
Zte exploit researcher


The Mozi botnet has been around for a while now, and it continues to evolve. According to the researchers, the botnet now targets network gateways manufactured by Netgear, Huawei, and ZTE, using infected devices as an initial access point to corporate networks. It does so by using clever persistence techniques that are specifically adapted to each gateway's particular architecture. 'By infecting routers, they can perform man-in-the-middle (MITM) attacks, via HTTP hijacking and DNS spoofing, to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities,' Microsoft said. To increase its chances of survival, the malware prevents remote access by blocking the following TCP ports:


Microsoft researchers have published a blog post detailing new capabilities of the Mozi IoT botnet, which recruits IoT devices to conduct distributed denial-of-service (DDoS) attacks, data exfiltration, and command or payload execution.
