For several years, Mozi was among the most active botnets on the cyberthreat scene, exploiting flaws in hundreds of thousands of Internet of Things (IoT) devices every year. In a report last year, IBM’s X-Force unit said it saw a 3,000% jumped in Mozi activity between 2019 and 2020, and a year later Mozi accounted for 74% of the total volume of IoT malware.

The operators targeted networking and IoT devices, video recorders, and other connected systems and the malware could achieve persistence in compromised networks, enabling them to move laterally through networks and run attacks like ransomware and man-in-the-middle.

Despite the reported arrest of the Mozi botnet authors in the summer of 2021 that led to an overall drop in IoT attacks in the fourth quarter that year, the notorious malware continued to churn ahead, infecting more connected devices.

Until August, that is. According to researchers with cybersecurity firm ESET, Mozi activity in India “experienced a sudden and anticipated nosedive” on August 8. On August 16, same happened in China.

“This mysterious disappearance stripped Mozi bots of most of their functionality,” ESET researchers Ivan Bešina, Michal Škuta, and Miloš Čermák wrote in a report this week, adding that activity relating to the botnet dropped globally as well.

Who Flipped the Switch?

A month later, the researchers discovered the cause of the sharp decline in activity: a kill switch deliberately deployed within the botnet. The question then becomes, who was behind the kill switch? It’s one that ESET is still trying to answer.

Right now, the two suspects are the botnet creators themselves or Chinese law enforcement officials who forced the cooperation of the creators.

“The demise of one of the most prolific IoT botnets is a fascinating case of cyberforensics, providing us with intriguing technical information on how such botnets in the wild are created, operated, and dismantled,” Bešina, Škuta, and Čermák wrote. “We are continuing to investigate this case and will publish a detailed analysis in the coming months.”

A Busy Botnet

Mozi was first detected in 2019 by Netlab, the security arm of giant Chinese tech provider Qihoo 360. The peer-to-peer (P2P) botnet included source code from other botnet families, including Gafgyt, Mirai, and IoT Reaper, and could launch distributed denial-of-service (DDoS), data exfiltration, and payload execution.

It was known to target such IoT devices as network gateways and DVRs that had weak or default telnet passwords or were unpatched. The malware would infect one device and then spread to other systems.

In August 2021, Microsoft reported that Mozi had added further capabilities, including achieving persistence on network gateways from several networking vendors, using techniques that were adapted to each device’s particular architecture. Soon after that report, Mozi’s authors were arrested by Chinese authorities.

Despite the arrests, Netlab researchers wrote they expected the malware to infect other systems, adding that “Mozi uses a P2P network structure, and one of the ‘advantages’ of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices, that is why we can still see Mozi spreading.”

Shut Down, But Persistent

That it did, until two months ago. The kill switch was distributed to the Mozi bots via eight control payloads sent to each of them, with each instructing the bot to download and install an update of itself over HTTP.

The kill switch included several actions, including killing the parent process – the original Mozi malware – disabling system services like SSHD and DropBear, disabling access to various ports, and replacing the original Mozi file with itself.

However, while much of the botnets’ functionality was shut down, they have maintained persistence in the devices, “indicating a deliberate and calculated takedown,” the researchers wrote.

“We identified two versions of the control payload, with the latest one functioning as an envelope containing the first one with minor modifications, such as adding a function to ping a remote server, probably meant for statistical purposes,” they wrote. “Our analysis of the kill switch shows a strong connection between the botnet’s original source code and recently used binaries, and also the use of the correct private keys to sign the control payload.”

That led them to believe that it was either the malware creators or Chinese law enforcement forcing cooperation from them. The sequential targeting of the bots in India and then China indicates the shutdown was done deliberately.