Microsoft has revealed how the Trickbot trojan botnet has been using compromised MikroTik routers for stealthy communications with infected PCs.
Trickbot, known for stealing banking credentials and delivering ransomware, once seemed unstoppable. It continued to thrive despite a Microsoft-led effort in 2020 to patch millions of infected PCs and take down most of its command and control (C2) servers (all except its Internet of Things (IoT) C2 devices), until it finally shut down earlier this year.
Now, Microsoft has filled in one detail about how the Trickbot gang's IoT C2 devices, namely compromised MikroTik routers, had been used since 2018 for stealthy communication with infected PCs.
Back in 2018, when many hackers were targeting CVE-2018-14847 in MikroTik's RouterOS software, security researchers found Trickbot was using compromised MikroTik routers for C2 infrastructure.
Routers are a useful C2 tool since they allow communication between C2 servers and Trickbot-infected PCs in a way that standard defenses can't detect. Microsoft security researchers say they have now cleared up exactly how the devices were being used in Trickbot's infrastructure.
After gaining control of the router through a compromised password, Trickbot used