Microsoft creates tool to scan MikroTik routers for TrickBot infections

Quote: Microsoft released a scanner that detects MikroTik routers hacked by the TrickBot gang to act as proxies for command and control servers.

TrickBot is a malware botnet distributed via phishing emails or dropped by other malware that has already infected a device. Once executed, TrickBot will connect to a remote command and control server to receive commands and download further payloads to run on the infected machine.


For years, TrickBot has used IoT devices, such as routers, to act as a proxy between an infected device and command and control servers (C2). These proxies are used to prevent researchers and law enforcement from finding and disrupting their command and control infrastructure.

In a new report by Microsoft, researchers explain how the TrickBot gang targeted vulnerable MikroTik routers using various methods to incorporate them as proxies for C2 communications.

Routing malicious traffic

The TrickBot operations utilized various methods when hacking into MikroTik routers, starting with using default credentials and then performing brute force attacks to guess the password.

If these initial methods did not provide access to the router, the threat actors would attempt to exploit CVE-2018-14847, a critical directory traversal vulnerability that allows unauthenticated, remote attackers to read arbitrary files. Using this vulnerability, the threat actors would steal the 'user.dat' file, which contains the user credentials for the router.

Once they gained access to the device, the threat actors used built-in '/ip', '/system', or '/tool' commands to create a network address translation (NAT) rule that rerouted traffic sent to port 449 on the router to port 80 on a remote command and control server.

Continue reading HERE
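
A defender-side check for the NAT rule described in the quoted article, added here as an example (it is not part of the post, the article, or Microsoft's scanner): it parses a RouterOS configuration export and flags dst-nat rules that forward port 449 to port 80. The sample export is constructed and the function names are hypothetical.

```python
import shlex

# Constructed sample of a RouterOS "/export" (documentation addresses only).
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input dst-port=449 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp \
    to-addresses=192.168.88.10 to-ports=80
add action=dst-nat chain=dstnat comment="printer" dst-port=440-450 \
    protocol=tcp to-addresses=203.0.113.77 to-ports=80
"""

def port_in_spec(port, spec):
    """True if port is covered by a port spec such as '80,440-450'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False

def nat_rules(export_text):
    """Yield each 'add' line under /ip firewall nat as a dict of properties."""
    joined = export_text.replace("\\\n", " ")  # undo export line wrapping
    section = ""
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            tokens = shlex.split(line[4:])  # handles quoted comments
            yield dict(t.split("=", 1) for t in tokens if "=" in t)

def suspicious_redirects(export_text, listen_port=449, forward_port=80):
    """Return dst-nat rules that forward listen_port to forward_port."""
    hits = []
    for rule in nat_rules(export_text):
        if (rule.get("action") == "dst-nat"
                and port_in_spec(listen_port, rule.get("dst-port", ""))
                and port_in_spec(forward_port, rule.get("to-ports", ""))):
            hits.append(rule)
    return hits

if __name__ == "__main__":
    for rule in suspicious_redirects(SAMPLE_EXPORT):
        print("review:", rule)
```

A hit is a rule to review, not proof of compromise; the port range in the sample shows why matching only the literal string `dst-port=449` would miss a rule.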