Full Report
A global network of about 13,000 hijacked Mikrotik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices. The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. "This
Analysis Summary
# Tool/Technique: Mikro Typo Botnet (MikroTik Hijacking)
## Overview
A botnet campaign, codenamed **Mikro Typo**, has been discovered leveraging approximately 13,000 compromised MikroTik routers globally to send large volumes of **malicious spam (malspam)**, specifically exploiting misconfigured DNS records like Sender Policy Framework (SPF) to bypass email protection techniques. The ultimate goal appears to be the delivery of malicious payloads.
## Technical Details
- Type: Botnet leveraging compromised infrastructure
- Platform: MikroTik Routers (RouterOS)
- Capabilities: Functions as a proxy network via SOCKS (TCP redirector), used for sending spam, masking source IP origins, and facilitating general cyberattacks.
- First Seen: Late November 2024 (for the related malspam campaign).
## MITRE ATT&CK Mapping
This summary maps the observed actions on the compromised devices and the resulting spam campaign:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Used for C2 communication)
- **TA0008 - Lateral Movement**
  - T1090 - Proxy
    - T1090.003 - Proxy: Multi-hop Proxy (Implied use of router network as proxies)
- **TA0001 - Initial Access** (Method of compromise is unknown but potentially related to known vulnerabilities)
  - T1190 - Exploit Public-Facing Application (Potential vector via unpatched vulnerabilities like CVE-2023-30799)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell (Used to run scripts after initial payload execution)
## Functionality
### Core Capabilities
- **Spam Propagation:** Sending malicious emails designed to appear as if they originate from legitimate domains by exploiting misconfigured SPF records.
- **Payload Delivery:** Utilizing freight invoice-related lures to trick recipients into opening a ZIP archive containing an obfuscated JavaScript file, which subsequently executes a PowerShell script.
- **C2 Communication:** Initiating outbound connections to a Command-and-Control (C2) server after initial payload execution.
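The spam-propagation capability above depends on domains whose SPF record lets arbitrary hosts pass as authorised senders. The following is an added example, not code from the Infoblox report or from MikroTik: a small SPF record auditor a domain owner can run over their own TXT records to catch the permissive forms of the record (a `+all` or bare `all`, a `?all`, an `ip4:0.0.0.0/0`, or mechanisms placed after `all`). The sample records in the test are constructed and do not belong to any real domain; the SPF syntax rules applied are those of RFC 7208.

```python
"""Audit an SPF record for misconfigurations that let arbitrary hosts pass.

An SPF record is a TXT record starting with "v=spf1" followed by terms. Each
mechanism carries an optional qualifier: "+" pass (the default), "-" fail,
"~" softfail, "?" neutral. The "all" mechanism decides what happens to senders
matched by nothing else: "+all" (or a bare "all") authorises every host on the
internet to send as the domain, and "?all" gives them a neutral result that
most receivers treat as "not rejected". Modifiers (redirect=, exp=) use "=".
"""
import re
from typing import List, Tuple

QUALIFIERS = "+-~?"
MODIFIER_RE = re.compile(r"^[a-z][a-z0-9_.-]*=", re.I)


def parse_spf(record: str) -> List[Tuple[str, str]]:
    """Split an SPF record into (qualifier, term) pairs.

    Modifiers such as redirect= are returned with an empty qualifier so the
    caller can tell them apart from mechanisms.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    parsed = []
    for term in terms[1:]:
        if MODIFIER_RE.match(term):
            parsed.append(("", term.lower()))
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        parsed.append((qual, term.lower()))
    return parsed


def audit_spf(record: str) -> List[str]:
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    terms = parse_spf(record)
    all_terms = [(q, m) for q, m in terms if m == "all"]
    has_redirect = any(m.startswith("redirect=") for q, m in terms if q == "")

    # No "all" and no redirect: unmatched senders get a neutral result (RFC 7208).
    if not all_terms and not has_redirect:
        findings.append("no 'all' mechanism: unmatched senders are neutral (like '?all')")
    for qual, _ in all_terms:
        if qual == "+":
            findings.append("'+all' authorises every host to send as this domain")
        elif qual == "?":
            findings.append("'?all' gives unmatched senders a neutral result; use '-all' or '~all'")

    # An overly broad ip4/ip6 mechanism has the same effect as "+all".
    for qual, mech in terms:
        if qual == "+" and mech.startswith(("ip4:", "ip6:")) and mech.endswith("/0"):
            findings.append(f"'{mech}' authorises the whole address space")

    # Receivers stop evaluating at "all", so anything after it is dead text.
    idx = next((i for i, (_, m) in enumerate(terms) if m == "all"), None)
    if idx is not None and idx != len(terms) - 1:
        findings.append("mechanisms after 'all' are ignored by receivers")
    return findings


if __name__ == "__main__":
    # Constructed sample records, not any real domain's DNS.
    for rec in ("v=spf1 +all", "v=spf1 include:_spf.example.net -all", "v=spf1 mx ?all"):
        print(rec, "->", audit_spf(rec) or ["ok"])
```

A `-all` or `~all` ending with an explicit list of sending hosts is the configuration the report's lure emails could not have passed; the auditor treats anything weaker as a finding.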
### Advanced Features
- **Proxy Functionality:** The attacker installs a script on the compromised MikroTik devices enabling **SOCKS** (Secure Sockets), turning each router into a **TCP redirector** or proxy.
- **Anonymity:** The proxy setup effectively masks the true origin of malicious traffic, making tracing back to the original threat actor difficult.
- **Weaponization Flexibility:** The lack of authentication on the SOCKS proxies allows other threat actors to potentially use the compromised devices for various malicious purposes, including DDoS attacks or phishing campaigns.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in detail]
- File Names: ZIP archive payload, obfuscated JavaScript file, PowerShell script.
- Registry Keys: [Not applicable/provided for router firmware]
- Network Indicators:
  - C2 IP Address: `62[.]133[.]60[.]137`
- Behavioral Indicators:
  - Execution of JavaScript leading to PowerShell execution.
  - Outbound connections to the identified C2 IP.
  - Enabling of SOCKS service/TCP redirector functionality on the MikroTik device.
## Associated Threat Actors
- A Russian botnet operator (Inferred from context surrounding similar botnets and research by Infoblox).
## Detection Methods
- Signature-based detection: Detecting the known C2 IP address and potential signatures associated with the specific malware loader/script (JavaScript/PowerShell).
- Behavioral detection: Monitoring for unusual network behavior on routers, unauthorized enabling of SOCKS services or remote proxy configurations.
- YARA rules: [Not explicitly provided]
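The behavioural indicators above translate directly into log-based detections. The following is an added example (not code from the Infoblox report or from MikroTik) that runs two such checks over constructed router log lines: outbound connections to the C2 address the report names, and the SOCKS service being switched on. The log line format is a simplified one made up for this example, not the exact RouterOS syslog syntax, so the regular expressions would need adjusting for real device output.

```python
"""Behavioural detection over constructed router log lines.

Two rules: "c2-connection" fires on an outbound connection to the C2 address
from the report, "socks-enabled" fires when a log line records the SOCKS
service being turned on. The log format here is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# C2 address from the report, written there defanged as 62[.]133[.]60[.]137.
C2_IPS = {"62.133.60.137"}

# Constructed sample lines: "<timestamp> <device> <topic> <message>".
SAMPLE_LOGS = """\
2024-11-28T10:01:02Z rtr-01 firewall,info forward: out: src=10.0.0.5:51822 dst=93.184.216.34:443 proto=TCP
2024-11-28T10:01:05Z rtr-01 system,info socks settings changed: enabled=yes port=5678 by admin
2024-11-28T10:02:11Z rtr-01 firewall,info forward: out: src=10.0.0.5:51901 dst=62.133.60.137:80 proto=TCP
2024-11-28T10:02:30Z rtr-02 firewall,info forward: out: src=10.0.1.9:44010 dst=198.51.100.7:25 proto=TCP
2024-11-28T10:03:00Z rtr-02 firewall,info forward: out: src=10.0.1.9:44011 dst=62.133.60.137:443 proto=TCP
"""

CONN_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")
SOCKS_RE = re.compile(r"socks settings changed: enabled=(?P<state>yes|no)")


@dataclass
class Alert:
    device: str
    timestamp: str
    rule: str
    detail: str


def defang(ip: str) -> str:
    """Render an address the way the report does, so it is not clickable."""
    return ip.replace(".", "[.]")


def scan_logs(text: str, c2_ips=C2_IPS) -> List[Alert]:
    """Apply both detection rules to every line and return the alerts in order."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # not a well-formed line; skip rather than crash the scan
        ts, device, _topic, msg = parts
        conn = CONN_RE.search(msg)
        if conn and conn.group("dst") in c2_ips:
            detail = f"{conn.group('src')} -> {defang(conn.group('dst'))}:{conn.group('dport')}"
            alerts.append(Alert(device, ts, "c2-connection", detail))
        socks = SOCKS_RE.search(msg)
        if socks and socks.group("state") == "yes":
            alerts.append(Alert(device, ts, "socks-enabled", msg))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group the distinct rules that fired per device, for a responder's triage list."""
    summary: Dict[str, List[str]] = {}
    for a in alerts:
        rules = summary.setdefault(a.device, [])
        if a.rule not in rules:
            rules.append(a.rule)
    return summary


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for a in found:
        print(f"{a.timestamp} {a.device} [{a.rule}] {a.detail}")
    print(summarize(found))
```

On the constructed sample, rtr-01 triggers both rules (SOCKS enabled, then a connection to the C2 address) while rtr-02 triggers only the C2 rule; a device that matches both is the stronger candidate for the proxy behaviour the report describes.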
## Mitigation Strategies
- **Patching:** Updating MikroTik RouterOS firmware immediately to close known vulnerabilities, such as the privilege escalation issue **CVE-2023-30799**.
- **Authentication/Configuration Hardening:** Reviewing and enforcing strong authentication mechanisms on router management interfaces. Ensuring that services like SOCKS proxies are not inadvertently enabled or left unsecured.
- **Email Security:** Implementing robust email filtering and training users to be wary of lures related to invoices or unexpected attachments (ZIP archives).
- **Network Monitoring:** Monitoring outbound traffic from routers for unexpected connections to external C2 infrastructure.
## Related Tools/Techniques
- Previous MikroTik botnet activity (mentioned in context).
- Exploitation of **CVE-2023-30799** (privilege escalation vulnerability).
- Use of **SPF misconfigurations** to bypass email security controls.