Huge “zombie” MikroTik router botnet spreads malware and obscures Russian hackers


Cybercriminals with links to Russia are running a large-scale hacking operation, sending spoofed emails and delivering trojan malware. They’re hiding behind a smokescreen – a botnet of at least 13,000 compromised MikroTik internet routers acting as proxies.

Infoblox researchers uncovered a large-scale hacking operation run by Russian-linked cybercriminals.

Tens of thousands of spam emails seemingly originating from legitimate domains bypass protections. But how?


Hackers chose servers with DNS misconfigurations and sent spoofed spam through a massive network of relays—13,000 compromised MikroTik internet routers configured as SOCKS proxies. Because a compromised proxy forwards traffic without exposing where it came from, the receiving server has no way of telling whether a message really originated from the source it claims. Hackers also found many misconfigured domains.

In total, the campaign involved 20,000 sender domains (the domain names the spoofed emails appeared to come from).

“The headers of the many spam emails revealed a vast array of domains and SMTP server IP addresses, and we realized we had uncovered a sprawling network of approximately 13,000 hijacked MikroTik devices, all part of a sizeable botnet,” Infoblox threat researcher David Brunsdon writes.

“Together, they form a large cannon, poised and ready to unleash a barrage of malicious activities.”

Zombie routers act as anonymity shields

For comparison, the Tor network, one of the largest deployed anonymity networks used by millions of people, has around 8,000 relays. The discovered botnet is over 1.5 times the size of that.

This network of MikroTik routers relays malicious emails designed to look like legitimate domains, but it’s also likely used for a wide range of other malicious activities.

“It seems as though the actor has been placing a script onto the devices that enable SOCKS (Secure Sockets), which allow the devices to operate as TCP redirectors. Enabling SOCKS effectively turns each device into a proxy, masking the true origin of malicious traffic and making it harder to trace back to the source,” the Infoblox report reads.


What is even more concerning is that the botnet lacks authentication – the entire botnet or even individual devices are open for other hackers to exploit.

“Their configuration as SOCKS proxies allows tens or even hundreds of thousands of compromised machines to use them for network access, significantly amplifying the potential scale and impact of the botnet’s operations,” Infoblox said.

It’s not exactly clear how the MikroTik routers were compromised. While several critical vulnerabilities have been identified in the past, devices running recent firmware releases were also found in the botnet.

The researcher explains that similar botnets typically participate in DDoS attacks, spam and phishing campaigns, credential stuffing attacks, data theft, cryptojacking, click fraud, and other malicious activities.

Shadowserver Foundation data on publicly exposed routers reveals that MikroTik is the most popular brand in Russia. MikroTik is a Latvian network equipment manufacturer.


Owners of 20,000 domains misconfigured DNS records

Normally, hackers can’t bypass email filters and protections when email domain settings are configured correctly. However, in this campaign, hackers exploit a simple mistake in how the email domains are set up. They abuse servers with misconfigured Sender Policy Framework (SPF).

“When a user sends an email, the receiving mail server checks the SPF record to verify that the message is coming from an authorized server. If the email fails this check, it is more likely to be marked as spam or rejected,” the researcher explains.


Anyone can check the SPF information published in the domain’s DNS records.

A good example would be to specify the trustworthy domains and exclude the rest, like this:

v=spf1 include:example.com -all

However, hackers scanned and found 20,000 domains whose records allowed any server to send email on their behalf. The ‘bad’ SPF record has a ‘+all’ flag at the end, like this:

v=spf1 include:example.com +all

“This essentially defeats the purpose of having an SPF record because it opens the door for spoofing and unauthorized email sending,” the report explains.

The researcher suggests that users check the SPF record themselves when in doubt.
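As an added example (not code from the Infoblox report or this article), the following Python performs the check the researcher recommends: it parses an SPF record and flags a permissive ‘all’ qualifier, also covering the bare ‘all’, ‘?all’, missing-‘all’ and redirect= cases. The record strings are constructed samples; to audit a real domain, fetch its TXT record (for instance with dig) and pass that string to audit_spf().

```python
from typing import NamedTuple

class Term(NamedTuple):
    qualifier: str   # '+', '-', '~' or '?' ('' for modifiers such as redirect=)
    name: str        # mechanism or modifier name, lower-cased
    arg: str         # e.g. 'example.com' for include:example.com

# Constructed sample records (assumed, not taken from any real domain).
SAMPLE_RECORDS = {
    "good.example": "v=spf1 include:example.com -all",
    "bad.example":  "v=spf1 include:example.com +all",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "bare.example": "v=spf1 include:example.com all",   # no qualifier means '+'
    "redir.example": "v=spf1 redirect=_spf.example.com",
}

def parse_spf(record: str) -> list:
    """Split an SPF TXT record into Term tuples (RFC 7208 syntax, simplified)."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok:                         # modifier, e.g. redirect=... or exp=...
            name, _, value = tok.partition("=")
            terms.append(Term("", name.lower(), value))
            continue
        qualifier = "+"                        # RFC 7208: a missing qualifier means pass
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        name, _, arg = tok.partition(":")
        terms.append(Term(qualifier, name.split("/")[0].lower(), arg))
    return terms

def audit_spf(record: str) -> dict:
    """Report how the record treats a sender that matches no listed mechanism."""
    terms = parse_spf(record)
    for term in terms:
        if term.name == "all":                 # anything after 'all' is never evaluated
            permissive = term.qualifier in "+?"
            return {"all_qualifier": term.qualifier, "permissive": permissive,
                    "note": "any server may send as this domain" if permissive
                            else "unlisted senders fail or softfail"}
    if any(t.name == "redirect" for t in terms):
        return {"all_qualifier": None, "permissive": None,
                "note": "verdict comes from the redirect target's record"}
    # No 'all' and no redirect: RFC 7208 defaults to neutral, much like '?all'.
    return {"all_qualifier": None, "permissive": True,
            "note": "no 'all' term; unlisted senders get a neutral result"}
```

Running audit_spf over SAMPLE_RECORDS flags bad.example and bare.example as permissive, good.example and soft.example as safe, and defers redir.example to the redirect target.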

The malicious emails contained fake freight invoices and included a zip file carrying a malicious payload – but social engineering tactics change frequently. The attached trojan communicated with a command and control server that was previously linked to suspicious Russian activity.

“This underscores the importance of proper DNS configurations and regular audits of security settings, including the accessibility of your devices to the outside world, to prevent such vulnerabilities.”
