Microsoft warns: change the default password on your router to a strong one.

That’s because Microsoft has discovered how the Trickbot botnet used compromised MikroTik routers for covert communication with infected PCs.

Once seemingly unstoppable, Trickbot was well known for stealing banking credentials and delivering ransomware. In 2020 Microsoft led an effort to patch millions of infected PCs, but the botnet continued to thrive. Microsoft also took down most of its command and control (C2) servers, apart from its Internet of Things (IoT) C2 devices. Finally, earlier this year, it was shut down.

Most importantly, Microsoft found that the Trickbot gang’s IoT C2 devices were MikroTik routers that had been compromised since 2018, and that these routers were communicating with the infected PCs.

In other words, back in 2018, when many hackers were targeting CVE-2018-14847 in MikroTik’s RouterOS software, security researchers found that Trickbot was using compromised MikroTik routers as C2 infrastructure.

A Trickbot-infected PC communicated with the router, which makes a useful C2 relay, but it did so in a way that standard defences could not pick up. Microsoft’s security researchers have now cleared up exactly how the devices were used in that infrastructure.

Firstly, using a compromised password, the hackers gained control of the router.

Secondly, Trickbot used RouterOS’s SSH shell to issue a set of commands that RouterOS understands but which don’t make sense on normal Linux-based shells.

Bear in mind that SSH is intended to enable secure network communications over an unsecured network.

So, the hackers’ primary goal was to redirect the compromised router’s traffic.

In other words, a new rule was created with that command, and traffic from the infected PC was redirected to the server, Microsoft explains. The redirected traffic was received on port 449 and sent on to port 80.

Microsoft adds that “the said command is a legitimate network address translation (NAT) command that allows the NAT router to perform IP address rewriting”. In this scenario, however, it was used for malicious activity. Microsoft continues: “we were able to verify that some target servers were identified as TrickBot C2 servers in the past.” Trickbot is known for using ports 443 and 449.
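The pattern described in the steps above, a destination-NAT rule on the router that takes traffic arriving on port 449 and rewrites it towards an external server on port 80, is something a defender can look for in the router’s own NAT table. The script below is an added example, not Microsoft’s tooling or MikroTik code: it parses rule lines in the key=value style that RouterOS prints for `/ip firewall nat print terse` (the exact output format is an assumption here), and flags `dstnat` rules that redirect a Trickbot-associated port (443 or 449, as the article states) to an address outside the usual internal ranges. The sample rules and the 203.0.113.x / 198.51.100.x addresses are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample in the style of RouterOS "/ip firewall nat print terse"
# output: one rule per line, numbered, optional flag letters, then key=value
# tokens. Rule 1 is an ordinary port-forward to an internal host; rules 2 and 3
# are the shape described in the article (449/443 rewritten to an outside host
# on port 80). Rule 3 carries the "X" (disabled) flag.
SAMPLE_NAT_OUTPUT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether1
 1   chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp in-interface=ether1 dst-port=443
 2   chain=dstnat action=dst-nat to-addresses=203.0.113.25 to-ports=80 protocol=tcp dst-port=449
 3 X chain=dstnat action=dst-nat to-addresses=198.51.100.7 to-ports=80 protocol=tcp dst-port=443
"""

# Ports the article says Trickbot is known to use for its traffic.
TRICKBOT_PORTS = {"443", "449"}

# Address ranges treated as "internal": RFC 1918, loopback and link-local.
# A dst-nat to one of these is the normal port-forward case, not a red flag.
_INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

_TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')          # key=value or key="quoted"
_RULE_LINE = re.compile(r"^\s*(\d+)\s+([A-Z]*)\s*(chain=.*)$")


def parse_nat_rules(text):
    """Turn terse-style NAT output into a list of dicts, one per rule."""
    rules = []
    for line in text.splitlines():
        m = _RULE_LINE.match(line)
        if not m:
            continue  # skip the Flags header and anything that is not a rule
        rule = {"id": int(m.group(1)), "disabled": "X" in m.group(2)}
        for key, val in _TOKEN.findall(m.group(3)):
            rule[key] = val.strip('"')
        rules.append(rule)
    return rules


def _is_external(addr):
    """True when a to-addresses value points outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(addr.split("-")[0])  # ranges look like a-b
    except ValueError:
        return False
    return not any(ip in net for net in _INTERNAL_NETS)


def suspicious_redirects(rules, watched_ports=TRICKBOT_PORTS):
    """Flag dstnat rules that rewrite a watched port towards an external host."""
    findings = []
    for r in rules:
        if r.get("chain") != "dstnat" or r.get("action") not in ("dst-nat", "netmap"):
            continue
        if not set(r.get("dst-port", "").split(",")) & watched_ports:
            continue
        target = r.get("to-addresses", "")
        if not _is_external(target):
            continue
        findings.append({
            "id": r["id"],
            "disabled": r["disabled"],
            "dst_port": r.get("dst-port"),
            "to": f"{target}:{r.get('to-ports', '')}",
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_redirects(parse_nat_rules(SAMPLE_NAT_OUTPUT)):
        state = "disabled" if f["disabled"] else "ACTIVE"
        print(f"rule {f['id']} ({state}): dst-port {f['dst_port']} -> {f['to']}")
```

Disabled rules are reported as well as active ones: a rule that has been switched off rather than deleted is still evidence that someone changed the configuration, which is worth a look alongside the password change the article recommends.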

Therefore, as security solutions continue to improve for standard devices, attackers will no doubt look at other ways to infiltrate networks. That is to say, using routers and other IoT devices is not a new way to attempt an attack: because they are unmanaged, they can be the weak point in the network.

So, organisations need to include these unmanaged routers and other IoT devices when considering their security policies and best practices. Microsoft said it has included details of how to find out whether your routers have been affected.

Researchers at Intel 471 said in February this year that the Trickbot malware was on its last legs. These researchers were involved in the 2020 takedown of Trickbot, which challenged its notoriety and durability. However, Trickbot’s developers have now moved on to new malware like BazarLoader and to the Conti ransomware gang.

Meanwhile, even though the researchers at Intel 471 cannot fully verify it, it’s likely that Trickbot’s developers have phased it out in favour of other platforms like Emotet. Since Trickbot is an old type of malware, this makes sense. Secondly, network traffic from bot communication is easily recognised and detection rates are high, its researchers wrote.

In short, make sure you have a strong password on your router. Don’t just go with the default one.
