How a 2016 trojan has evolved to now attack even IoT devices: Microsoft

Microsoft has explained in detail how Trickbot, a sophisticated trojan, has evolved significantly since its discovery in 2016, to now attack even the Internet of Things (IoT) devices.

In a post put out by the Microsoft Defender for IoT Research Team and the Microsoft Threat Intelligence Center (MSTIC), the IT giant said since the trojan’s discovery in 2016, the malware’s modular nature had allowed it to be increasingly adaptable to different networks, environments, and devices. In addition, it had grown to include numerous plug-ins, access-as-a-service backdoors for other malware like Ryuk ransomware, and mining capabilities. A significant part of its evolution also includes making its attacks and infrastructure more durable against detection, including continuously improving its persistence capabilities, evading researchers and reverse engineering, and finding new ways to maintain the stability of its command-and-control (C2) framework.

Moving beyond computers to IoT devices such as routers, Trickbot has updated its C2 infrastructure to utilise MikroTik devices and modules. MikroTik routers are widely used around the world across different industries. By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, Trickbot adds another persistence layer that helps malicious IPs evade detection by standard security systems, the blog post writers said.
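The proxying described above shows up on the router as destination-NAT rules that forward inbound traffic to an address the router does not own. The following is an added example, not code from the article or from Microsoft's tool: it parses a constructed RouterOS firewall NAT export (the `add action=dst-nat ... to-addresses=... to-ports=...` syntax, the private-range check and the "common port" set are all assumptions made for the example) and flags rules that forward to an external address or listen on a non-standard port, which is the kind of check a defender would run before trusting a MikroTik device.

```python
import re

# Constructed sample of a "/ip firewall nat export" listing; the addresses and
# ports are placeholders chosen for the example, not indicators from the article.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=192.168.88.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=449 protocol=tcp to-addresses=203.0.113.7 to-ports=80
"""

# RFC 1918 ranges: forwarding to one of these is ordinary port-forwarding into the LAN.
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
# Ports we treat as "standard" for an inbound service; anything else is worth a look.
COMMON_PORTS = {"80", "443"}


def parse_rules(export_text):
    """Turn each 'add key=value ...' line of the export into a dict of its attributes."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rules.append(dict(kv.split("=", 1) for kv in line[4:].split() if "=" in kv))
    return rules


def suspicious_redirects(export_text):
    """Return (dst-port, target, to-port, reasons) for each dst-nat rule that forwards
    traffic to a non-private address or listens on a port outside COMMON_PORTS."""
    findings = []
    for r in parse_rules(export_text):
        if r.get("action") != "dst-nat":
            continue
        target = r.get("to-addresses", "")
        reasons = []
        if target and not PRIVATE.match(target):
            reasons.append("forwards to external address " + target)
        if r.get("dst-port") not in COMMON_PORTS:
            reasons.append("listens on non-standard port " + r.get("dst-port", "?"))
        if reasons:
            findings.append((r.get("dst-port"), target, r.get("to-ports"), reasons))
    return findings


if __name__ == "__main__":
    for finding in suspicious_redirects(SAMPLE_EXPORT):
        print(finding)
```

On a real device the export would be captured from the router itself; the same rule-by-rule review applies to any dst-nat entry the administrator did not create.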

The Microsoft Defender for IoT research team recently discovered the exact method through which MikroTik devices are used in Trickbot’s C2 infrastructure. “In this blog, we will share our analysis of the said method and provide insights on how attackers gain access to MikroTik devices and use compromised IoT devices in Trickbot attacks,” the post said.

This analysis has enabled Microsoft to develop a forensic tool to identify Trickbot-related compromise and other suspicious indicators on MikroTik devices. The IT company published this tool to help customers ensure these IoT devices are not susceptible to these attacks.

In the post, Microsoft also shared recommended steps for detection and remediating compromise if found, as well as general prevention steps to protect against future attacks.

Image credit: Microsoft
