Botnet Malware Controls Over 200,000 MicroTik Routers Globally

According to a recent report by cybersecurity researchers, vulnerable MikroTik routers were exploited to build one of the largest botnet-as-a-service cybercrime operations seen in recent years.

According to a new Avast report, a cryptocurrency mining campaign, the recently disrupted Glupteba botnet and the notorious TrickBot malware were all distributed via the same command-and-control (C2) server.

“The C2 server serves as a botnet-as-a-service controlling nearly 200,000 vulnerable MikroTik routers,” Avast’s senior malware researcher, Martin Hron, said, linking it to what is now known as the Mēris botnet. The botnet typically exploits a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), which allows the attackers to gain remote administrative control of the affected devices.

“The CVE-2018-14847 vulnerability, which was publicized in 2018, and for which MikroTik issued a fix, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service,” Hron said.

Avast observed an attack chain in July last year that targeted vulnerable MikroTik routers to fetch a first-stage payload from a domain called bestony[.]club, which in turn was used to retrieve additional scripts from a second domain, globalmoby[.]xyz.

Interestingly, both domains resolved to the same IP address, 116.202.93[.]14, which led to the discovery of seven other domains actively used in attacks, one of which (tik.anyget[.]ru) served Glupteba malware samples to targeted devices.

“When requesting the URL https://tik.anyget[.]ru I was redirected to the domain (which is again hidden by the Cloudflare proxy),” Hron said. “This is a control panel for the orchestration of enslaved MikroTik routers,” with the page displaying several live devices connected to the malware.

However, after information about the Mēris botnet became public in early September 2021, the C2 server abruptly stopped serving scripts before disappearing entirely.

The revelation also coincides with a new Microsoft study showing how the TrickBot malware has weaponized MikroTik routers as proxies for command-and-control communications with remote servers, raising the possibility that its operators used the same botnet-as-a-service.

In light of these attacks, users should upgrade their routers to a RouterOS release that includes the latest security patches, set a strong, unique administrator password, and make sure the router’s management services (Winbox, the web interface, the API and SSH) are not reachable from the WAN side, either by disabling them or by restricting them to trusted internal addresses.
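The checks above can be automated against a RouterOS `/export` dump. The following is an added example written for this article, not code from Avast, MikroTik or the botnet operators: it parses an export, treats every management service not mentioned as left at its factory default (RouterOS only exports values that differ from the defaults; the default table below is an assumption taken from RouterOS 6 and should be verified against your version), and flags a pre-fix RouterOS version, any management service reachable from any address, and the absence of a drop rule on the firewall input chain. Both export texts are constructed for the example; the `FIXED_VERSION` threshold of 6.42.1 is taken from MikroTik's release notes for the CVE-2018-14847 fix and is likewise an assumption to confirm for your branch.

```python
"""Audit a MikroTik RouterOS `/export` dump for the exposure that let Mēris
enrol routers: management services reachable from any address and a RouterOS
version predating the CVE-2018-14847 (Winbox) fix.

Added example, not vendor or vendor-research code. Sample exports are constructed.
"""
import re
from dataclasses import dataclass

# RouterOS 6 factory defaults for /ip service, name -> disabled?
# Assumption from RouterOS 6 docs; /export prints only non-default values.
DEFAULT_SERVICES = {
    "api": False, "api-ssl": False, "ftp": False, "ssh": False,
    "telnet": False, "winbox": False, "www": False, "www-ssl": True,
}

# First stable release carrying the CVE-2018-14847 fix (assumption; verify).
FIXED_VERSION = (6, 42, 1)

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
VERSION_RE = re.compile(r"by RouterOS (\d+)\.(\d+)(?:\.(\d+))?")

# Constructed export of a router as Mēris would have found it: old RouterOS,
# every management service on, no firewall protecting the router itself.
WEAK_EXPORT = """\
# jul/12/2021 10:00:00 by RouterOS 6.40.5
# software id = ABCD-1234
#
/ip service
set api-ssl disabled=yes
"""

# Constructed export of the same router after hardening.
HARDENED_EXPORT = """\
# mar/15/2022 09:30:00 by RouterOS 6.48.6
# software id = ABCD-1234
#
/interface list
add name=LAN
/interface list member
add interface=bridge list=LAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop everything else reaching the router"
"""


@dataclass
class Service:
    name: str
    disabled: bool
    address: str = ""  # allowed source networks; "" means any address


def parse_kv(line):
    """Split `key=value key="quoted value"` tokens into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_version(export):
    """RouterOS version from the export header, as a comparable tuple."""
    m = VERSION_RE.search(export)
    return None if m is None else tuple(int(g or 0) for g in m.groups())


def parse_export(export):
    """Return (services by name, firewall rules on the input chain)."""
    services = {n: Service(n, d) for n, d in DEFAULT_SERVICES.items()}
    input_rules = []
    section = None
    for raw in export.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a new menu path, e.g. /ip service
            section = line
            continue
        kv = parse_kv(line)
        if section == "/ip service" and line.startswith("set "):
            name = line.split()[1]
            svc = services.setdefault(name, Service(name, False))
            if "disabled" in kv:
                svc.disabled = kv["disabled"] == "yes"
            if "address" in kv:
                svc.address = kv["address"]
        elif section == "/ip firewall filter" and kv.get("chain") == "input":
            input_rules.append(kv)
    return services, input_rules


def audit(export):
    """List of human-readable findings; empty means nothing flagged."""
    findings = []
    version = parse_version(export)
    if version is None:
        findings.append("cannot determine RouterOS version from export header")
    elif version < FIXED_VERSION:
        findings.append(f"RouterOS {'.'.join(map(str, version))} predates the "
                        "CVE-2018-14847 fix; upgrade")
    services, input_rules = parse_export(export)
    for svc in services.values():
        if not svc.disabled and not svc.address:
            findings.append(f"service {svc.name} enabled and reachable from any address")
    if not any(r.get("action") == "drop" for r in input_rules):
        findings.append("no drop rule on firewall input chain")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"[{label}] {len(audit(export))} finding(s)")
        for f in audit(export):
            print("  -", f)
```

On a live device, `/export` run from the RouterOS terminal produces the input; the hardened sample shows the shape to aim for, with Winbox and SSH bound to the LAN prefix and an explicit drop at the end of the input chain.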

“It also shows, what is quite obvious for some time already, that IoT devices are being heavily targeted not just to run malware on them, which is hard to write and spread massively considering all the different architectures and OS versions, but to simply use their legal and built-in capabilities to set them up as proxies,” Hron said. “This is done to either anonymize the attacker’s traces or to serve as a DDoS amplification tool.”


Josh Breaker

Josh is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits, and security defenses, as well as research and innovation in information security. He has also written and edited for numerous publications, including the Boston Business Journal and the Boston Phoenix.