Microsoft: Here's how this notorious botnet used hacked routers for stealthy communication

Microsoft has revealed how the Trickbot trojan botnet has been using compromised MikroTik routers for stealthy communications with infected PCs.

Trickbot, known for stealing banking credentials and delivering ransomware, seemed unstoppable once. It continued to thrive despite an effort led by Microsoft in 2020 to patch millions of infected PCs and take down most of its command and control (C2) servers, with the exception of its Internet of Things (IoT) C2 devices, until it finally shut down earlier this year.

Now, Microsoft has filled in one detail about how the TrickBot gang's IoT C2 devices, namely compromised MikroTik routers, were being used since 2018 for stealthy communication with infected PCs.

SEE: Cybersecurity: Let's get tactical (ZDNet special report)

Back in 2018, when many hackers were targeting CVE-2018-14847 in MikroTik's RouterOS software, security researchers found Tickbot was using compromised MikroTik routers for C2 infrastructure.

Routers are a useful C2 tool since they allow communication between C2 and Trickbot-infected PCs in a way that standard defenses can't detect. Microsoft security researchers say they have now cleared up exactly how the devices were being used in its infrastructure.

After gaining control of the router through a compromised password, Trickbot used RouterOS's SSH shell to create a set of commands that RouterOS understands but which don't make sense on normal Linux-based shells. SSH is intended to enable secure network communications over an unsecured network. The ultimate goal was to redirect the compromised router's traffic.

This command created a new network rule that redirected traffic from the infected device to a server and the redirected traffic was received from port 449 and redirected to port 80, Microsoft explains.

"The said command is a legitimate network address translation (NAT) command that allows the NAT router to perform IP address rewriting. In this case, it is being used for malicious activity. Trickbot is known for using ports 443 and 449, and we were able to verify that some target servers were identified as TrickBot C2 servers in the past," Microsoft adds.

"As security solutions for conventional computing devices continue to evolve and improve, attackers will explore alternative ways to compromise target networks. Attack attempts against routers and other IoT devices are not new, and being unmanaged, they can easily be the weakest links in the network. Therefore, organizations should also consider these devices when implementing security policies and best practices," Microsoft said. It has included details of how to find out if your routers have been affected.

Despite Trickbot's notoriety and durability, researchers at Intel 471, which was involved in the 2020 takedown, said that by February this year the Trickbot malware was on its last legs, with former developers moving on to new malware like BazarLoader and the Conti ransomware gang.

"Intel 471 cannot confirm, but it's likely that the Trickbot operators have phased Trickbot malware out of their operations in favor of other platforms, such as Emotet. Trickbot, after all, is relatively old malware that hasn't been updated in a major way. Detection rates are high and the network traffic from bot communication is easily recognized," its researchers wrote.