Infected routers get backdoored and set up as cryptojackers

Oct 12, 2018 18:30 GMT  ·  By  ·  Comment  · 

MikroTik, a Latvian routers and ISP wireless system maker, had quite a bad year with their routers suffering from several different security vulnerabilities which allowed attackers to enroll them in cryptojacking campaigns and huge botnets of hundreds of thousands of devices. 

It seems that Mikrotik can't catch a break seeing that Malwarebytes Labs found out today about a new malware campaign involving MikroTik routers designed once again to infect them with a CoinHive miner payload and set them up for a new cryptojacking career.

More exactly, attackers are able to compromise MikroTik's routers using malicious tools designed to exploit the CVE-2018-14847 authentication bypass vulnerability in routers running RouterOS up to 6.42 and the CVE-2018-7445 buffer overflow bug in RouterOS up to 6.41.3/6.42rc27.

The threat actors behind the new MikroTik malware campaign first discovered by @VriesHd and analyzed in more detail by Malwarebytes Labs exploits the CVE-2018-14847 path traversal vulnerability, bypassing authentication and reading arbitrary files available on the router.

All compromised MikroTik routers will be configured to surreptitiously mine for cryptocurrency

The attackers use fake browser update notifications sent from infected MikroTik routers and linking the victims to a browser update installer server from an FTP server which drops the malicious payload designed to compromise the device.

The end goal is to tamper with the router's settings and setting up a CoinHive-powered mining error page which will be displayed on each HTTP request in an iframe allowing the user to browse the web without noticing the CoinHive miner working in the background.

Each of the infected MikroTik routers during this campaign will also start scanning for other vulnerable MikroTik devices, giving a helping hand to the cybercriminals in spreading their CoinHive miner to more and more machines.

"MikroTik users are urged to patch their routers as soon as possible and should assume that their authentication credentials have been compromised if they are running an outdated version," says Malwarebytes Labs. "MikroTik’s download page explains how to perform an upgrade to RouterOS."

Photo Gallery (3 Images)

MikroTik botnet attack
MikroTik routers serving the fake update pageThe update page serving the fake browser updater
Open gallery
  Click to load comments
This enables Disqus, Inc. to process some of your data. Disqus privacy policy

Related Stories

Fresh Reviews

Latest News