Experts now rank botnets built from compromised MikroTik routers among the largest cybercrime operations seen in recent years. According to a new study released by Avast, both the Glupteba botnet and the cryptocurrency-mining activity of the notorious TrickBot malware were distributed using the same command-and-control (C2) servers. Martin Hron, a senior malware researcher at Avast, said: “Nearly 230,000 vulnerable MikroTik routers are controlled by botnets.”
This botnet exploits a known vulnerability in the Winbox component of MikroTik RouterOS (CVE-2018-14847), which lets attackers gain unauthenticated remote administrative access to any affected device. Parts of the Mēris botnet were sinkholed in late September 2021. Hron said: “The CVE-2018-14847 vulnerability was announced in 2018, and although MikroTik has released a fix for it, criminals can still use it to control the router.”
In the attack chain observed by Avast in July 2021, vulnerable MikroTik routers were made to retrieve a first-stage payload from the domain bestony[.]club, which in turn fetched further scripts from globalmoby[.]xyz. Interestingly, both domains resolved to the same IP address, 116.202.93[.]14, which led to the discovery of seven other domains actively used in the attacks, one of which (tik.anyget[.]ru) served Glupteba malware samples to targeted hosts. “When requesting the URL https://tik.anyget[.]ru I was redirected to https://routers.rip/site/login (again hidden behind the Cloudflare proxy),” Hron said, “a control panel for orchestrating enslaved MikroTik routers,” which displays the number of live devices connected to the botnet.
But after details of the Mēris botnet entered the public domain in early September 2021, the command-and-control servers reportedly stopped serving scripts altogether. The disclosure also coincides with a new Microsoft report describing how the TrickBot malware weaponized MikroTik routers, which raises the likelihood that the operators are offering the same botnet as a service.
In light of these attacks, users are advised to update their routers with the latest security patches, set strong router passwords, and disable the router’s management interface on the public (WAN) side. “Their goal is not to run malware on IoT devices, because different architectures and operating-system versions make malware not only difficult to write but also difficult to spread at scale,” Hron said; instead the compromised routers serve “to hide the attacker’s tracks or as a tool for DDoS attacks.”