A Botnet's Search for MikroTik Routers
Last updated: 2021-09-20
Last Updated: 2021-02-04
Last month, I wrote a post about setting up honeypots on GCP where I stood up a low-interaction SSH honeypot. Since then, I’ve been able to log a few megabytes worth of unauthorized behavior. This post will report on a repeated security event targeting misconfigured MikroTik routers.
The attacker logs into the honeypot using admin/password and then sends the commands seen below into the honeypot terminal. Several IP addresses have been logged exhibiting the same command entry pattern, suggesting botnet activity. These source IPs are shared at the end of the post.
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
echo Hi | cat -n
In order to try to attribute a malware campaign to this behavior, we must analyze the movements by the attacking entity. This section discusses observations relating the commands used to potential motives in an attempt to learn more about the event behavior.
/ip cloud print
/ip cloud print prints the parameters set for RouterOS, the OS used by MikroTik devices. You can read about this command in the MikroTik wiki. No other tools using this command have been identified yet, so the command may be specific to MikroTik devices. MikroTik is a popular networking vendor based in Latvia. We will touch on MikroTik later in this post.
The attackers then gather system information with ifconfig, uname -a, and cat /proc/cpuinfo, in that order.
ifconfig prints networking information. When called with no flags, information about connected network interfaces is printed to the console, including your IP address and what kind of network interfaces are available/active. Some network interfaces can give clues about the environment a device is running in. For example, running ifconfig in a GCP Ubuntu 18.04 VM returns the lo loopback interface and ens4. Machines with Docker installed will show
uname prints basic system information; uname -a prints all of it. On a GCP Ubuntu 18.04 VM, uname -a returns:
$ uname -a
Linux monitor 4.15.0-1091-gcp #104~16.04.1-Ubuntu SMP Tue Dec 15 19:05:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
cat /proc/cpuinfo prints CPU information to the screen. Here is an example of output on a GCP Ubuntu 18.04 VM:
These commands are used to gather information about the device.
ps -ef | grep '[Mm]iner'
The ps command prints running processes along with some information about them. The -ef flags print every process using the standard syntax, where -e selects all processes and -f triggers a full-format listing. It is interesting that both ps and ps -ef are used in the event. An example of the differences between the two commands on a GCP Ubuntu 18.04 VM is shown below:
Piping the process listing to grep '[Mm]iner' will return all processes with the word miner or Miner in their name. This behavior may indicate the attacker is searching for active cryptominers running on the misconfigured system. Normally, running this command on, say, a GCP Ubuntu 18.04 VM would return nothing; example below:
ls -la /dev/ttyGSM* /dev/ttyUSB-mod* ...
The botnet uses ls -la to search for a specific set of system files. I’ve associated the requested files with potentially related router services and listed the results in the table below.
Yes, SMS, as in text messages. SMS stands for Short Message Service, used by mobile and internet-connected devices. MikroTik supports sending SMS messages via a GSM modem. Users report configuring their MikroTik to use text messages for router management, including receiving health alert text messages from the router and/or being able to reset the admin/user password via SMS. See the MikroTik Wiki for more information.
GSM stands for Global System for Mobile Communications, the standard protocol for mobile communications. On a MikroTik router, /dev/ttyGSM* may return the virtual serial ports in use by the RouterOS modem (kernel.org, 2011). Users on StackExchange discuss gaining a direct serial connection to an RB4011 MikroTik router using sudo screen /dev/ttyUSB0 115200 cs8 ixoff, implying that ls -la /dev/ttyUSB* can be used to identify a live serial connection to an active router.
/usr/bin/qmuxd points to the QMUX daemon. qmuxd is a Linux user-space process that multiplexes between programs interfacing with QMI (Qualcomm MSM Interface) and one or more shared-memory based QMUX ports offered by the broadband processor (Osmocom, 2019). This GitHub issue from 2017 suggests it is related to critical modem-related messaging services. Another issue cites qmuxd as being the daemon responsible for talking to the modem via shared memory on Android.
Limited information on /etc/config/simman was discovered on common search engines. For instance, DuckDuckGo returns only 2 unique results. The only conclusive results returned for this string were live honeypot dashboards and websites written in Russian. I’ve translated the relevant results below.
How to change APN?: Technical Support
nano /etc/config/simman
Change the parameters of option GPRS_apn.
config sim0
option priority '1'
option GPRS_apn 'tele91.msk'
config sim1
option priority '0'
option GPRS_apn 'tele91.msk'
Save the settings file: Ctrl+X, then confirm saving under the same name.
SIM Card Manager Settings: Technical Support
To configure the SIM Manager using the console, open the file /etc/config/simman: nano /etc/config/simman. In the window that opens, you can edit the configuration:
config simman 'core'
This was an additional result returned from Google:
Routers TELEOFIS RTU968, RTU1068 V2. Manual …
The translated results suggest the botnet is checking for the existence of a configuration file related to SIM card management.
On a new GCP Ubuntu 18.04 VM, the same ls -la command returns no file matches:
echo Hi | cat -n
To help explain this behavior, I’ve displayed the expected output of echo Hi | cat -n:
$ echo Hi | cat -n
     1	Hi
Why would a robot want to print “Hi” to the console? Let’s take a step back and look at the series of commands executed. The commands first search for information about the machine with uname. They look for running processes with ‘miner’ in their process name. They check for specific files, all checks that will fail on the honeypot. After executing these commands, the unauthorized entity prints a greeting to standard out in an unusual manner.
One explanation is that after determining the machine is a honeypot, the botnet leaves a mark to record that it has identified the machine as a honeypot. The mark could be a flag to prevent the botnet from dropping its malware on research honeypots.
Related Security Researcher Reports
Similar behavior has been previously reported by security researcher @remco_verhoef. On June 13th, 2018, Verhoef writes:
“We’ve found interesting new traffic within our Honeytrap agents, originating from servers within Russia only (to be specific, the netblock owned by NKS / NCNET Broadband)… they are executing all of the following ssh commands:” (SANS, 2018)
/ip cloud print
help
ifconfig
uname -a
show ip
cat /proc/cpuinfo
uptime
ls -la
ls /data/data/com.android.providers.telephony/databases
echo Hi | cat -n
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
In his post, Verhoef notes that since RouterOS v6.27 the /ip cloud print command has been deprecated, indicating that the targeted devices are those running software older than v6.27. Verhoef adds that because “not all of the above commands are programmed to return the output expected by the script, it could be just probing for specifics about the attacked server” (SANS, 2018).
MikroTik & Coinhive Campaign Reports
MikroTik is a router vendor based in Latvia whose devices are widely used in Eastern Europe. On May 23rd, 2018, Cisco Talos reported that some MikroTik devices are vulnerable to VPNFilter malware; they also warn that routers were being compromised by Coinhive cryptocurrency malware. Talos identifies MikroTik RouterOS versions 1016, 1036, and 1072 for cloud core routers as vulnerable.
Two days later on May 25th, 2018 the FBI issued a public service announcement summarizing,
“Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.”
The security event analyzed in this post has been executed numerous times by several IP addresses against the HoneyTrap server hosted in GCP. The botnet appears quite active, crawling the internet for RouterOS devices with a weak username and password configuration. The motive behind these events has not been confirmed; however, as the FBI suggests, there are numerous malicious operations that could be conducted on a compromised router.
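As an added, defender-side example (my own code, not part of the original post or of the honeypot software): a small script that groups a honeypot's command log by session and flags sessions that replay the ordered command sequence analyzed above. The log line format and the sample entries are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed log, one "<timestamp> <src_ip> <session> <command>" per line (format assumed).
SAMPLE_LOG = """\
2021-01-14T03:12:01Z 203.0.113.7 s1 /ip cloud print
2021-01-14T03:12:01Z 203.0.113.7 s1 ifconfig
2021-01-14T03:12:02Z 203.0.113.7 s1 uname -a
2021-01-14T03:12:02Z 203.0.113.7 s1 cat /proc/cpuinfo
2021-01-14T03:12:03Z 203.0.113.7 s1 ps | grep '[Mm]iner'
2021-01-14T03:12:03Z 203.0.113.7 s1 ps -ef | grep '[Mm]iner'
2021-01-14T03:12:04Z 203.0.113.7 s1 ls -la /dev/ttyGSM* /etc/config/simman /dev/modem*
2021-01-14T03:12:04Z 203.0.113.7 s1 echo Hi | cat -n
2021-01-14T04:40:10Z 198.51.100.9 s2 uname -a
"""
# Ordered fingerprint from this post's command sequence; regexes tolerate ls -la variants.
FINGERPRINT = [
    r"^/ip cloud print$",
    r"^ifconfig$",
    r"^uname -a$",
    r"^cat /proc/cpuinfo$",
    r"^ps \| grep '\[Mm\]iner'$",
    r"^ps -ef \| grep '\[Mm\]iner'$",
    r"^ls -la .*(ttyGSM|simman|qmuxd|smsd)",
    r"^echo Hi \| cat -n$",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def sessions_from_log(text):
    """Group commands by (src_ip, session), keeping the order they were typed in."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, src, sid, cmd = m.groups()
            sessions[(src, sid)].append(cmd.strip())
    return sessions

def fingerprint_score(commands):
    """Number of fingerprint steps matched in order (subsequence match, gaps allowed)."""
    step = 0
    for cmd in commands:
        if step < len(FINGERPRINT) and re.match(FINGERPRINT[step], cmd):
            step += 1
    return step

def flag_sessions(text, threshold=6):
    """Sessions reaching the threshold as [(src_ip, score)]; the ordered chain, not any one command, is the tell."""
    scored = ((src, fingerprint_score(cmds)) for (src, _), cmds in sessions_from_log(text).items())
    return [(src, s) for src, s in scored if s >= threshold]
```

A lone uname -a or cat /proc/cpuinfo is everyday recon and scores nothing here; only a session that walks the chain in order is flagged, which keeps the rule quiet on unrelated scanners.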
Logged IP Addresses
Remember, botnets may operate from compromised endpoints. This means the IPs listed below are not necessarily the endpoints of the “real” attacking entity; they could instead be zombified victim endpoints or VPN endpoints.
The event described in this post has been captured multiple times by the following addresses:
188.8.131.52 184.108.40.206 220.127.116.11
The event described in this post is associated with the following hosts once:
18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124