[German]The Trickbot gang infects IoT devices and MikroTik routers with malware to make them part of a botnet. The infected routers can then communicate with the Trickbot Gang's C&C servers and spread further malware or be misused for attacks. Microsoft has now released details on how Trickbot infections work, while also providing a free Python tool for detecting MikroTik Trickbot infections.
Trickbot is the name of a malware as well as the cybercrime group behind it. Originally, it was a Trojan for Microsoft Windows that was supposed to capture banking data and other credentials. In the meantime, those behind it have expanded its capabilities and created a complete modular malware ecosystem that runs on various operating systems. Meanwhile, Trickbot also infects routers from MikroTik to abuse them as proxies for communication with C&C servers.
Trickbot insides and an infection scanner
A German blog reader pointed me to this article with some information about Trickbot. But also from Microsoft there is some recent information about Trickbot infections of MicroTik routers. I came across the issue via the following tweet, which is covered in the blog post Uncovering Uncovering Trickbot's use of IoT devices in command-and-control infrastructure.
Microsoft writes that those behind it have extended Trickbot's capabilities so that the malware can extend to Internet of Things (IoT) devices such as routers. MikroTik devices in particular are targeted, as their routers are widely used in various industries around the world. By using MikroTik routers as proxy servers to communicate with its C2 servers and redirecting traffic through non-standard ports, the botnet has another persistence layer to obfuscate communication with malicious IPs and thus evade detection by standaMicrosoft releases scan tool for MikroTic Trickbot infectionsrd security systems.
The Microsoft Defender for IoT research team recently succeeded in uncovering the exact method by which MikroTik devices are used to communicate in Trickbot's C2 infrastructure. In this blog post, security researchers share their analysis of this method and provide insights into how attackers gain access to MikroTik devices and use compromised IoT devices to launch Trickbot attacks.
The attacks on MikroTik routers to infect the devices use fairly simple methods. Default MikroTik passwords are used or brute force attacks are used to access the routers' management interface. Some unique passwords are used, which were probably tapped from other MikroTik devices. And vulnerability CVE-2018-14847 is exploited on devices with RouterOS versions older than 6.42. This vulnerability gives the attacker the ability to read arbitrary files such as user.dat that contain passwords.
Once the malware gains access to the router, it changes the user access password. Then, the malware uses specific SSH shell commands to redirect traffic from the device to a server via a new rule. This is received from port 449 and redirected to port 80. The legitimate Network Address Translation (NAT) command allows the NAT router to rewrite IP addresses. In this case, the command is used for malicious activities. Trickbot is known to use ports 443 and 449, and Microsoft has found that some target servers have been identified as TrickBot C2 servers in the past.
OpenSource tool for MikroTik scans
Microsoft has released an open source tool in Python to scan MikroTik routers for infections. This tool provides the following functions, among others:
- Retrieving device version and mapping to CVEs
- Check for scheduled tasks
- Search for traffic redirection rules (NAT and other rules)
- Search for DNS cache poisoning
- Search for changes in default ports
- Search for non-default users
Cookies helps to fund this blog: Cookie settings