Trickbot has kept evolving despite repeated efforts to stop it, surviving several takedown and disruption attempts since its discovery in 2016. One of the main reasons for its persistence in recent years is its ability to adapt to different networks, devices, and environments.
That evolution has produced new plugins, access-as-a-service backdoors used by other malware such as the Ryuk ransomware, and cryptomining capabilities. Just as important is its resilience: evasion of researchers, resistance to detection, and new ways of maintaining command and control (C2) over infected networks.
Trickbot has now extended from computers to Internet of Things (IoT) devices. Routers such as those made by MikroTik, which are widely used across many industries, are being compromised and incorporated into Trickbot's C2 infrastructure.
MikroTik routers run a Linux-based operating system called RouterOS. After infecting a router, Trickbot redirects traffic arriving on one port to another port, so the router acts as a proxy between infected hosts and the C2 server. Because victims connect to the router rather than directly to the C2 server, the malicious C2 IP addresses stay hidden from the security systems that would otherwise flag them.
Compromising MikroTik Devices
Attackers take over MikroTik devices by obtaining their credentials in several ways: default MikroTik passwords, brute-force attacks, and exploitation of CVE-2018-14847 on devices running older RouterOS versions. Once they have access, they use SSH to send the router a command that reroutes traffic from one port to another.
That rerouting establishes the communication path to the C2 server. A further motive for hacking MikroTik routers is to build a chain of infected devices, which makes detection more complicated.
Microsoft has published an open-source RouterOS scanner that helps customers check their routers for suspicious properties and weak security settings that need to be fixed.
Redirection of Traffic
The Microsoft Threat Intelligence team has published several remediation and detection recommendations, including:
- Change the default password
- Block port 8291 (Winbox) from external access
- Change the SSH port from the default port 22
- Keep RouterOS up to date
- Access the router only over a VPN
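The following script ties together the two technical points above: the port-redirect NAT rule that turns a router into a C2 relay (described under "Compromising MikroTik Devices") and the checklist just given. It audits a RouterOS `/export` dump for an external dst-nat redirect, SSH on its default port, and an unrestricted Winbox port. This is an added example written for this article, not Microsoft's RouterOS scanner or any MikroTik code. Both export texts are constructed; the dst-nat rule uses real RouterOS syntax, but its port numbers and target address are illustrative assumptions, not observed Trickbot values.

```python
"""Audit a MikroTik RouterOS `/export` for a Trickbot-style port redirect and
for weak management settings. Added example for this article, not Microsoft's
scanner or MikroTik code. Exports below are constructed; the dst-nat ports and
target address are illustrative assumptions, not observed Trickbot values."""
import ipaddress
import shlex

# Constructed export of a compromised router: LAN on 192.168.88.0/24, a normal
# port-forward to a LAN web server, and a rule relaying inbound tcp/449 to a
# host outside the router's own networks (the C2 proxy pattern).
COMPROMISED_EXPORT = """\
/ip address
add address=192.168.88.1/24 interface=bridge
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat protocol=tcp dst-port=8080 to-addresses=192.168.88.10 to-port=80
add action=dst-nat chain=dstnat protocol=tcp dst-port=449 to-addresses=203.0.113.45 to-port=80
/ip service
set ssh port=22
set winbox port=8291
/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=8291 comment="management"
"""

# Constructed export after the checklist: redirect removed, SSH moved off 22,
# Winbox limited to the LAN and dropped on the WAN interface.
HARDENED_EXPORT = """\
/ip address
add address=192.168.88.1/24 interface=bridge
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat protocol=tcp dst-port=8080 to-addresses=192.168.88.10 to-port=80
/ip service
set ssh port=2222
set winbox address=192.168.88.0/24 port=8291
/ip firewall filter
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=8291
add action=drop chain=input in-interface=ether1 protocol=tcp dst-port=8291
"""

RESTRICTING_KEYS = ("in-interface", "in-interface-list", "src-address", "src-address-list")


def parse_export(text):
    """Return {menu path: [entry, ...]}; each entry maps key=value tokens and
    keeps bare tokens (e.g. a service name after 'set') under '_args'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # menu path such as /ip firewall nat
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)
        entry = {"_cmd": tokens[0], "_args": []}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
            else:
                entry["_args"].append(tok)
        sections[current].append(entry)
    return sections


def is_local(target, networks):
    """True if target lies inside a subnet the router itself serves; anything
    else (including an unparsable address range) is treated as external."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def audit(text):
    """Return a list of finding strings; empty when the export looks clean."""
    sections = parse_export(text)
    networks = [ipaddress.ip_network(e["address"], strict=False)
                for e in sections.get("/ip address", []) if "address" in e]
    findings = []

    # 1. Trickbot pattern: a dstnat rule handing inbound traffic to a host the
    #    router does not serve, i.e. the router relays for the real C2 server.
    for rule in sections.get("/ip firewall nat", []):
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        target = rule.get("to-addresses")
        if target and not is_local(target, networks):
            findings.append("suspicious dst-nat: tcp/%s relayed to external %s:%s" % (
                rule.get("dst-port", "*"), target, rule.get("to-port", rule.get("dst-port", "*"))))

    # 2. SSH still on its default port (a plain /export omits defaults, so a
    #    missing 'port' means 22).
    services = {e["_args"][0]: e for e in sections.get("/ip service", []) if e["_args"]}
    ssh = services.get("ssh", {})
    if ssh.get("disabled") != "yes" and ssh.get("port", "22") == "22":
        findings.append("ssh listening on default port 22")

    # 3. Winbox (tcp/8291) reachable with no address, interface or drop rule
    #    limiting who may connect to it.
    winbox = services.get("winbox", {})
    guarded = winbox.get("disabled") == "yes" or "address" in winbox
    for rule in sections.get("/ip firewall filter", []):
        if rule.get("chain") != "input" or "8291" not in rule.get("dst-port", "").split(","):
            continue
        if rule.get("action") == "drop" or any(k in rule for k in RESTRICTING_KEYS):
            guarded = True
    if not guarded:
        findings.append("winbox tcp/8291 accepted on the input chain with no source or interface restriction")
    return findings
```

Run `audit(COMPROMISED_EXPORT)` to see the three findings and `audit(HARDENED_EXPORT)` to confirm the corrected configuration produces none. The external-target test deliberately uses the router's own `/ip address` subnets rather than Python's private-range heuristics, because a legitimate port-forward points at a LAN host while the relay pattern points at an address the router has no route to serve.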