Security News > 2022 > March > Trickbot uses compromised MikroTik routers as C2 communication proxies
MikroTik routers are getting compromised to serve as communication proxies for Trickbot malware, to enable Trickbot-affected devices to communicate with their their C2 server in a way that standard network defense systems won't detect, Microsoft researchers have found.
Its controllers are also constantly trying new tricks to allow the malware to persist on infected systems and keep communication with C2 servers uninterrupted.
Their latest trick is to gain control over MikroTik routers - either by trying out default passwords, launching brute-force attacks, or exploiting CVE-2018-14847 - and keep it by changing the affected device's password.
The compromised routers are then used to create a line of communication between the Trickbot-infected device and the Trickbot C2 servers: the routers receive traffic from Trickbot-infected device via port 449, redirect it to port 80, and send it from that port to the command and control server.
Having your MikroTik routers compromised just to serve as communication proxies might seem like a much lesser problem than them being hijacked for cryptojacking, for intercepting traffic and serving malicious sites and ads, or to participate in DDoS attacks.
To help users and organizations discover whether their MicroTik devices have been compromised, Microsoft researchers have released an open-source forensic tool that allows them to search for suspicious properties and weak security points that need to be fixed on the router.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-08-02 | CVE-2018-14847 | Path Traversal vulnerability in Mikrotik Routeros MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface. | 6.4 |