The TrickBot malware, a sophisticated and persistent malware family that first appeared as a banking trojan in 2016, was discovered to be using compromised Internet of Things (IoT) devices as proxies for its Command-and-Control (C2) communications. Compromised MikroTik routers in particular are being used as the proxy hop for TrickBot, so that an infected host only ever connects to the router and the threat actors can further hide their real infrastructure from defenders.
The threat actors initially compromise these MikroTik devices through any number of means, including default passwords, brute-force attacks, or exploitation of vulnerabilities in the device itself. One such vulnerability is a now-patched flaw in MikroTik's RouterOS, tracked as CVE-2018-14847, a directory traversal in the WinBox interface that let unauthenticated remote attackers read arbitrary files (including the user database, and thus credentials) and authenticated attackers write arbitrary files, which together allowed full takeover of the device. After the compromise, the TrickBot actors were seen changing the router's password to maintain access. Once this has been completed, the threat actors add a destination-NAT rule on the device that forwards traffic arriving on TCP port 449 to another IP address where the real C2 server lives. Nothing about the redirect is malware-specific: it is ordinary RouterOS port forwarding, which is why the rule survives a reboot and attracts little attention from anyone reviewing the configuration.
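A defender who can pull a router's configuration can look for exactly the artifact described above: a dst-nat rule that listens on port 449 and forwards to an address outside the local network. The following script is an added example, not code from the original article or from any vendor report. It parses the text of a RouterOS `/ip firewall nat export` and flags such rules. The sample export, the remote address `203.0.113.7`, the `to-ports=80` value and the rule comment are all constructed for illustration.

```python
"""Flag RouterOS dst-nat rules that forward inbound traffic to an external host.

Added example, not from the original article. Input is the text of a RouterOS
`/ip firewall nat export`; each rule appears as one `add key=value ...` line.
"""
import ipaddress
import re
import shlex

# Constructed sample export (not captured from a real router): one benign
# port-forward to a LAN host, and one rule of the shape the article describes,
# inbound TCP/449 redirected to a remote address. The remote IP, to-ports and
# comment values are assumptions made for this example.
SAMPLE_EXPORT = """\
# jan/01/2022 00:00:00 by RouterOS 6.42
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=192.168.88.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp to-addresses=203.0.113.7 to-ports=80 comment="sync"
"""

# Port the article names as the one the proxied TrickBot traffic arrives on.
SUSPICIOUS_PORTS = {449}

# Address space a legitimate port-forward on a home or branch router would
# normally target. Anything outside it is treated as "external".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def parse_nat_export(text):
    """Return one dict of key=value pairs per `add ...` line in the export."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # section headers, comments, blank lines
        rule = {}
        for token in shlex.split(line[4:]):  # shlex strips quoting around values
            key, sep, value = token.partition("=")
            if sep:
                rule[key] = value
        rules.append(rule)
    return rules


def is_external(addr):
    """True if addr parses as an IPv4/IPv6 address outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames, address lists and empty values are not judged here
    return not any(ip in net for net in INTERNAL_NETS)


def listed_ports(spec):
    """Expand a RouterOS port spec such as '449', '80,449' or '440-450'."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            continue
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        ports.update(range(lo, hi + 1))
    return ports


def find_proxy_rules(rules):
    """Return (rule, reasons) pairs for dst-nat rules that look like C2 proxies."""
    findings = []
    for rule in rules:
        if rule.get("action") != "dst-nat" or rule.get("chain") != "dstnat":
            continue
        reasons = []
        target = rule.get("to-addresses", "")
        if is_external(target):
            reasons.append(f"forwards to external host {target}")
        hit = listed_ports(rule.get("dst-port", "")) & SUSPICIOUS_PORTS
        if hit:
            reasons.append(f"listens on known C2 port(s) {sorted(hit)}")
        if reasons:
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in find_proxy_rules(parse_nat_export(SAMPLE_EXPORT)):
        print(rule.get("dst-port"), "->", rule.get("to-addresses"), ";", "; ".join(reasons))
```

Either signal alone is worth a look, but the combination (an unexplained forward to a public address on a port the device has no reason to serve) is the pattern to hunt for. Pair this with the other indicator the article gives, an administrator password that no longer works, since the actors changed it to keep their access.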
By using compromised IoT devices as proxies, the threat actors hide their real C2 servers from defenders and security tools: the infected host's network traffic shows only the router's address, and blocking or seizing that one router removes a single disposable hop rather than the C2 server behind it, making blocks or takedowns of the actors' own infrastructure much harder.