Microsoft this week released an open source tool that can be used to secure MikroTik routers and check for signs of abuse associated with the Trickbot malware.
TrickBot is a piece of malware that has been around since 2016. It was initially a banking trojan designed to steal financial data, but it has evolved into a modular stealer that can target a wide range of information.
Some researchers believe the malware has reached its limits — the vast amount of available IoCs make it easy to detect — and that its development team has been “acquired” by the notorious Conti ransomware group.
However, the malware appears to be operational, with some cybersecurity firms still seeing significant campaigns aimed at the customers of tens of high-profile companies.
Trickbot operators have been abusing MikroTik routers for command and control (C&C) purposes for a long time, leveraging them as proxies for C&C servers in an effort to evade detection. Trickbot’s abuse of MikroTik products was highlighted back in 2020, after the malware survived a takedown attempt led by Microsoft.
Microsoft now says its researchers have determined exactly how MikroTik routers are abused and the tech giant has created a tool that can be used to check these devices for signs of Trickbot-related hacking.
According to Microsoft, the attackers first compromise MikroTik routers, typically by using default passwords, through brute-force attacks, or by exploiting an old vulnerability to read a file that contains passwords.
“The attackers then issue a unique command that redirects traffic between two ports in the router, establishing the line of communication between Trickbot-affected devices and the C2,” Microsoft explained. “MikroTik devices have unique hardware and software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise in RouterOS SSH shell commands.”
The open source tool made available by Microsoft this week has been named RouterOS Scanner and it has been described as a forensics tool for MikroTik devices. The tool can look for weaknesses and suspicious properties that could indicate the device has been compromised.
Specifically, the tool checks the device version and maps it to known vulnerabilities. It also looks for scheduled tasks, traffic redirection rules, DNS cache poisoning, default port changes, non-default users, suspicious files, as well as proxy, SOCKS and firewall rules.
The tool’s source code is available on GitHub.
Related: Emotet Using TrickBot to Get Back in the Game
Related: GitLab Releases Open Source Tool for Hunting Malicious Code in Dependencies