Description
On Wednesday 16th March, researchers at Microsoft reported a new technique being used by the TrickBot malware. The technique uses compromised Internet of Things (IoT) devices as a channel for communication with the malware's command and control (C2) servers.
Summary
TrickBot adds an additional layer of persistence by employing MikroTik routers as proxy servers for its C2 servers and routing traffic through non-standard ports, allowing malicious IPs to elude detection by regular security systems.
TrickBot, which first appeared in 2016 as a banking trojan, has grown into a sophisticated and persistent threat, thanks to its modular architecture, which allows it to adapt its tactics to suit different networks, environments, and devices, as well as provide access-as-a-service for next-stage payloads like the Conti ransomware.
Even though the botnet has continued to enhance its features to make its assault architecture resilient, evade reverse engineering, and preserve the reliability of its C2 servers, reports of its infrastructure falling offline have surfaced.
The new approach entails using hacked IoT devices, such as MikroTik routers, to establish a communication link between the TrickBot-affected device and the C2 server.
How it works
The technique requires breaking into routers using a mix of methods, such as default passwords, brute-force attacks, or exploitation of a now-patched vulnerability in MikroTik RouterOS (CVE-2018-14847), and then changing the router's password to keep access.
The attackers then issue a network address translation (NAT) command, which instructs the router to redirect traffic between ports 449 and 80, so that TrickBot-infected hosts can reach the C2 server through the router.
Remediation
Microsoft has released a forensics tool named "routeros-scanner" that network admins can use to scan MikroTik devices for signs that they have been compromised by TrickBot.
The script will scan MikroTik devices for the following information:
Get the version of the device and map it to CVEs
Check for scheduled tasks
Look for traffic redirection rules
Look for DNS cache poisoning
Look for default ports change
Look for non-default users
Look for suspicious files
Look for proxy, socks, and FW rules
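The "traffic redirection rules" check above is the one that catches the NAT command described under "How it works". The following is an added example, not part of Microsoft's routeros-scanner, that reads a RouterOS "/export" dump and flags dst-nat rules which rewrite the destination port (the 449-to-80 pair from this advisory) or forward to a non-private address; the export text is constructed for the example.

```python
# Added example for this advisory (not Microsoft's routeros-scanner): flag TrickBot-style
# dst-nat proxy rules in a MikroTik RouterOS "/export" dump.
import ipaddress
import re

TRICKBOT_PORTS = ("449", "80")  # inbound 449 forwarded to 80 on the C2, per the advisory

# Constructed sample export, not a capture from a real device.
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=dstnat protocol=tcp dst-port=449 action=dst-nat \\
    to-addresses=192.0.2.10 to-ports=80
add chain=dstnat protocol=tcp dst-port=8080 action=dst-nat \\
    to-addresses=192.168.88.10 to-ports=8080 comment="lan web server"
"""

def join_continuations(text):
    """RouterOS exports wrap long commands with a trailing backslash; rejoin them."""
    joined = text.replace("\\\n", " ")
    return [l.strip() for l in joined.splitlines() if l.strip()]

def parse_export(text):
    """Return each 'add ...' command as a dict of key=value pairs plus its menu path."""
    menu, entries = "", []
    for line in join_continuations(text):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            entry = {"_menu": menu}
            for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:]):
                entry[key] = val.strip('"')
            entries.append(entry)
    return entries

def suspicious_nat_rules(text):
    """dst-nat rules that rewrite the port or forward to a non-private address."""
    hits = []
    for e in parse_export(text):
        if e["_menu"] != "/ip firewall nat" or e.get("action") != "dst-nat":
            continue
        src, dst = e.get("dst-port"), e.get("to-ports")
        try:  # note: ipaddress treats documentation ranges like 192.0.2.0/24 as private
            external = not ipaddress.ip_address(e.get("to-addresses", "")).is_private
        except ValueError:
            external = False
        if (dst and src != dst) or external:
            e["_reason"] = "trickbot-port-pair" if (src, dst) == TRICKBOT_PORTS else "review"
            hits.append(e)
    return hits
```

The sample's 449-to-80 rule is reported as "trickbot-port-pair", while the LAN web-server rule (same port in and out, private target) is not reported.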
It is recommended to follow these steps on MikroTik devices to secure them further:
Change the default password to a strong one
Block port 8291 from external access
Change SSH port to something other than the default (22)
Make sure routers are up to date with the latest firmware and patches
Use a secure virtual private network (VPN) service for remote access and restrict remote access to the router
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
References
Toulas, Bill. (17th March 2022). Microsoft creates tool to scan MikroTik routers for TrickBot infections. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-scan-mikrotik-routers-for-trickbot-infections/
Lakshmanan, Ravie. (17th March 2022). TrickBot Malware Abusing MikroTik Routers as Proxies for Command-and-Control. Retrieved from The Hacker News: https://thehackernews.com/2022/03/trickbot-malware-abusing-hacked-iot.html