FlagThis

CyberSecurity updates
2025-01-17 20:50:15 Pacfic
Pierluigi Paganini @ Cyber Crime Archives
MikroTik Botnet Exploits DNS Misconfigurations. - 1d
Read more: securityaffairs.com

A sophisticated botnet has been discovered exploiting misconfigured DNS records on approximately 13,000 MikroTik routers to distribute malware through spam campaigns. The botnet leverages a simple DNS misconfiguration, specifically in Sender Policy Framework (SPF) records, allowing malicious emails to appear as if they are coming from legitimate domains. This bypasses email protection techniques, enabling the distribution of trojan malware and other malicious content. The botnet is masking its traffic by using the compromised routers as SOCKS proxies.

The misconfigured SPF records, using "+all" instead of "-all", effectively permits any server to send emails on behalf of the domain, nullifying SPF protections. Attackers are using this weakness to spoof sender domains and send out emails that often mimic shipping companies like DHL, using subject lines referencing invoices or tracking information. These emails contain zip file attachments containing obfuscated JavaScript files that execute PowerShell scripts, connecting victims to a command-and-control server associated with Russian cybercriminal activity.

Original img attribution: https://securityaffairs.com/wp-content/uploads/2025/01/image-24.png
ImgSrc: securityaffairs.com
References:
  • @screaminggoat - A Russian botnet takes advantage of misconfigured DNS records to pass email protection techniques. This botnet uses a global network of Mikrotik routers to send malicious emails that are designed to a - 1d
  • Security Archives - Security Affairs - MikroTik botnet relies on DNS misconfiguration to spread malware - 1d
  • securityonline.info - 13,000 MikroTik Routers Hijacked for Global Malspam Operation - 1d
  • cyberpress.org - New Botnet Exploits DNS Flaw to Deliver Malware - 1d
  • blogs.infoblox.com - Infoblox : A Russian botnet takes advantage of misconfigured DNS records to pass email protection techniques. - 1d
  • Cyber Security News - New Botnet Exploits DNS Flaw to Deliver Malware - 22h
  • securityboulevard.com - MikroTik Botnet Exploits SPF Misconfigurations to Spread Malware - 4h
  • Security Boulevard - MikroTik Botnet Exploits SPF Misconfigurations to Spread Malware - 1h

Classification:
  • HashTags: Botnet DNS Malware
  • Company: MikroTik
  • Target: MikroTik users
  • Product: MikroTik routers
  • Feature: DNS misconfiguration
  • Type: Malware
  • Severity: Major

This site is an experimental news aggregator using feeds I personally follow. You can provide me feedback using this form or using Bluesky.