Trickbot uses compromised MikroTik routers as C2 communication proxies
MikroTik routers are getting compromised to serve as communication proxies for Trickbot malware, to enable Trickbot-affected devices to communicate with their their C2 server in a way that standard network defense systems won’t detect, Microsoft researchers have found.
MikroTik routers under attack
Trickbot is a modular trojan that’s been around since 2016 and is often used by cybercriminals to deliver ransomware or other malware.
Previous attempts to cripple the Trickbot botnet have been just partly successful, so the botnet lives on. Its controllers are also constantly trying new tricks to allow the malware to persist on infected systems and keep communication with C2 servers uninterrupted.
Their latest trick is to gain control over MikroTik routers – either by trying out default passwords, launching brute-force attacks (with unique passwords that were likely harvested from other MikroTik devices), or exploiting CVE-2018-14847 – and keep it by changing the affected device’s password.
The compromised routers are then used to create a line of communication between the Trickbot-infected device and the Trickbot C2 servers: the routers receive traffic from Trickbot-infected device via port 449, redirect it to port 80, and send it from that port to the command and control server.
Detection and remediation
Having your MikroTik routers compromised just to serve as communication proxies might seem like a much lesser problem than them being hijacked for cryptojacking, for intercepting traffic and serving malicious sites and ads, or to participate in DDoS attacks.
Nevertheless, consumers and organizations should keep in mind that a switch to any of those can be made by attackers at any moment.
To help (tech-savvy) users and organizations discover whether their MicroTik devices have been compromised, Microsoft researchers have released an open-source forensic tool that allows them to search for suspicious properties and weak security points that need to be fixed on the router.
They have also delineated some detection and remediation steps organizations can take to clean-up infected devices and steps they can take to prevent future infections.