230 thousand vulnerable MikroTik routers are controlled by a botnet

Source: https://cobaltstrike.net/2022/03/23/230-thousand-vulnerable-mikrotik-routers-are-controlled-by-a-botnet/

Vulnerable MikroTik routers were used in one of the largest "botnet-as-a-service" cybercrime operations of the past few years.

According to a new report by the security company Avast, a now-disabled cryptomining botnet, the Glupteba malware and the well-known TrickBot malware were all distributed from the same C&C server.

The C&C server acts as a "botnet as a service" and controls about 230 thousand vulnerable routers, Avast senior analyst Martin Hron explained.

The Mēris botnet exploited a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), which allows attackers to gain unauthorized remote administrative access to any vulnerable device.

"The vulnerability CVE-2018-14847 disclosed in 2018, for which MikroTik released a fix, allowed cybercriminals to seize all these routers and probably rent them out," explained Hron.

In the attack chain analyzed by Avast specialists in July 2021, the compromised MikroTik routers requested the first-stage payload from the domain bestony[.]club, which was then used to fetch additional scripts from a second domain, globalmoby[.]xyz.

Both domains are associated with the IP address 116.202.93[.]14, thanks to which researchers were able to detect seven more domains that were actively used in attacks. One of them, tik.anyget[.]ru, was used to deliver Glupteba malware to the attacked hosts.

When requesting the URL https://tik.anyget[.]ru, the researcher was redirected to https://routers.rip/site/login (again hidden behind the Cloudflare proxy). This is a control panel for managing the hacked MikroTik routers.
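The paragraphs above name the indicators of this chain: the first-stage domain, the second-stage domain, the shared IP address, the Glupteba delivery domain and the control-panel domain. The script below is an added example (not Avast's tooling and not part of the original article) that refangs those published indicators and checks them against DNS and proxy log lines; the log format and the sample lines are constructed for the example. It also matches subdomains of a listed domain, which the article's own `cdn`-style second-stage fetches would otherwise slip past.

```python
"""Match the indicators quoted in the Avast write-up against DNS/proxy log lines.

The indicators are the ones named in the article, kept in their published
defanged form. The log format and sample lines are constructed for this
example and are not from the report.
"""
import re
from ipaddress import ip_address

# Indicators quoted in the article (defanged as published).
DEFANGED_INDICATORS = [
    "bestony[.]club",       # first-stage payload
    "globalmoby[.]xyz",     # second-stage scripts
    "tik.anyget[.]ru",      # delivered Glupteba
    "routers[.]rip",        # control panel (article: routers.rip/site/login)
    "116.202.93[.]14",      # IP address shared by the domains
]


def refang(indicator):
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def load_indicators(defanged):
    """Split refanged indicators into a domain set and an IP set."""
    domains, ips = set(), set()
    for raw in defanged:
        value = refang(raw).lower()
        try:
            ips.add(str(ip_address(value)))
        except ValueError:      # not an IP literal, so treat it as a domain
            domains.add(value)
    return domains, ips


def domain_matches(name, domains):
    """Return the matching indicator if `name` equals it or is a subdomain of it."""
    name = name.lower().rstrip(".")
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


# Constructed log format: "<timestamp> <source_ip> <DNS|CONNECT> <query_or_dest>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (DNS|CONNECT) (\S+)$")


def scan(lines, defanged=DEFANGED_INDICATORS):
    """Return one hit dict per log line that touches a listed domain or IP."""
    domains, ips = load_indicators(defanged)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, src, kind, target = m.groups()
        if kind == "DNS":
            ind = domain_matches(target, domains)
        else:  # CONNECT: target is host:port; host may be a name or an IP
            host = target.rsplit(":", 1)[0]
            ind = host if host in ips else domain_matches(host, domains)
        if ind:
            hits.append({"ts": ts, "src": src, "indicator": ind, "raw": line})
    return hits


# Constructed sample log; the 192.0.2.0/24 sources are documentation addresses.
SAMPLE_LOG = """
2021-07-14T09:12:01Z 192.0.2.10 DNS bestony.club
2021-07-14T09:12:02Z 192.0.2.10 CONNECT 116.202.93.14:443
2021-07-14T09:12:03Z 192.0.2.11 DNS updates.example.com
2021-07-14T09:12:04Z 192.0.2.12 DNS cdn.globalmoby.xyz
2021-07-14T09:12:05Z 192.0.2.12 CONNECT tik.anyget.ru:443
2021-07-14T09:12:06Z 192.0.2.13 DNS notbestony.club
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['indicator']}")
```

Note that `notbestony.club` is deliberately not a hit: the suffix check requires a leading dot, so a lookalike registered domain does not false-positive on a listed one. For a production feed you would load the indicators from a file rather than the list above, but the matching logic is the same.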

However, after the details about the Mēris botnet became public in early September 2021, the C&C server suddenly stopped serving scripts, and then completely disappeared.

The disclosure also coincides with a new Microsoft report showing how the TrickBot malware used MikroTik routers for C&C communication with remote servers, which suggests its operators used the same botnet-as-a-service.
