Infoblox Threat Intel uncovered a botnet exploiting misconfigured DNS to deliver malware through spam campaigns using spoofed domains. This botnet, comprising approximately 13,000 compromised MikroTik routers, facilitates a variety of malicious activities, which include sending trojan malware and conducting phishing attacks. The actors behind this botnet are leveraging limitations in email protection techniques due to flawed SPF records. Affected: MikroTik routers, email systems, users targeted by spam and malware
Keypoints :
- Discovery of a botnet delivering trojan malware via spam campaigns.
- Use of misconfigured DNS records to bypass email protection techniques.
- Approximately 13,000 compromised MikroTik routers involved.
- Malicious emails impersonate legitimate domains, like DHL.
- ZIP files sent in malspam campaigns contain obfuscated JavaScript files.
- Trojan malware initiates connections to Command and Control (C2) servers for further actions.
- Vulnerabilities in MikroTik routers allow unauthorized access and future exploitation.
- Botnet enables large-scale malicious operations including DDoS and credential stuffing.
- Compromised routers configured as SOCKS proxies enhance anonymity of attackers.
- Misconfigured DNS SPF records allow any server to send emails on behalf of compromised domains.
MITRE Techniques :
- Command and Control (T1071): Utilized for initiating outbound connections to malware C2 server (62.133.60[.]137).
- Exploitation of Remote Services (T1210): Vulnerabilities in MikroTik routers exploited for unauthorized access.
- Credential Dumping (T1003): Facilitated by compromised routers allowing unauthorized credential access.
- Phishing (T1566): Malicious emails designed to trick recipients into downloading malware.
- Proxy (T1090): Leveraging compromised devices as SOCKS proxies to anonymize malicious activities.
Indicator of Compromise :
- [IP Address] 62.133.60.137