Microsoft releases open source Trickbot scanner for Mikrotik routers

By on
Microsoft releases open source Trickbot scanner for Mikrotik routers
Source: Mikrotik

Botnet remains a serious threat worldwide.

Microsoft's Defender for Internet of Things Research Team and Threat Intelligence Centre have jointly released an open source forensic tool for popular Mikrotik routers that have been hacked to act as proxy servers for the Trickbot malware gang.

The researchers found that attackers who have several ways of to access Mikrotik routers were able to use commands specific to the Latvian vendor's RouterOS operating system (preceded by the "/" character), to redirect traffic to and from Trickbot command and control servers.

With the help of Microsoft's routeros-scanner tool, administrators can obtain device version identifiers, and map them to Common Vulnerabilities and Exposures (CVEs) indexes.

The tool also lets administrators check for scheduled tasks, traffic redirection rules, domain name system cache poisoning, default ports changes, suspicious files, non-default user accounts, and rules that set up proxying and change the device firewall settings.

Internet-reachable Mikrotik routers have been on hackers' radars for several years now. 

The Latvian router vendor suffered a major RouterOS vulnerability in 2018, which led to login credentials being captured.

Microsoft said that a vulnerability that security vendor Tenable produced a proof-of-concept for affects RouterOS older than version 4.2, and allows attackers to read arbitrary files on Mikrotik routers, such as user.dat which contains device passwords.

A search for Mikrotik routers connected to the internet via the Shodan.io scanning site showed just over 77,000 devices in Australia and New Zealand, and more than 3.3 million worldwide.

Built on the earlier Dyre malware, Trickbot is considered one of the world's most dangerous botnets, and is often used to deliver ransomware payloads.

Microsoft security engineers have cooperated with law enforcement worldwide to take down Trickbot infrastructure, resulting in some of the malware coders being arrested and extradited to the United States to stand trial.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Log In

  |  Forgot your password?