Microsoft uncovers Trickbot’s use of MikroTik devices in command-and-control infrastructure

The Microsoft Defender for IoT research team has discovered the method through which MikroTik devices are used in Trickbot’s C2 infrastructure. 

The Trickbot malware has evolved continuously since its discovery in 2016 and has now expanded its reach from computer systems to Internet of Things (IoT) devices, such as routers, which it manages as part of its command-and-control (C2) infrastructure.

By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, Trickbot adds another persistence layer that helps malicious IPs evade detection by standard security systems.
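As an added defensive illustration (not code from the page or from Microsoft's tool), the check below audits a RouterOS `/export`-style NAT configuration for `dst-nat` rules that redirect a non-standard inbound port, or rewrite the port, to another host, which is the proxying pattern described above. The sample configuration and the list of "standard" ports are constructed assumptions; treat hits as leads for manual review, not proof of compromise.

```python
import re
from typing import Dict, List

# Constructed sample in RouterOS "/export" syntax (not taken from the page).
# Rule 2 is an ordinary port-forward; rule 3 redirects a non-standard port
# to another host, the kind of proxy rule a defender would want to review.
SAMPLE_EXPORT = """\
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=dstnat action=dst-nat protocol=tcp dst-port=443 to-addresses=192.0.2.10 to-ports=443
add chain=dstnat action=dst-nat protocol=tcp dst-port=449 to-addresses=203.0.113.5 to-ports=80
"""

# Assumed baseline of ports a legitimate port-forward commonly exposes.
STANDARD_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_nat_rules(export_text: str) -> List[Dict[str, str]]:
    """Return one dict of key=value attributes per 'add' line under /ip firewall nat."""
    rules, in_nat = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"  # track which menu the 'add' lines belong to
            continue
        if in_nat and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return rules


def suspicious_redirects(export_text: str) -> List[Dict[str, str]]:
    """Flag dst-nat rules whose inbound port is non-standard or is rewritten on the way out."""
    hits = []
    for r in parse_nat_rules(export_text):
        if r.get("chain") != "dstnat" or r.get("action") != "dst-nat":
            continue
        try:
            dst_port = int(r.get("dst-port", ""))
        except ValueError:
            continue  # port lists/ranges (e.g. 80,443) are left for manual review
        to_ports = r.get("to-ports", r["dst-port"])  # absent to-ports keeps the inbound port
        if dst_port not in STANDARD_PORTS or to_ports != r["dst-port"]:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_EXPORT):
        print("review:", hit)
```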

Through this analysis, Microsoft has developed a forensic tool to identify Trickbot-related compromise and other suspicious indicators on MikroTik devices. The tool can help customers verify whether their IoT devices are susceptible to these attacks.

The article describes how MikroTik devices are compromised and used in attacks.

The Microsoft Blog
Microsoft's open source forensic tool to identify Trickbot