More than 200,000 MikroTik routers are infected by CryptoMining malware [360totalsecurity]

Recently, 360 Security Center discovered a malicious hijacking campaign against MikroTik routers. It mainly exploits the zero-day vulnerability in MikroTik routers that was patched in April, and it infects the routers with code that loads the browser-based cryptomining script from Coinhive. As a result, when users access the Internet through the compromised router's web proxy, they are served HTTP error pages into which Coinhive's JavaScript has been injected, and their browsers then start mining Monero cryptocurrency for the attackers.

Attack Method
The hacker utilizes the zero-day vulnerability that MikroTik patched on 23rd April this year. Although MikroTik fixed the vulnerability within a day, thousands of MikroTik routers were not patched in time, giving hackers a good opportunity to launch an attack.

The vulnerability allows an attacker to read files from the router through Winbox and thereby obtain remote administrator access to the MikroTik router. According to the initial investigation, the hackers did not run malicious files on the router; instead, they used the router's web proxy to push custom error pages containing the Coinhive mining script to users.

Analysis
The following analysis was conducted by Simon Kenin, a security researcher at Trustwave SpiderLabs:

First, the pages returned by the affected devices on the Shodan search engine are all MikroTik Web Proxy error pages. This shows that the hacker replaced the proxy's default error page with a custom one containing the Coinhive script.
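The observable described above, a proxy error page that carries the Coinhive loader, can be checked for mechanically. The following Python is an added example and is not code from 360 Security Center or from Trustwave's analysis. It inspects an HTTP response body for the Coinhive library and the site key that credits the mining to the attacker; the sample error page, the list of miner hostnames and the site key inside the sample are constructed for illustration only.

```python
"""Detect a Coinhive loader injected into an HTTP response body.

Added example: not code from 360 Security Center or Trustwave. It
inspects a response body (here, a constructed MikroTik Web Proxy
error page) for the Coinhive library and the site key that credits
the mining to the attacker. Hostnames, keys and HTML are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains that served the Coinhive miner library (assumption: extend as needed).
MINER_HOSTS = {"coinhive.com", "authedmine.com"}

# Coinhive miners are started with `new CoinHive.Anonymous("<site key>")`.
SITE_KEY_RE = re.compile(r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]+)['\"]")


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data as raw text.
        if self._in_script and data.strip():
            self.inline.append(data)


def find_miner(body):
    """Return details of any Coinhive loader found in an HTML body."""
    parser = _ScriptCollector()
    parser.feed(body)
    parser.close()
    miner_srcs = []
    for src in parser.srcs:
        # Prefix scheme-less sources so urlparse can pull out the host.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if host.lower() in MINER_HOSTS:
            miner_srcs.append(src)
    site_keys = sorted(set(SITE_KEY_RE.findall(" ".join(parser.inline))))
    return {
        "miner_scripts": miner_srcs,
        "site_keys": site_keys,
        "infected": bool(miner_srcs or site_keys),
    }


def classify(status, body):
    """Label a proxied response the way a defender triaging this campaign would."""
    result = find_miner(body)
    if not result["infected"]:
        return "clean"
    if status >= 400:
        return "error page carries miner"  # the pattern seen in this campaign
    return "content page carries miner"


# Constructed sample: what a compromised router's proxy error page might look
# like. The site key below is fake and exists only for this example.
INFECTED_ERROR_PAGE = """<html><head><title>Error</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLEFAKEKEY0000000000000000');
  miner.start();
</script>
</head><body><h1>ERROR: The requested URL could not be retrieved</h1>
</body></html>"""

# Constructed sample of a benign proxy error page for comparison.
CLEAN_ERROR_PAGE = """<html><head><title>Error</title></head>
<body><h1>ERROR: The requested URL could not be retrieved</h1></body></html>"""


if __name__ == "__main__":
    for label, page in (("infected", INFECTED_ERROR_PAGE), ("clean", CLEAN_ERROR_PAGE)):
        print(label, "->", classify(502, page), find_miner(page))
```

Run against a body captured while browsing through a suspect router (for instance, by requesting a non-existent host through the proxy to provoke its error page); a 4xx or 5xx response whose body loads the Coinhive library is the signature of this campaign, and the extracted site key is the indicator worth sharing, since every infected router in one campaign credits the same key.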

