Trickbot malware uses MikroTik routers as proxies to evade detection

Microsoft's Defender for IoT Research Team and Threat Intelligence Center (MSTIC) has published a report describing a new tactic involving MikroTik routers used by the Trickbot malware operators to add another persistence layer that helps malicious IP addresses evade detection by security solutions.

“This continuous evolution has seen Trickbot expand its reach from computers to Internet of Things (IoT) devices such as routers, with the malware updating its C2 infrastructure to utilize MikroTik devices and modules. MikroTik routers are widely used around the world across different industries. By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, Trickbot adds another persistence layer that helps malicious IPs evade detection by standard security systems,” MSTIC said.

The new tactic involves using compromised IoT devices, such as MikroTik routers, to create a line of communication between the Trickbot-infected device and the command and control server.

Threat actors gain access to the target routers in several ways: using default MikroTik credentials, brute-forcing passwords, or exploiting the CVE-2018-14847 vulnerability on devices running RouterOS versions older than 6.42. That flaw allows attackers to read arbitrary files, including user.dat, which stores passwords.

The attackers then issue a legitimate network address translation (NAT) command so that the router rewrites IP addresses, repurposing the device to relay traffic for malicious activity.
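A defender can look for this NAT abuse in the router's own configuration. The script below is an added example (not from the Microsoft report or the article) that parses a constructed sample of RouterOS `/ip firewall nat export` output and flags dst-nat rules whose target lies outside an assumed LAN prefix (192.168.88.0/24, the RouterOS default), which is what a legitimate port-forward would never do; it also includes a simple version check for the CVE-2018-14847 threshold the article mentions.

```python
"""Defensive check: spot RouterOS NAT rules that turn the router into a proxy."""
import ipaddress
import re

# Constructed sample of `/ip firewall nat export` output; not taken from the article.
# The third rule is the pattern described above: traffic arriving on a non-standard
# port is dst-nat'ed to an address outside the LAN instead of to an internal host.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=192.168.88.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp to-addresses=203.0.113.7 to-ports=80
"""

# Networks a legitimate port-forward should point at (assumed LAN; 192.168.88.0/24
# is the RouterOS default). Anything else is a candidate proxy/redirect rule.
LAN_PREFIXES = [ipaddress.ip_network("192.168.88.0/24")]


def parse_nat_rules(export_text):
    """Turn each `add key=value ...` line into a dict of its key/value pairs."""
    rules = []
    for line in export_text.splitlines():
        if line.startswith("add "):
            rules.append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])))
    return rules


def suspicious_rules(export_text, lan_prefixes=LAN_PREFIXES):
    """Return dst-nat rules whose target lies outside the LAN (router used as a relay)."""
    findings = []
    for rule in parse_nat_rules(export_text):
        if rule.get("action") != "dst-nat":
            continue
        try:
            target = ipaddress.ip_address(rule.get("to-addresses", ""))
        except ValueError:
            continue  # address ranges/lists are out of scope for this check
        if not any(target in net for net in lan_prefixes):
            findings.append(rule)
    return findings


def vulnerable_to_cve_2018_14847(version):
    """True for RouterOS releases older than 6.42, the threshold given in the article."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (6, 42)
```

Run `suspicious_rules` over a real export pulled from the router and review every hit by hand; a hit is a rule worth explaining, not proof of compromise on its own.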

“As security solutions for conventional computing devices continue to evolve and improve, attackers will explore alternative ways to compromise target networks. Attack attempts against routers and other IoT devices are not new, and being unmanaged, they can easily be the weakest links in the network. Therefore, organizations should also consider these devices when implementing security policies and best practices,” the researchers said.
