Threat Watch

TrickBot Malware Abusing MikroTik Routers as Proxies for Command-and-Control

TrickBot, a sophisticated and persistent malware family originally designed as a banking trojan in 2016, was discovered using compromised Internet of Things (IoT) devices as proxies for communicating with its command-and-control (C2) servers. Compromised MikroTik routers and devices are specifically being used as the proxy mechanism for TrickBot, allowing the threat actors to further hide their activity from defenders.

The threat actors initially compromise these MikroTik devices through any number of means, including default passwords, brute-force attacks, or exploiting vulnerabilities within the device itself. One such vulnerability is a now-patched flaw in MikroTik’s RouterOS, tracked as CVE-2018-14847, which allowed unauthenticated remote attackers to read and write arbitrary files on the device and take it over. After the compromise, the TrickBot actors were seen changing the router’s password to maintain access. Once this has been completed, the threat actors create a new NAT rule on the device to redirect traffic coming in on port 449 to another IP address where the real C2 server exists.

By using compromised IoT devices as proxies, the threat actors are able to better hide their real C2 servers from defenders and security tools and prevent blocks or takedowns of critical infrastructure.


Microsoft has released a RouterOS scanner tool that can help detect whether an organization’s MikroTik devices have been compromised. It also helps identify weak points in devices, such as known vulnerabilities or old RouterOS versions, that malicious users may use to take them over. It is highly recommended that users with MikroTik devices run this tool against their devices to determine whether they have been compromised or are susceptible to compromise. If any findings are reported, it is recommended to take immediate action on them to help secure the device. Likewise, it is recommended to follow best practices when utilizing IoT devices, such as:
• Changing the default password for the built-in user
• Using strong passwords for all users on the device and implementing password rotation
• Preventing management interfaces, such as web or SSH, from being accessible from the Internet
• Keeping the device’s firmware up-to-date to prevent it from being vulnerable to known exploits
Following these guidelines will help prevent a device from being compromised remotely by a malicious user.
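
A defender-side check for the port 449 NAT redirect described earlier, as an added example that is not part of the original advisory and is not Microsoft's scanner: it parses the text of a RouterOS configuration export and lists the dst-nat rules that cover port 449. The function names, the `internal_nets` parameter, and the sample export (including its addresses and `to-ports` value) are constructed for illustration.

```python
import ipaddress
import re
import shlex

# Constructed sample of RouterOS export text (addresses are placeholders).
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input dst-port=449 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.88.10
add action=dst-nat chain=dstnat comment="constructed sample" dst-port=449 \
    protocol=tcp to-addresses=203.0.113.77 to-ports=80
"""

def port_matches(spec, port):
    """True if a port spec such as '449', '80,449' or '400-500' covers `port`."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo.isdigit() and int(lo) <= port <= int(hi if hi.isdigit() else lo):
            return True
    return False

def find_port_redirects(export_text, port=449, internal_nets=()):
    """List dst-nat rules in the export that forward `port` to another address."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join continued lines
    findings, section = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line  # e.g. "/ip firewall nat"
            continue
        if section != "/ip firewall nat" or not line.startswith("add "):
            continue
        rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if rule.get("action") != "dst-nat" or not port_matches(rule.get("dst-port", ""), port):
            continue
        target = rule.get("to-addresses", "")
        try:  # a target outside the networks you own deserves a closer look
            addr = ipaddress.ip_address(target.split("-")[0])
            internal = any(addr in net for net in nets)
        except ValueError:
            internal = False
        findings.append({"to": target, "to_ports": rule.get("to-ports", ""),
                         "disabled": rule.get("disabled") == "yes",
                         "internal_target": internal})
    return findings
```

Each returned entry is a rule to review against the forwards the organization actually configured; a match on its own is not proof of compromise.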

Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure