Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Releases Open Source Tool for Securing MikroTik Routers

Microsoft this week released an open source tool that can be used to secure MikroTik routers and check for signs of abuse associated with the Trickbot malware.

Microsoft this week released an open source tool that can be used to secure MikroTik routers and check for signs of abuse associated with the Trickbot malware.

TrickBot is a piece of malware that has been around since 2016. It was initially a banking trojan designed to steal financial data, but it has evolved into a modular stealer that can target a wide range of information.

Some researchers believe the malware has reached its limits — the vast amount of available IoCs make it easy to detect — and that its development team has been “acquired” by the notorious Conti ransomware group.

However, the malware appears to be operational, with some cybersecurity firms still seeing significant campaigns aimed at the customers of tens of high-profile companies.

Trickbot operators have been abusing MikroTik routers for command and control (C&C) purposes for a long time, leveraging them as proxies for C&C servers in an effort to evade detection. Trickbot’s abuse of MikroTik products was highlighted back in 2020, after the malware survived a takedown attempt led by Microsoft.

Microsoft now says its researchers have determined exactly how MikroTik routers are abused and the tech giant has created a tool that can be used to check these devices for signs of Trickbot-related hacking.

According to Microsoft, the attackers first compromise MikroTik routers, typically by using default passwords, through brute-force attacks, or by exploiting an old vulnerability to read a file that contains passwords.

“The attackers then issue a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2,” Microsoft explained. “MikroTik devices have unique hardware and software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise in RouterOS SSH shell commands.”

The open source tool made available by Microsoft this week has been named RouterOS Scanner and it has been described as a forensics tool for MikroTik devices. The tool can look for weaknesses and suspicious properties that could indicate the device has been compromised.

Specifically, the tool checks the device version and maps it to known vulnerabilities. It also looks for scheduled tasks, traffic redirection rules, DNS cache poisoning, default port changes, non-default users, suspicious files, as well as proxy, SOCKS and firewall rules.

The tool’s source code is available on GitHub.

Related: Emotet Using TrickBot to Get Back in the Game

Related: GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies

Related: Target Open Sources Web Skimmer Detection Tool

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...