Microsoft: Here’s how the Trickbot botnet used hacked routers to communicate stealthily


Microsoft recently revealed how the Trickbot botnet used compromised MikroTik routers to stealthily communicate with infected PCs.

Trickbot, a piece of malware known for stealing banking credentials and spreading ransomware, once seemed unstoppable. Despite Microsoft’s efforts in 2020 to patch millions of infected PCs and shut down most of its command-and-control (C2) servers — except those dedicated to IoT devices — the malware continued to thrive, until it finally died out earlier this year.

Microsoft is today giving more details on how the TrickBot group exploited connected devices, namely compromised MikroTik routers, which had been used since 2018 to communicate stealthily with infected PCs.

Undetectable malware

In 2018, when many hackers were targeting the CVE-2018-14847 security flaw in MikroTik’s RouterOS software, security researchers discovered that Trickbot was using compromised MikroTik routers as C2 infrastructure.

Routers were useful as C2 infrastructure because they allowed communication with Trickbot-infected PCs without standard defenses being able to detect it.

Microsoft security researchers now know exactly how these devices were used in the botnet’s infrastructure.

Modus operandi

After taking control of the router with a compromised password, Trickbot used RouterOS’ SSH shell to issue a set of commands that RouterOS understood but that make no sense in ordinary Linux-based shells. SSH is intended to allow secure network communications over an insecure network. The ultimate goal was to redirect traffic from the compromised router.

This command created a new network rule that redirected traffic from the infected device to a server: the redirected traffic was received on port 449 and forwarded to port 80, Microsoft explains.

“The said command is a legitimate Network Address Translation (NAT) command that allows the NAT router to perform IP address rewrite. In this case, it was being used for malicious activity. Trickbot is known to have used ports 443 and 449, and we have been able to verify that some target servers have been identified as TrickBot’s C2 servers in the past,” Microsoft adds.
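One way a defender can check an exported RouterOS NAT configuration for the redirect pattern described above. This is an added example written for this article, not Microsoft’s tool or RouterOS code; the sample export, the addresses, and the heuristic that a legitimate port-forward points at a LAN address are assumptions.

```python
"""Heuristic scan of a RouterOS '/ip firewall nat export' dump for dst-nat rules that
forward a Trickbot-associated port (443/449) to a host outside the LAN.
Hypothetical example, not Microsoft's scanner and not RouterOS code."""
import ipaddress
import shlex

# Ports the article associates with Trickbot C2 traffic.
SUSPECT_PORTS = {"443", "449"}
# Assumption: a legitimate dst-nat on a home/office router forwards to an RFC1918 host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export (TEST-NET address for the "C2"); last rule mimics the 449 -> 80 redirect.
SAMPLE_EXPORT = """\
# constructed sample, by RouterOS 6.x
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=192.168.88.10 to-ports=80 comment="web server"
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp to-addresses=203.0.113.45 to-ports=80
"""

def parse_nat_rules(export_text):
    """Return one dict of key=value pairs per 'add ...' line under '/ip firewall nat'."""
    rules, in_nat = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # section header, e.g. /ip firewall nat
            in_nat = line == "/ip firewall nat"
            continue
        if in_nat and line.startswith("add "):
            tokens = shlex.split(line[4:])       # shlex handles comment="..." quoting
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def is_lan(addr):
    """True only for a single RFC1918 address; ranges or empty values are left flagged for review."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def suspicious_rules(export_text):
    """dst-nat rules whose dst-port includes 443/449 and whose target is not a LAN host."""
    hits = []
    for r in parse_nat_rules(export_text):
        if r.get("action") != "dst-nat":
            continue
        ports = set(r.get("dst-port", "").split(","))
        if ports & SUSPECT_PORTS and not is_lan(r.get("to-addresses", "")):
            hits.append(r)
    return hits

if __name__ == "__main__":
    for r in suspicious_rules(SAMPLE_EXPORT):
        print("SUSPICIOUS dst-nat:", r)
```

Run it against the text of `/ip firewall nat export` taken from each router; the ordinary web-server forward is ignored and only the 449-to-external-host rule is reported.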

Breathless Trickbot

“As security solutions for traditional computing devices continue to evolve and improve, attackers will explore other ways to compromise target networks. Attempts to attack routers and other connected objects are nothing new, and if left unmanaged, they can easily be the weakest links in the network. Therefore, organizations should also consider these devices when implementing security policies and best practices,” Microsoft warns. The company has added information on how to tell if your routers have been affected.

Despite Trickbot’s notoriety and longevity, Intel 471 researchers, who took part in the 2020 takedown, claimed last February that the malware was on its last legs. Its veteran developers have reportedly moved on to newer malware such as BazarLoader, or joined the Conti ransomware group.

“Intel 471 cannot confirm this, but it is likely that Trickbot operators have phased out the Trickbot malware from their operations in favor of other platforms like Emotet. Trickbot, after all, is relatively old malware that hasn’t been updated significantly. Detection rates are high and network traffic related to bot communication is easily identifiable,” the researchers write.

Source: ZDNet.com