Pierluigi Paganini
January 16, 2025
Infoblox researchers discovered a botnet of 13,000 MikroTik devices that exploits DNS misconfigurations to bypass email protections, spoof approximately 20,000 domains, and deliver malware.
In late November, the experts spotted a malspam campaign impersonating DHL which used emails about freight invoices, attaching zip files named “Invoice###.zip” or “Tracking###.zip” containing malware.
The zip archive contains an obfuscated JavaScript file, which creates and executes a PowerShell script that connects to the C2 (62.133.60[.]137), which has a suspicious history related to “prior Russian activity.”
The analysis of the headers of the spam messages revealed a botnet of ~13,000 hijacked MikroTik devices, forming a network capable of executing large-scale malicious activities.
The researchers found that the botnet comprises MikroTik routers with various firmware versions, including recent ones. Over the years, multiple security experts have identified several vulnerabilities in MikroTik routers, such as a remote code execution vulnerability detailed by VulnCheck researchers here.
The botnet uses compromised MikroTik devices as SOCKS proxies, masking malicious traffic origins and enabling other actors to exploit them without authentication, amplifying its scale. The botnet’s SOCKS proxy setup enables access for hundreds of thousands of compromised machines.
“Regardless of how they’ve been compromised, it seems as though the actor has been placing a script onto the devices that enables SOCKS (Secure Sockets), which allow the devices to operate as TCP redirectors.” reads the report published by Infoblox. “Enabling SOCKS effectively turns each device into a proxy, masking the true origin of malicious traffic and making it harder to trace back to the source. Another significant concern is that the lack of authentication required to use these proxies makes individual devices, or the entire botnet, available for other actors to exploit.”
The botnet size enables diverse attacks, from DDoS to phishing, spreading malware via SOCKS proxies, and amplifying C2 operations while masking attackers’ identities.
The researchers discovered that botnet operators exploit an improperly configured DNS record for the sender policy framework (SPF) that is used to list addresses that can send emails for their domains. The SPF information is included in the domain’s DNS records as a TXT record.
When a user sends an email, the receiving mail server checks the SPF record to verify that the message is coming from a server that is authorized to send it.
“The malspam campaign we investigated was large in scope, involving approximately 20,000 sender domains. Although the domain owners configured SPF, they were configured such that any address can send emails for their domains.” continues the report. “This DNS misconfiguration could have been done by accident, or as a malicious modification by a threat actor with access to the domain’s registrar account. Either way, the consequence is that any device can spoof the legitimate domain in email.”
It is unclear if the DNS misconfiguration has been done by accident, or a threat actors has done it by accessing the domain’s registrar account.
A correctly configured SPF record specifies authorized email servers (e.g., v=spf1 include:example.com -all) and denies others. Misconfigured records, like +all, allow any server to send emails for a domain, enabling spoofing.
“The malspam campaign that led to this discovery exploited misconfigurations in DNS SPF records, allowing the threat actor to bypass traditional email protection measures.” concludes the report. “This underscores the importance of proper DNS configurations and regular audits of security settings, including the accessibility of your devices to the outside world, to prevent such vulnerabilities.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, MikroTik botnet)
