CyberSecurity news

FlagThis - #MikroTik

Pierluigi Paganini (securityaffairs.com)
A sophisticated botnet built from approximately 13,000 compromised MikroTik routers has been discovered exploiting misconfigured DNS records to distribute malware through spam campaigns. The botnet leverages a simple DNS misconfiguration, specifically in Sender Policy Framework (SPF) records, that allows malicious emails to appear as if they come from legitimate domains. This bypasses email protection techniques, enabling the distribution of trojan malware and other malicious content. The botnet masks its traffic by using the compromised routers as SOCKS proxies.

The misconfigured SPF records, which use "+all" instead of "-all", effectively permit any server to send email on behalf of the domain, nullifying SPF protection. Attackers use this weakness to spoof sender domains and send emails that often mimic shipping companies such as DHL, with subject lines referencing invoices or tracking information. These emails carry zip attachments containing obfuscated JavaScript files that execute PowerShell scripts, connecting victims to a command-and-control server associated with Russian cybercriminal activity.
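As an added defender-side example (not code from the article or any of the cited sources), the following Python audits SPF TXT records for the permissive "+all" mechanism described above. It also flags a bare "all", which SPF treats as "+all" because a term with no qualifier defaults to "+". The sample records and the `.test` domain names are constructed for illustration; no DNS lookups are performed.

```python
"""
Added example (not from the article): audit SPF TXT records for the
permissive "+all" mechanism that lets any host send as the domain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample TXT records keyed by placeholder domain names.
SAMPLE_RECORDS: Dict[str, str] = {
    "example-good.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.test -all",
    "example-soft.test": "v=spf1 mx ~all",
    "example-bad.test":  "v=spf1 include:_spf.mail.test +all",
    "example-bare.test": "v=spf1 a mx all",          # no qualifier means "+all"
    "example-none.test": "v=spf1 ip4:198.51.100.7",  # no "all" term: implicit neutral
}

_QUALIFIERS = "+-~?"


@dataclass
class SpfFinding:
    domain: str
    all_qualifier: Optional[str]  # "+", "-", "~", "?" or None when absent
    verdict: str                  # "open", "softfail", "hardfail", "neutral"


def parse_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the 'all' mechanism, or None if absent.

    SPF terms are whitespace-separated. A term with no explicit qualifier
    defaults to '+', which is why a bare 'all' is as dangerous as '+all'.
    """
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF version 1 record")
    for term in record.split()[1:]:
        if term[0] in _QUALIFIERS:
            qualifier, name = term[0], term[1:]
        else:
            qualifier, name = "+", term
        if name.lower() == "all":
            return qualifier
    return None


def classify(domain: str, record: str) -> SpfFinding:
    """Map the 'all' qualifier to the policy a receiving MTA will apply."""
    q = parse_all_qualifier(record)
    verdict = {
        "+": "open",      # any host may send as this domain: SPF gives no protection
        "~": "softfail",  # receivers usually accept but may mark the mail suspicious
        "-": "hardfail",  # unlisted senders are rejected: the intended setting
        "?": "neutral",
        None: "neutral",  # RFC 7208 default when no 'all' term matches
    }[q]
    return SpfFinding(domain, q, verdict)


def audit(records: Dict[str, str]) -> List[str]:
    """Return the domains whose SPF record is effectively open ('+all' or bare 'all')."""
    return sorted(d for d, r in records.items() if classify(d, r).verdict == "open")


if __name__ == "__main__":
    for d, r in SAMPLE_RECORDS.items():
        f = classify(d, r)
        print(f"{d:20} all={str(f.all_qualifier):5} {f.verdict}")
    print("open domains:", audit(SAMPLE_RECORDS))
```

In practice the record strings would come from the TXT answers returned by a resolver (for example the output of `dig TXT <domain>`) for the domains you own; any domain reported as "open" should have its terminating mechanism changed to "-all" (or at least "~all") so that receivers can reject mail spoofed from it.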

References:
  • : A Russian botnet takes advantage of misconfigured DNS records to pass email protection techniques. This botnet uses a global network of Mikrotik routers to send malicious emails that are designed to appear to come from legitimate domains.
  • securityaffairs.com: MikroTik botnet relies on DNS misconfiguration to spread malware
  • securityonline.info: 13,000 MikroTik Routers Hijacked for Global Malspam Operation
  • cyberpress.org: New Botnet Exploits DNS Flaw to Deliver Malware
  • blogs.infoblox.com: Infoblox: A Russian botnet takes advantage of misconfigured DNS records to pass email protection techniques.
  • Cyber Security News: New Botnet Exploits DNS Flaw to Deliver Malware
  • securityboulevard.com: MikroTik Botnet Exploits SPF Misconfigurations to Spread Malware
  • www.bleepingcomputer.com: BleepingComputer: MikroTik botnet uses misconfigured SPF DNS records to spread malware
Classification:
  • HashTags: #Botnet #DNS #Malware
  • Company: MikroTik
  • Target: MikroTik users
  • Product: MikroTik routers
  • Feature: DNS misconfiguration
  • Type: Malware
  • Severity: Major