Instances involving compromised devices, botnets, and vulnerabilities have become ordinary occurrences. This makes sense given the increased connectivity today, but ask yourself: What is the most common internet-of-things (IoT) device across network infrastructures, whether in homes or businesses? Answer: the router.
Even before the term IoT was coined, we had the routers at the gateway, most of the time publicly exposed on the internet. In the context of the IoT, the router is perhaps the most important device for the whole infrastructure. All traffic goes through it and it allows for the provision of many services, such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), content filtering, firewalls, and Voice over Internet Protocol (VoIP), to all connected devices, including computers, smartphones, and IP cameras.
If an attacker is able to compromise the router, every device connected to it can be affected. And that’s what a hacking group in Brazil just did.
In addition to recent reports of MikroTik and other IoT devices being used as part of a botnet or a scanning activity, we’ve discovered that criminals in Brazil are again targeting users of the network infrastructure behind router devices.
The malware in question
On March 26, I got an interesting piece of malware from a contact in the form of a script designed to run in RouterOS. This operating system is developed by MikroTik, which is a manufacturer of routers for consumer and professional use.
In this case, the malware first makes a GET request to a command-and-control (C&C) server at hxxp://smilelikeyoumeanit2018[.]com[.]br/contact-server/, notifying it is a new victim that was just compromised as the GET request reveals the origin IP. It does that using a built-in command in RouterOS.
Figure 1. Tool used to connect to URL
The C&C domain was registered using a temporary webmail, a measure that may make tracing criminal activity harder.
After the initial request command, the script uses a function called calculateStr() to decode a hardcoded domain.
Figure 2. calculateStr() function
This function actually just reverses the string and replaces the last six characters with .ntr.br. This was easy enough to replicate in bash environment using built-in and well-known command-line tools.
Figure 3. Reversed string
Following this function, there is another function that adds several DNAT (Destination Network Address Translation) rules to the device’s firewall. These rules forward all DNS requests made to a foreign address, obtained from the DNS resolution of the sads321ewq[.]ntr[.]br domain. At the time of writing, this domain has already been taken down.
Figure 4. Addition of DNAT rules
Consequently, the entire network behind the router that is infected with this malware would then be resolving domain names using a malicious DNS server, unless a manual DNS server address is set and the router is not used as a DNS server. We don’t know which domains the malware targeted, but we highly suspect that online banking domains were involved, as in the past.
How the infection was possibly carried out
It is likely that there is a piece of first-stage malware that is infecting other MikroTik devices, acting like a worm between routers. Like any other IoT device, MikroTik devices are not free from having vulnerabilities. Apart from the public CVEs, we recently saw the publication of exploits for Chimay Red and a Server Message Block (SMB) buffer overflow vulnerability. So it is highly possible that the group behind this attack used one or more of these exploits.
Figure 5. MikroTik-related published vulnerabilities
We believe that the criminal group also used the infected devices to infect other similar devices in the same network and also those on the internet. That’s likely when a second-stage payload comes in, but unfortunately we were not able to get it. The domain was quickly taken down, so we cannot say for certain what the payload was supposed to be.
Turning the victim into a proxy
The C&C server could also receive a GET request at /index.php?modulo=get, and it would reply with an IP of a MikroTik device that is likely to have been recently infected, followed by the TCP port 20183 to be used as a proxy server. We observed routers in Brazil and Japan contacting this path.
An interesting thing is that the port TCP 20183 is not meant to be open by default in MikroTik routers, but most of the infected devices had an open working proxy listening on it. So we believe that apart from infecting DNS settings, this campaign also intended to use the devices as proxies for other attacks. In fact, we found a proxy list that contained most of the IP addresses we observed to be infected.
Figure 6. List of proxy addresses
Conclusion and recommendations
We don’t exclude the possibility that this campaign is part of a botnet attack — perhaps one of those reported recently — but these infections seem to have two clear objectives: To change the DNS settings of infected routers and use them as proxies, probably to support other malware campaigns, and to perform phishing attacks using malicious DNS resolutions and so on. As we said at the beginning, this affects all the devices connected to the routers, including phones, laptops, IoT devices, and even other routers.
We highly recommend keeping routers and all connected devices updated to the latest firmware versions and avoiding unintended exposure by following these practices:
- Enable password protection on routers and connected devices.
- Replace factory default passwords with strong, hard-to-guess ones to avoid brute-force or dictionary attacks.
- Modify default settings according to the features that best suit user needs while still keeping privacy and security intact.
- Enable the firewall for added protection and use the Wi-Fi Protected Access II (WPA2) security protocol.
- Regularly check DNS settings to spot anything suspicious in the network.
Users can also opt for security solutions that can monitor internet traffic between the router and all connected devices and can help prevent potential network intrusions through virtual patching and default or weak password detection.