Prometheus ransomware
CyberDaily: Cybersecurity News

MikroTik’s vulnerable routers have been used in one of the largest botnet-as-a-service cybercrime operations, according to cybersecurity researchers.

Avast published a new piece of research stating that a cryptocurrency-mining campaign using the newly disrupted Glupteba botnet and the infamous TrickBot malware were both distributed through the same command-and-control (C2) server.

“The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers,” Avast’s senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what’s now called the Mēris botnet.

The botnet exploits a vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), which lets the attackers gain unauthorized access to administrative functions on the affected device. In late September 2021, parts of the Meris botnet were sinkholed.

“The CVE-2018-14847 vulnerability, which was publicized in 2018, and for which MikroTik issued a fix, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service,” Hron said.

Avast observed an attack that used vulnerable MikroTik routers: the attackers fetched the first-stage payload from a domain named bestony[.]club, and that payload was used to retrieve additional scripts from a second domain, globalmoby[.]xyz.

Remarkably, both domains resolved to the same IP address, 116.202.93[.]14, which led to the tracking of seven more domains that were part of the attacks; one of them served Glupteba malware samples targeting hosts.

“When requesting the URL https://tik.anyget[.]ru I was redirected to the domain (which is again hidden by the Cloudflare proxy),” Hron said. “This is a control panel for the orchestration of enslaved MikroTik routers,” with the page displaying a live counter of devices connected into the botnet.
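The domains and address named in this article are the kind of indicators a defender would want to sweep DNS or proxy logs for. The script below is an added example, not Avast's tooling or code from the article: it refangs the published indicators, parses a constructed, hypothetical DNS log format ("timestamp client record-type query answer"), and flags queries for the listed domains (including subdomains) or answers pointing at the listed IP. Queries issued by the gateway address itself are the ones worth looking at first, since the research describes the routers fetching the payload rather than the hosts behind them.

```python
import re
from typing import List, Optional, Tuple

# Indicators as published in the article, in defanged form.
DEFANGED_DOMAINS = ("bestony[.]club", "globalmoby[.]xyz", "tik.anyget[.]ru")
DEFANGED_IPS = ("116.202.93[.]14",)


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be compared with log data."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Hypothetical log format assumed for this example (not a real resolver's format):
#   <timestamp> <client_ip> <record_type> <query_name> <answer>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<query>\S+)\s+(?P<answer>\S+)$"
)


def domain_matches(query: str) -> Optional[str]:
    """Return the matching indicator if the query is one of the domains or a subdomain of it."""
    q = query.rstrip(".").lower()  # tolerate a trailing dot on fully qualified names
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, query, reason) for every line that touches a known indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        query, answer = m["query"], m["answer"]
        reason = None
        matched = domain_matches(query)
        if matched:
            reason = f"query for known C2 domain {matched}"
        elif answer in IOC_IPS:
            reason = f"resolved to known C2 address {answer}"
        if reason:
            hits.append((m["client"], query, reason))
    return hits


# Constructed sample log; 192.168.88.1 is the router's default LAN address on RouterOS.
SAMPLE_LOG = """\
2022-03-16T10:01:02Z 192.168.88.1 A updates.example.org 203.0.113.10
2022-03-16T10:01:05Z 192.168.88.1 A bestony.club 116.202.93.14
2022-03-16T10:01:07Z 192.168.88.1 A cdn.globalmoby.xyz. 116.202.93.14
2022-03-16T10:02:11Z 192.168.88.20 A www.example.com 198.51.100.7
2022-03-16T10:02:30Z 192.168.88.1 A some-other-host.example 116.202.93.14
malformed line here
""".splitlines()

if __name__ == "__main__":
    for client, query, reason in scan_dns_log(SAMPLE_LOG):
        print(f"{client}\t{query}\t{reason}")
```

Matching on the resolved address as well as the query name catches the seven additional domains the article says were tied to the same IP even when their names are not in the indicator list.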

However, once the Meris botnet details were available in the public domain, the C2 server rapidly stopped hosting scripts before vanishing. 

The disclosure came at the same time as Microsoft revealed how TrickBot malware had weaponized MikroTik routers as proxies for command-and-control communications with remote servers.

These attacks have led to advisories being issued that ask users to update their routers, set up a strong router password, and disable the router’s administration interface from the public side.
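The three advisory items above map onto a handful of RouterOS commands. The following is an added example for administrators, not from the article or from MikroTik's own documentation; it assumes the default LAN subnet 192.168.88.0/24 and a WAN interface named ether1, and the password is a placeholder to be replaced.

```routeros
# 1. Update RouterOS so the build includes the Winbox fix for CVE-2018-14847.
/system package update check-for-updates
/system package update install

# 2. Replace the default or weak admin password (placeholder value; use a long, unique one).
/user set admin password="REPLACE-WITH-A-LONG-UNIQUE-PASSWORD"

# 3. Bind management services to the LAN only and disable the ones not in use.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# 4. Drop management ports arriving on the WAN side; place-before=0 puts the rule first.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=8291,22,80,443,8728,8729 action=drop place-before=0 \
    comment="drop management from WAN"

# 5. Turn off the built-in SOCKS and web proxy unless they are deliberately used.
/ip socks set enabled=no
/ip proxy set enabled=no

# 6. Verify the result and look for scheduler entries or scripts you did not create.
/ip service print
/ip firewall filter print
/system scheduler print
/system script print
```

Step 5 addresses the proxying behaviour described in the article rather than the advisories' three items, and step 6 is a quick way to spot a compromise that predates the hardening.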

“It also shows, what is quite obvious for some time already, that IoT devices are being heavily targeted not just to run malware on them, which is hard to write and spread massively considering all the different architectures and OS versions, but to simply use their legal and built-in capabilities to set them up as proxies,” Hron said. “This is done to either anonymize the attacker’s traces or to serve as a DDoS amplification tool.”