Has Trickbot gang hijacked your router? This scanner may have an answer

Thanks... Micro... soft... OK, there, we said it

Microsoft has published a tool that scans for and detects MikroTik-powered Internet-of-Things devices that have been hijacked by the Trickbot gang.

The open-source scanner comes after an investigation by Redmond's Defender for IoT research team into how the nefarious malware crew takes over MikroTik routers and sets them up to funnel communications to and from Trickbot-infected computers on the network and the criminals' backend servers.

In a release note this week, Microsoft's security team outlined how miscreants compromise the MikroTik devices to strengthen Trickbot's C2 communications. The gang first must acquire credentials for the gateways, and according to Microsoft it does this through a variety of methods including using default MikroTik passwords and launching brute force attacks.

Or they can exploit CVE-2018-14847, a directory-traversal bug in the Winbox management service that affects RouterOS 6.42 and earlier (patched in 6.42.1). It allows an unauthenticated attacker to read arbitrary files from the device, including user.dat, which holds the stored credentials, Microsoft explained.

The criminals then change the router password to maintain access, and then use the compromised device to send commands to Trickbot-poisoned systems on the network to have them run ransomware, mine coins, steal or delete data, and so on.

Microsoft spotted the Trickbot gang sending MikroTik-specific RouterOS commands to infected devices to set up C2 traffic redirection, and then tracked those commands back to their source. As the threat researchers explained: "MikroTik devices have a unique Linux-based OS called RouterOS with a unique SSH shell that can be accessed through SSH protocol using a restricted set of commands," each of which is prefixed with a forward slash (/).

Microsoft noted that the compromised router accepts the redirected C2 traffic on port 449, a port long associated with Trickbot, and forwards it out on port 80.

The scanner connects to MikroTik devices over SSH and looks for traffic-redirection NAT rules and port changes, among other Trickbot indicators. If you want to look for yourself, without using Microsoft's code, or need advice on what to do if you think your router has been compromised, Redmond offers this:

Run the following command [on the router] to detect if the NAT rule was applied to the device (completed by the tool as well):

/ip firewall nat print

If the following data exists, it might indicate infection:

chain=dstnat action=dst-nat to-addresses=

to-ports=80 protocol=tcp dst-address=

chain=srcnat action=masquerade src-address=

Run the following command to remove the potentially malicious NAT rule:

/ip firewall nat remove numbers=
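The manual check above leaves you reading the NAT table by eye. The following is an added example, not Microsoft's scanner and not from this article, that does the same triage offline on the key=value output of `/ip firewall nat print detail`, which is the form you get when the command is captured over SSH or pasted from a terminal. It flags an enabled dst-nat rule that rewrites TCP/449 to port 80 as a high-confidence hit, flags a masquerade rule that is scoped to a specific src-address rather than an interface as worth reviewing, skips disabled (X) rules, and emits the matching `remove numbers=` command. The device output embedded in the block is constructed for the example; the rule-number column, flag letters and field names follow RouterOS's print format, and the address values are documentation ranges, not real C2 infrastructure.

```python
"""Triage `/ip firewall nat print detail` output for the Trickbot redirection pattern.

Added example; not part of Microsoft's routeros-scanner. The sample output
below is constructed to look like a RouterOS print, not captured from a device.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

TRICKBOT_PORT = "449"   # C2 port Trickbot is known to use (per the article)
REDIRECT_PORT = "80"    # port the gang's dst-nat rule forwards to

# Constructed sample: rule 0 is the stock masquerade, rules 1-2 are what the
# gang adds, rule 3 is a disabled (flag X) leftover that must not be flagged.
SAMPLE_OUTPUT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

 1    chain=dstnat action=dst-nat to-addresses=203.0.113.10 to-ports=80 protocol=tcp dst-address=198.51.100.5 dst-port=449 log=no log-prefix=""

 2    chain=srcnat action=masquerade src-address=203.0.113.10 log=no log-prefix=""

 3 X  chain=dstnat action=dst-nat to-addresses=192.168.88.10 to-ports=443 protocol=tcp dst-port=443 log=no log-prefix=""
"""

# Rule line: number, optional flag letters (X/I/D), then key=value pairs.
RULE_RE = re.compile(r"^\s*(?P<num>\d+)\s+(?P<flags>[XID\s]*?)(?P<body>\S+=.*)$")


@dataclass
class NatRule:
    number: int
    disabled: bool
    props: dict[str, str]


@dataclass
class Finding:
    rule: NatRule
    severity: str   # "high" or "review"
    reason: str


def parse_nat_print(text: str) -> list[NatRule]:
    """Parse the key=value form of a RouterOS `print detail` listing."""
    rules: list[NatRule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Flags:" header or blank separator line
        props: dict[str, str] = {}
        # shlex handles quoted values such as log-prefix="" and comment="a b"
        for tok in shlex.split(m.group("body")):
            key, _, val = tok.partition("=")
            props[key] = val
        rules.append(NatRule(int(m.group("num")), "X" in m.group("flags"), props))
    return rules


def find_trickbot_nat(rules: list[NatRule]) -> list[Finding]:
    """Apply the indicators from Microsoft's guidance to parsed NAT rules."""
    findings: list[Finding] = []
    for r in rules:
        if r.disabled:
            continue  # a disabled rule is not redirecting anything
        p = r.props
        if (p.get("chain") == "dstnat" and p.get("action") == "dst-nat"
                and p.get("protocol") == "tcp"
                and p.get("dst-port") == TRICKBOT_PORT
                and p.get("to-ports") == REDIRECT_PORT):
            findings.append(Finding(
                r, "high",
                f"dst-nat rewrites TCP/{TRICKBOT_PORT} to "
                f"{p.get('to-addresses', '?')}:{REDIRECT_PORT}"))
        elif (p.get("chain") == "srcnat" and p.get("action") == "masquerade"
                and "src-address" in p and "out-interface" not in p):
            # Stock masquerade rules are normally scoped by out-interface; one
            # pinned to a single source address deserves a second look.
            findings.append(Finding(
                r, "review",
                f"masquerade scoped to src-address={p['src-address']}"))
    return findings


def removal_command(findings: list[Finding]) -> str:
    """Build the `remove numbers=` command for the flagged rules."""
    nums = ",".join(str(f.rule.number) for f in findings)
    return f"/ip firewall nat remove numbers={nums}"


if __name__ == "__main__":
    hits = find_trickbot_nat(parse_nat_print(SAMPLE_OUTPUT))
    for f in hits:
        print(f"rule {f.rule.number} [{f.severity}] {f.reason}")
    if hits:
        print("suggested:", removal_command(hits))
```

Two caveats before pasting the suggested command into a router: RouterOS rule numbers refer to the most recent `print` in the same session, so re-run `/ip firewall nat print` on the device and confirm the numbers line up before `remove`, and deleting the rules does not evict the attacker, who still holds the router password until you change it and patch.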

And, unsurprisingly, the number-one tip to protect against future Trickbot infestations: stay patched, and use a strong password – not the MikroTik default one. ®

Biting the hand that feeds IT © 1998–2022