Microsoft Outsmarts Trickbot With RouterOS Scanner
RouterOS Scanner – Open Source, Free To Use And A Must For MicroTik Owners
Trickbot has been causing headaches for IT security professionals for quite some time now, as it is a well designed and highly obfuscated suite of tools to infect machines with malware and ransomware. It has been very effective at taking over IoT devices as well as computers and thanks to it’s modular design and obfuscated C2 servers it has been all but impossible to shut down; instead growing since it’s first incarnation back in 2016.
One of the key tools the malicious hooligans behind Trickbot are MikroTik devices which use their own Linux-based RouterOS which they can take advantage of. RouterOS accepts remotely piped commands over SSH, which can be handy if you know what you are doing but a nightmare if you aren’t even familiar enough with them to change the default password. That has allowed Trickbot to recruit hordes of MikroTik devices to help hide the location of the C2 servers. Instead of a compromised machine phoning home directly, they can set up a rule on a MikroTik router to receive data from compromised computers through port 449 and then redirect the data through port 80 to the actual TrickBot command server, making it very difficult to trace.
There is good news today however, as Microsoft released an open source tool called RouterOS Scanner which will help greatly in reducing Trickbot’s footprint. RouterOS Scanner can be grabbed from GitHub and easily run to scan MikroTik devices for a variety of things, from checking the OS version to see which specific vulnerabilities apply to the device, scanning for non-default users and detecting traffic redirection as well as other tools.
If you have a MikroTik device or know someone who does, grab RouterOS and run a scan as a favour to everyone who makes use of the internet.
Microsoft has published a tool that scans for and detects MikroTik-powered Internet-of-Things devices that have been hijacked by the Trickbot gang.