13,000 MikroTik Routers Co-opted into Botnet for Malicious Spam and Cyberattacks

January 21, 2025

A botnet made up of approximately 13,000 commandeered MikroTik routers has been used to distribute malware through spam campaigns. This is just the latest in a series of botnets that are powered by MikroTik devices. Infoblox security researcher David Brunsdon explained in a technical report that the botnet "take[s] advantage of misconfigured DNS records to pass email protection techniques."

The botnet, which Infoblox has codenamed Mikro Typo, uses the hijacked routers to send malicious emails that appear to come from legitimate domains. It was discovered through a malspam campaign detected in late November 2024 that used freight invoice-related lures to trick recipients into opening a ZIP archive payload. The ZIP file contains an obfuscated JavaScript file that launches a PowerShell script, which in turn establishes an outbound connection to a command-and-control (C2) server.

The exact method used to breach the routers remains unknown, but several firmware versions, including those susceptible to CVE-2023-30799, a serious privilege escalation issue that can be exploited for arbitrary code execution, have been affected. Brunsdon noted, "Regardless of how they've been compromised, it seems as though the actor has been placing a script onto the [Mikrotik] devices that enables SOCKS (Secure Sockets), which allow the devices to operate as TCP redirectors." This effectively turns each device into a proxy, obscuring the true source of the malicious traffic and making it more difficult to trace back to its origin.

The lack of necessary authentication to use these proxies raises further concerns, as it allows other malicious actors to use specific devices or the entire botnet for harmful activities, from distributed denial-of-service (DDoS) attacks to phishing campaigns. The malspam campaign has been found to exploit a misconfiguration in the sender policy framework (SPF) TXT records of 20,000 domains, allowing the attackers to send emails on behalf of these domains and bypass various email security measures.

The SPF records are set up with the extremely permissive "+all" option, which essentially nullifies the protection they were intended to provide. This means that any device, like the compromised MikroTik routers, can spoof the legitimate domain in an email. MikroTik device owners are advised to keep their routers updated and change default account credentials to avoid potential exploitation attempts. "With so many compromised MikroTik devices, the botnet is capable of launching a wide range of malicious activities, from DDoS attacks to data theft and phishing campaigns," Brunsdon said. "The use of SOCKS4 proxies further complicates detection and mitigation efforts, highlighting the need for robust security measures."
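To find the weakness described above in your own domains, the following added example (not code from Infoblox's report) parses an SPF TXT record and reports the qualifier on its `all` mechanism; a bare `all` with no qualifier is treated as `+all`, since SPF defaults to the pass qualifier. The domain names and records in the sample are constructed, and the check assumes you have already fetched the TXT record (for instance with `dnspython`).

```python
import re

# SPF qualifiers (RFC 7208). A mechanism with no qualifier defaults to "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# A modifier is "name=value" where the name uses only letters, digits, "-", "_", ".".
MODIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*=")


def parse_spf(txt: str):
    """Split an SPF record into a list of (qualifier, mechanism) and a dict of modifiers."""
    if not txt.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    terms, modifiers = [], {}
    for term in txt.split()[1:]:
        if MODIFIER_RE.match(term):           # e.g. redirect=_spf.example.org
            name, value = term.split("=", 1)
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                        # implicit pass when no qualifier given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        terms.append((qualifier, term.lower()))
    return terms, modifiers


def assess_spf(txt: str) -> dict:
    """Report what the record says about senders that match nothing else."""
    terms, modifiers = parse_spf(txt)
    for qualifier, mech in terms:
        if mech == "all":                      # "all" always matches; evaluation stops here
            result = QUALIFIERS[qualifier]
            return {"all": qualifier + "all", "result": result,
                    "permissive": result == "pass"}
    if "redirect" in modifiers:                # no "all": policy lives in another record
        return {"all": None, "result": "redirect", "permissive": False,
                "redirect": modifiers["redirect"]}
    return {"all": None, "result": "neutral", "permissive": False}


def find_permissive(records: dict) -> list:
    """Return the domains whose SPF record lets any host send on their behalf."""
    return sorted(d for d, txt in records.items() if assess_spf(txt)["permissive"])


# Constructed sample records, not real domains.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.net +all",   # explicit +all
    "example.org": "v=spf1 mx all",                          # bare all, same effect
    "example.edu": "v=spf1 ip4:192.0.2.0/24 -all",           # hard fail, as intended
}

if __name__ == "__main__":
    print("permissive SPF:", find_permissive(SAMPLE_RECORDS))  # ['example.com', 'example.org']
```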
