Mozi Botnet

Summary

Mozi is a newly observed worm and botnet believed to be based on a version of the BASHLITE malware.


Affected platforms

The following platforms are known to be affected:

  • IoT Devices

Threat details

As with most BASHLITE variants, Mozi propagates via the Hajime botnet to connect to its peer-to-peer network. At the time of publication, it is unclear what Mozi's botnet is used for, although it is likely that it will be offered for use in distributed denial-of-service attacks.

For further information:


Remediation steps

To avoid devices becoming part of an Internet-of-Things (IoT) botnet, organisations should:

  • Review the network security of IoT devices on the estate.
  • Change any IoT device default usernames and passwords.

Additionally, to prevent and detect an infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, anti-virus and other security products are kept up-to-date.
  • Regular anti-virus and security scans are performed on your organisation’s estate.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from affected devices are reset on a clean computer.
  • Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.


Indicators of compromise

Main indicators

MD5 File Hashes

  • 849b165f28ae8b1cebe0c7430f44aff3
  • eda730498b3d0a97066807a2d98909f3
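
One way to check a mounted device filesystem or an extracted firmware image against the two MD5 hashes above, as an added example that is not part of the original advisory. The `sweep` and `md5_of` names are assumptions of this example; a match identifies only a byte-identical file, so an empty result does not rule out a modified sample.

```python
import hashlib
import os
import stat

# MD5 indicators listed in this advisory.
MOZI_MD5 = frozenset({
    "849b165f28ae8b1cebe0c7430f44aff3",
    "eda730498b3d0a97066807a2d98909f3",
})


def md5_of(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large firmware blobs are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, indicators=MOZI_MD5):
    """Return (matches, unreadable) for every regular file under root.

    matches is a sorted list of (path, md5); unreadable lists paths that could
    not be hashed, so gaps in coverage are visible rather than silent.
    """
    wanted = {value.lower() for value in indicators}
    matches, unreadable = [], []
    for folder, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(folder, name)
            try:
                # lstat: skip symlinks, devices and FIFOs instead of following them.
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue
                value = md5_of(path)
            except OSError:
                unreadable.append(path)
                continue
            if value in wanted:
                matches.append((path, value))
    return sorted(matches), sorted(unreadable)


if __name__ == "__main__":
    import sys
    hits, skipped = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, value in hits:
        print(f"MATCH {value} {path}")
    print(f"{len(hits)} match(es), {len(skipped)} unreadable file(s)")
```

Run it with the directory to scan as the only argument; files listed as unreadable were not hashed and need checking with sufficient privileges.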

Last edited: 10 January 2022 4:26 pm