Microsoft’s Defender for Internet of Things Research Team and Microsoft’s Threat Intelligence Centre have collaborated to create an open source forensic solution for popular Mikrotik routers that have been compromised to function as proxy servers for the Trickbot malware gang.
The researchers discovered that attackers with several means to access Mikrotik routers were able to reroute traffic to and from Trickbot command and control servers by using instructions particular to the Latvian vendor’s RouterOS operating system (preceded by the “/” character). Administrators can get device version identifiers and link them to Common Vulnerabilities and Exposures (CVEs) indexes using Microsoft’s routeros-scanner tool.
Microsoft’s Defender for Internet of Things Research Team and Microsoft’s Threat Intelligence Centre have teamed up to produce an open source forensic solution for popular Mikrotik routers that have been hacked to serve as proxy servers for the Trickbot malware gang.
The researchers determined that by exploiting instructions specific to the Latvian vendor’s RouterOS operating system (preceded by the “/” character), attackers with a variety of ways to access Mikrotik routers were able to divert traffic to and from Trickbot command and control servers.
Using Microsoft’s routeros-scanner tool, administrators can obtain device version identifiers and link them to Common Vulnerabilities and Exposures (CVEs) indexes. A search of the Shodan.io scanning site for Mikrotik routers connected to the internet revealed slightly over 77,000 units in Australia and New Zealand, with more than 3.3 million worldwide.
Trickbot, which is based on the previous Dyre malware, is one of the world’s most hazardous botnets and is frequently used to transmit ransomware payloads. Microsoft security professionals worked with law enforcement agencies throughout the world to shut down Trickbot’s infrastructure, resulting in the arrest and extradition of some of the malware’s creators to the United States to face charges.
