Has Trickbot gang hijacked your router? This scanner may have an answer (Security News, March 2022)
Microsoft has published a tool that scans for and detects MikroTik-powered Internet-of-Things devices that have been hijacked by the Trickbot gang.
The open-source scanner comes after an investigation by Redmond's Defender for IoT research team into how the nefarious malware crew takes over MikroTik routers and sets them up to funnel communications to and from Trickbot-infected computers on the network and the criminals' backend servers.
Microsoft spotted the Trickbot gang sending MikroTik-specific RouterOS commands to infected devices to set up C2 traffic redirection, and then tracked those commands back to their source.
As the threat researchers explained: "MikroTik devices have a unique Linux-based OS called RouterOS with a unique SSH shell that can be accessed through SSH protocol using a restricted set of commands." Those commands are prefixed with a forward slash (/). Microsoft noted that on a hijacked router the redirected C2 traffic arrives on port 449, a known Trickbot port, and is sent back out through port 80.
The scanner connects to MikroTik devices over SSH and looks for traffic-redirection rules and changed ports, among other Trickbot indicators.
Unsurprisingly, the number-one tip for avoiding future Trickbot infestations is to stay patched and to use a strong password rather than the MikroTik default.
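To make the redirection indicator concrete, here is an added example of the kind of check the scanner performs. It is not Microsoft's scanner code: it parses the text a RouterOS device prints for `/ip firewall nat print` and flags dst-nat rules that take traffic arriving on the known Trickbot port 449 and send it out on port 80, as the article describes. The sample output, the `198.51.100.7` address, the assumed line layout and the `parse_nat_rules`/`find_trickbot_redirects` helper names are this example's own assumptions.

```python
"""Added example (not Microsoft's scanner code): parse `/ip firewall nat print`
output from a MikroTik RouterOS device and flag dst-nat rules that redirect the
known Trickbot port 449 out to port 80, the indicator described in the article.
The sample output below is constructed; the real layout may differ slightly."""
import re
import shlex

TRICKBOT_PORT = "449"   # known Trickbot C2 port (from the article)
REDIRECT_PORT = "80"    # port the redirected traffic is sent out on (from the article)

# Constructed sample of what `/ip firewall nat print` shows on the RouterOS CLI.
# Rule 1 is the Trickbot-style redirect; rule 2 is disabled (flag X) and benign.
SAMPLE_NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
 1    chain=dstnat action=dst-nat to-addresses=198.51.100.7 to-ports=80 protocol=tcp dst-port=449 log=no log-prefix=""
 2 X  chain=dstnat action=dst-nat to-ports=8080 protocol=tcp dst-port=8080 log=no log-prefix=""
"""

# One rule per line: index, optional single-letter flags, then key=value pairs.
RULE_RE = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(chain=.*)$")


def parse_nat_rules(text):
    """Return a list of dicts, one per NAT rule, keeping RouterOS key names as-is."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header / flags legend line
        idx, flags, body = m.groups()
        rule = {"id": int(idx), "disabled": "X" in flags.split()}
        # shlex handles quoted values such as log-prefix="" correctly.
        for token in shlex.split(body):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def find_trickbot_redirects(rules):
    """Flag dst-nat rules matching the 449 -> 80 redirection indicator."""
    hits = []
    for rule in rules:
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        # dst-port may be a comma-separated list on RouterOS; check each entry.
        dst_ports = rule.get("dst-port", "").split(",")
        if TRICKBOT_PORT in dst_ports and rule.get("to-ports") == REDIRECT_PORT:
            hits.append(rule)
    return hits


def report(text):
    """Print a one-line summary per suspicious rule; return the list of hits."""
    hits = find_trickbot_redirects(parse_nat_rules(text))
    for rule in hits:
        state = "disabled" if rule["disabled"] else "active"
        print(f"suspicious NAT rule {rule['id']} ({state}): "
              f"dst-port {rule['dst-port']} -> "
              f"{rule.get('to-addresses', '?')}:{rule['to-ports']}")
    return hits


if __name__ == "__main__":
    report(SAMPLE_NAT_PRINT)
```

In practice the text would come from an SSH session to the router rather than a string literal; the parser deliberately keeps disabled rules (flag X) in its output, because a redirect that has merely been switched off is still evidence worth reporting.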
News URL
https://go.theregister.com/feed/www.theregister.com/2022/03/17/microsoft_trickbot_scanner/