Microsoft releases open-source tool for checking MikroTik Routers compromise

Microsoft released an open-source tool to secure MikroTik routers and check for indicators of compromise for Trickbot malware infections.

Microsoft has released an open-source tool, dubbed RouterOS Scanner, that can be used to secure MikroTik routers and check for indicators of compromise associated with Trickbot malware infections.

“This analysis has enabled us to develop a forensic tool to identify Trickbot-related compromise and other suspicious indicators on MikroTik devices. We published this tool to help customers ensure these IoT devices are not susceptible to these attacks.” reads the post published by Microsoft.

Recently Check Point researchers reported that the infamous TrickBot malware was employed in attacks against customers of 60 financial and technology companies with new anti-analysis features. The news wave of attacks aimed at cryptocurrency firms, most of them located in the U.S..

TrickBot is a popular Windows banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features, including powerful password-stealing capabilities.

TrickBot initially partnered with Ryuk ransomware that used it for initial access in the network compromised by the botnet. Then Ryuk was replaced by Conti Ransomware gang who has been using Trickbot for the same purpose.

In 2021, the Conti gang used in exclusive the TrickBot to achieve initial accesses in the network of organizations worldwide.

AdvInt researchers recently reported that The Conti ransomware group has taken over TrickBot malware operation and plans to replace it with BazarBackdoor malware.

The Trickbot operation has switched to using MikroTik routers as C&C servers since 2020.

Microsoft has analyzed how the malware compromised MikroTik routers and developed a tool to detect signs of compromise. The attack chain against the routers starts with brute-force attacks or by exploiting the CVE-2018-14847 flaw that allows reading a file that contains passwords.

“The attackers then issue a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2,” continues the post. “MikroTik devices have unique hardware and software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise in RouterOS SSH shell commands.”

RouterOS Scanner allows users to check the device version and maps it to known vulnerabilities. It also looks for scheduled tasks, traffic redirection rules (NAT and other rules), DNS cache poisoning, default port changes, non-default users, suspicious files, as well as proxy, SOCKS and firewall rules.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RouterOS Scanner)

[adrotate banner=”5″]

[adrotate banner=”13″]