lacks privileges.\r\nZTE devices\r\nA specific check is conducted for the existence of the /usr/local/ct folder; this serves as an indicator of the device\r\nbeing a ZTE modem/router device.\r\nThe following actions are taken:\r\nIt copies its other instance (/usr/networks) to /usr/local/ct/ctadmin0; this provides persistence for the malware.\r\nIt deletes the file /home/httpd/web_shell_cmd.gch. This file can be used to gain access through exploitation of\r\nthe vulnerability CVE-2014-2321; deleting it prevents future attacks.\r\nIt executes the following commands. These disable Tr-069 and its ability to connect to the auto-configuration server\r\n(ACS). 
Tr-069 is a protocol for remote configuration of network devices; it’s usually utilized by service providers\r\nto configure customers’ equipment.\r\nsendcmd 1 DB set MgtServer 0 Tr069Enable 1\r\nsendcmd 1 DB set PdtMiddleWare 0 Tr069Enable 0\r\nsendcmd 1 DB set MgtServer 0 URL http://127.0.0.1\r\nsendcmd 1 DB set MgtServer 0 UserName notitms\r\nsendcmd 1 DB set MgtServer 0 ConnectionRequestUsername notitms\r\nsendcmd 1 DB set MgtServer 0 PeriodicInformEnable 0\r\nsendcmd 1 DB save\r\nHuawei devices\r\nExecution of the following commands changes the password and disables the management server for Huawei\r\nmodem/router devices. It also prevents others from gaining access to the device through the management server.\r\ncfgtool set /mnt/jffs2/hw_ctree.xml\r\ncfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword acsMozi\r\nTo provide an additional level of persistence it also creates the following files if needed and appends an instruction\r\nto run its copy from /usr/networks.\r\n/mnt/jffs2/Equip.sh\r\n/mnt/jffs2/wifi.sh\r\n/mnt/jffs2/WifiPerformance.sh\r\nPreventing remote access\r\nThe malware blocks the following TCP ports:\r\n23—Telnet\r\n2323—Telnet alternate port\r\n7547—Tr-069 port\r\n35000—Tr-069 port on Netgear devices\r\n50023—Management port on Huawei devices\r\n58000—Unknown usage\r\nThese ports are used to gain remote access to the device. Shutting them down increases the malware’s chances of\r\nsurvival.\r\nScript infector\r\nIt scans for .sh files in the filesystem, excluding the following paths:\r\n/tmp /dev /var /lib /haha /proc /sys\r\nIt also appends a line to each file. 
The line instructs the script to run a copy of the malware from /usr/networks.\r\nThis increases its chances of survival on various devices.\r\nTraffic injection and DNS spoofing capabilities\r\nThe malware receives commands from its distributed hash table (DHT) network. The latter is a P2P protocol for\r\ndecentralized communications. The commands are received and stored in a file, of which parts are encrypted. This\r\nmodule works only on devices capable of IPv4 forwarding. It checks whether /proc/sys/net/ipv4/ip_forward is\r\nset to 1; such positive validation is characteristic of routers and gateways. This module works on ports UDP 53\r\n(DNS) and TCP 80 (HTTP).\r\nConfiguration commands\r\nApart from the previously documented commands in Table 1—for more information, read A New Botnet Attack\r\nJust Mozied Into Town—we also discovered these commands:\r\n[hi] – Presence of the command indicates it needs to use the MiTM module.\r\n[set] – Contains an encrypted portion which describes how to use the MiTM module.\r\nCommand Description\r\n[ss] Bot role\r\n[ssx] enable/disable tag [ss]\r\n[cpu] CPU architecture\r\n[cpux] enable/disable tag [cpu]\r\n[nd] new DHT node\r\n[hp] DHT node hash prefix\r\n[atk] DDoS attack type\r\n[ver] Value in V section in DHT protocol\r\n[sv] Update config\r\n[ud] Update bot\r\n[dr] Download and execute payload from the specified URL\r\n[rn] Execute specified command\r\n[dip] ip:port to download Mozi bot\r\n[idp] report bot\r\n[count] URL used to report the bot\r\nTable 1. Previously documented Mozi commands.\r\nDNS spoofing\r\nMozi receives a very simple list of DNS names which are then spoofed. Its structure is as follows:\r\n\u003cDNS to spoof\u003e:\u003cIP to spoof\u003e\r\nEach DNS request is answered with the spoofed IP. 
This is an efficient technique to redirect traffic to the attackers’\r\ninfrastructure.\r\nHTTP session hijacking\r\nThis part of the MITM functionality is responsible for hijacking HTTP sessions. Not every HTTP request is\r\nprocessed. There are several conditions for it to be qualified for hijacking, most of which are meant to restrict the\r\nmodule’s “level of noise” to lower the chances of it being discovered by network defenders.\r\nThe following are some of the rules:\r\nIt works only for HTTP GET requests. This means forms and more complex requests are ignored.\r\nA random number in the configuration states how many queries it would inject. This shows the attackers\r\nunderstand the importance of hiding this functionality. In other words, they are lowering its footprint in\r\norder to avoid alerting the user of the hijacking.\r\nSome domains are ignored, most likely to avoid interference with the normal operation of certain types of\r\nequipment or to avoid detection by various security countermeasures.\r\nIt only spoofs external traffic; HTTP requests inside the LAN are ignored.\r\nA test is conducted to validate that the URL doesn’t contain the string “veri=20190909”—this is done to\r\nprevent injecting the already-injected pages.\r\nIt returns a random HTTP response derived from a predefined list of responses. It has nine different types\r\nof hijacking; the specific type of hijacking and its parameters are derived from the configuration file.\r\nBelow are a few examples of these hijacking techniques.\r\nSome of the spoofing occurs via redirection using the HTTP Location header, as seen below.\r\nExample 1: Spoofing via redirection using the HTTP Location header. 
This should automatically redirect without\r\nany user interaction.\r\nExample 2: A hijacking method that only injects JavaScript; it is designed for ajax calls that evaluate the\r\nresponse, so this hijack method will inject a new script into the page.\r\nProtecting from Mozi Malware\r\nIt is important to note that Microsoft Security solutions have already been updated to protect, detect, and respond\r\nto Mozi and its enhanced capabilities.\r\nCustomers can use the network device discovery capabilities found in Microsoft Defender for Endpoint to\r\ndiscover impacted internet gateways on their IT networks and run vulnerability assessments. Additionally, the\r\nagentless network-layer capabilities of Azure Defender for IoT can be used to perform continuous asset discovery,\r\nvulnerability management, and threat detection for IoT and OT devices on their OT networks. This solution can be\r\nrapidly deployed (typically less than one day per site), and it is available for both on-premises and cloud-connected environments.\r\nDefender for IoT is also tightly integrated with Azure Sentinel, which provides a bird’s eye view across your\r\nentire enterprise—leveraging AI and automated playbooks to detect and respond to multi-stage attacks that often\r\ncross IT and OT boundaries.\r\nIn addition to detecting targeted attacks and living-off-the-land (LOTL) tactics via IoT/OT-aware behavioral\r\nanalytics, Defender for IoT incorporates threat information derived from trillions of signals analyzed daily by\r\nMicrosoft’s global team of security experts using AI and machine learning. 
This helps ensure our customers are\r\ncontinuously protected against both new and existing threats.\r\nWhile we offer many solutions, it remains critical that each of the recommendations in the “Guidance: Proactive\r\ndefense” section above be implemented on the impacted internet gateways to prevent them from becoming a\r\nvector of attack.\r\nTo learn more about how our integrated SIEM/XDR solutions, combined with Azure Defender for IoT, can help\r\nsecure your organization, please refer to the following resources:\r\nAzure Defender for IoT\r\nOverview of Azure Defender for IoT\r\nAzure Sentinel\r\nOverview of Azure Sentinel\r\nMicrosoft 365 Defender\r\nOverview of Microsoft 365 Defender\r\nDevice discovery overview for Microsoft Defender for Endpoint and Microsoft 365 Defender\r\nTo learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with\r\nour expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on\r\ncybersecurity.\r\n[1] Mozi, Another Botnet Using DHT, Alex Turing, Hui Wang, NetLab 360, 23 December 2019.\r\n[2] Mozi IoT Botnet, CERT-In, Ministry of Electronics and Information Technology, Government of India, 12\r\nNovember 2020.\r\n[3] New Mozi Malware Family Quietly Amasses IoT Bots, Black Lotus Labs, Lumen, 13 April 2020.\r\nSource: https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/"
	],
	"report_names": [
		"how-to-proactively-defend-against-mozi-iot-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775791195,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7b35f5c0e6052503b4a288287dcb3ae56a8fbb6.pdf",
		"text": "https://archive.orkl.eu/a7b35f5c0e6052503b4a288287dcb3ae56a8fbb6.txt",
		"img": "https://archive.orkl.eu/a7b35f5c0e6052503b4a288287dcb3ae56a8fbb6.jpg"
	}
}