According to Microsoft’s Defender for IoT Research Team and Threat Intelligence Center (MSTIC), “TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems by using MikroTik routers as proxy servers for its C2 servers and redirecting traffic through non-standard ports.”
Microsoft stated on Wednesday that the TrickBot malware uses a previously unknown technique in which compromised Internet of Things (IoT) devices act as a go-between for communicating with its C2 servers. Even though the botnet has kept extending its features to make its attack framework more resilient, evade reverse engineering and preserve the reliability of its C2 servers, reports of its infrastructure going offline have emerged.
TrickBot, which first appeared in 2016 as a banking trojan, has grown into an advanced and persistent threat thanks to its modular architecture, which allows it to adapt its tactics to different networks, environments and devices, and to provide access-as-a-service for next-stage payloads such as the Conti ransomware.
The new approach discovered by MSTIC uses compromised IoT devices, such as MikroTik routers, to establish a line of communication between the TrickBot-infected device and the C2 server. The attackers then issue a network address translation (NAT) command that instructs the router to redirect traffic between ports 449 and 80, creating a conduit through which TrickBot-infected hosts interact with the C2 server.
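A defender who administers MikroTik devices can look for this pattern directly in the router's NAT configuration. The Python script below is an added example, not code from the article or from Microsoft: it parses export-style `/ip firewall nat` lines and flags any `dst-nat` rule that either redirects the reported port pair (449 to 80) or forwards traffic to an address outside the organisation's own LAN ranges, which is what a router acting as a relay for an external C2 would look like. The sample export text, the LAN prefixes and the field names (`chain`, `protocol`, `dst-port`, `action`, `to-addresses`, `to-ports`) are assumptions modelled on the RouterOS export format; the `203.0.113.x` and `198.51.100.x` addresses are documentation ranges standing in for an external C2.

```python
"""
Flag MikroTik RouterOS NAT rules that resemble the TrickBot relay pattern:
a dst-nat rule that takes traffic arriving on a non-standard port (449) and
forwards it to port 80 on another host, turning the router into a proxy.

Example code, not part of the article. The export lines below are constructed;
field names follow the RouterOS '/ip firewall nat' export format as assumed here.
"""
import re
import ipaddress

# Constructed sample of '/ip firewall nat export'-style output (not from a real device).
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="normal egress NAT"
add chain=dstnat protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="internal web"
add chain=dstnat protocol=tcp dst-port=449 action=dst-nat to-addresses=203.0.113.45 to-ports=80
add chain=dstnat protocol=tcp dst-port=8080 action=dst-nat to-addresses=198.51.100.7 to-ports=80
"""

# Assumed LAN ranges for this organisation (RFC 1918); adjust to the real deployment.
LAN_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# key=value or key="quoted value" tokens on one 'add ...' line
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return one dict of key/value pairs per 'add ...' line in the export."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rules.append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return rules


def is_lan_address(addr):
    """True if addr parses as an IP inside one of the configured LAN prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_PREFIXES)


def suspicious_relay_rules(rules, relay_port="449", target_port="80"):
    """Return (rule, reasons) pairs for dst-nat rules that look like C2 relaying."""
    findings = []
    for rule in rules:
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        reasons = []
        if rule.get("dst-port") == relay_port and rule.get("to-ports") == target_port:
            reasons.append(f"port {relay_port}->{target_port} redirect matches the reported TrickBot pattern")
        to_addr = rule.get("to-addresses", "")
        if to_addr and not is_lan_address(to_addr):
            reasons.append(f"dst-nat forwards inbound traffic to non-LAN address {to_addr}")
        if reasons:
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in suspicious_relay_rules(parse_export(SAMPLE_EXPORT)):
        print(f"dst-port={rule.get('dst-port')} -> {rule.get('to-addresses')}:{rule.get('to-ports')}")
        for reason in reasons:
            print(f"    {reason}")
```

Run against a real export, the two rules forwarding to external addresses are reported while the legitimate `443` forward to an internal web server is not; the port-pair check is deliberately separate from the non-LAN check so that a relay using a different port pair is still caught.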
Gaining access to the routers involves a mix of methods, such as default passwords, brute-force attacks or exploiting a now-patched vulnerability in MikroTik RouterOS (CVE-2018-14847), after which the attackers change the router’s password to retain access.
Finally, the researchers concluded that, “As security solutions for traditional computing devices evolve and improve, assailants will look for new ways to breach target networks. Attacks against routers and other IoT devices are not new, and because they are unmanaged, they can easily be the network’s weakest link.”