{
	"id": "e014ea8a-9b28-4ff6-a06f-36b375d6755a",
	"created_at": "2026-04-06T00:17:05.712388Z",
	"updated_at": "2026-04-10T03:26:42.764434Z",
	"deleted_at": null,
	"sha1_hash": "67bffdff3fd9d391d0d675fddd98644cfafedbd2",
	"title": "The TrickBot and MikroTik Connection – A Story of Investment and Collaboration",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38415,
	"plain_text": "The TrickBot and MikroTik Connection – A Story of Investment\r\nand Collaboration\r\nBy Wicus Ross\r\nPublished: 2018-12-12 · Archived: 2026-04-05 15:25:34 UTC\r\nIn my professional capacity I perform several tasks. One involves tracking and collecting indicators of\r\ncompromise (IoC) used to identify malware campaigns. Another involves tracking incidents reported in\r\nmainstream media, establishing trends, and distilling the information into actionable items for clients and\r\ncolleagues. The fun part of my job involves writing tools or playing with those authored by others. \r\nThis is a story where all these aspects neatly intersect. It’s also a story which highlights the need for security\r\ncompanies to invest in their staff, and to encourage creativity to build a safer online environment for businesses\r\nand consumers.\r\nTracking TrickBot\r\nSecurity companies across the globe track malware campaigns, including one named TrickBot. TrickBot monitors\r\nthe web surfing activity of its victim, and activates when certain websites, such as internet banking, are accessed. It\r\nthen attempts to capture account details of its victim when he or she browses to a login URL that is being\r\nmonitored. \r\nIf we look at industry trends, this one is definitely a contender on the top ten offender list. Among the others are\r\nthose which target unsecured IoT devices, subverting them into what is called a botnet – the likes of Mirai, Satori,\r\nVPNFilter, and Slingshot. The latter two have been linked to APT or nation-state actors, Mirai and VPNFilter have\r\nbeen associated with distributed denial of service attacks, while Slingshot was reportedly used to pivot into\r\ninternal networks. So, a pretty bad bunch! \r\nWe’ve noticed, in our own tracking of botnets, the increasing involvement of MikroTik devices, and have also noted\r\nvulnerable MikroTik routers through publicly disclosed vulnerabilities that were attributed to others. 
This,\r\ncoupled with poor vulnerability management, has meant an increase in the number of compromised MikroTik\r\nhosts. \r\nWhere internal investment plays its part\r\nOn to the fun part. Our team takes a creative approach to cybersecurity and is constantly expanding its\r\ncapabilities, building tools not only because they have to, but out of curiosity.\r\nEnter my esteemed colleague, Willem. A few weeks ago, Willem saw that Pastebin was running a lifetime Pro\r\nsubscription promotion. Willem signed up, and a couple of hours later had created Pastebot, a Pastebin scraper that\r\nhooked into the cloud-based collaboration platform Slack. It was not long before Pastebot started spamming our SD\r\nLabs’ Slack workspace with all kinds of nasties found on Pastebin. \r\nhttps://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/\r\nPage 1 of 2\n\nFast forward to one Monday morning just before lunch. I received a Slack message from Willem with a link to a\r\nPastebin post that hosted XML config for a TrickBot campaign. This was picked up by Pastebot because Willem\r\nwas looking for Pastebin posts that contain names of certain well-established financial institutions. This returned a\r\nTrickBot XML file containing 38 IP address and port pairs across the world.\r\nNext, a quick spot check using Shodan, which provided us with a sense of what we were dealing with: several\r\nwere associated with MikroTik routers. We verified this and the result was surprising. Of the 38 IPs, Shodan\r\nreturned info on 37 hosts, 19 of which were identified as MikroTik routers. This suggests that either the routers or\r\nthe hosts behind them had been compromised – or both. \r\nOne of the MikroTik routers reported the latest firmware version, which had been fully patched against known\r\nexploits. All 19 MikroTik routers had their bandwidth test services exposed to the internet, and 18 had default\r\nSSH ports exposed to the internet. 
\r\nTools and tactics\r\nWe passed the MikroTik router IPs through IOCParlor (a tool created by our team that helps automate IOC collection\r\nand verification) to get a sense of how naughty these hosts really are. IOCParlor queried VirusTotal and returned a\r\nlist of 14 IPs flagged as malicious.\r\nTo verify the results, we picked one IP and manually reviewed it using the VirusTotal web client, which produced\r\nan MS Word document.\r\nOf the 61 malware engines that scanned the document, 35 reported it as malicious. Several of the malware engines\r\nclassified the document as a trojan downloader, meaning that when Word opens the file it will download malware. \r\nThe community tab associated with the VirusTotal report had several comments, including one from dvk01 of\r\nMy Online Security, a phishing and malware campaign reporting site that the SD Labs team regularly uses. dvk01\r\nlabelled the malware as TrickBot and linked to an article that describes how the same contagion was used for a\r\nmalicious Bank of America email. \r\nIn September 2018, there were reports in the industry that highlighted the increasing number of MikroTik routers\r\nthat are ensnared in malicious activity. What was interesting was that TrickBot is using C2 hosts that have\r\nMikroTik routers involved. \r\nHad the SD Labs not been tinkering with cybersecurity tools, this discovery may not have been made. 
Leveraging\r\nseemingly unrelated events and tying them together with other analysis demonstrates the need to not only examine\r\nobscure incidents across the industry, but also the kind of tactics needed to protect organizations against threats\r\nthat could never have been imagined.\r\nContinued investment in research and tooling is needed across industry, coupled with a creative approach and\r\nsome outside-the-box thinking.\r\nSource: https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/"
	],
	"report_names": [
		"trickbot-mikrotik-connection"
	],
	"threat_actors": [
		{
			"id": "72aaa00d-4dcb-4f50-934c-326c84ca46e3",
			"created_at": "2023-01-06T13:46:38.995743Z",
			"updated_at": "2026-04-10T02:00:03.175285Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "MISPGALAXY:Slingshot",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f55c7778-a41c-4fc6-a2e7-fa970c5295f2",
			"created_at": "2022-10-25T16:07:24.198891Z",
			"updated_at": "2026-04-10T02:00:04.897342Z",
			"deleted_at": null,
			"main_name": "Slingshot",
			"aliases": [],
			"source_name": "ETDA:Slingshot",
			"tools": [
				"Cahnadr",
				"GollumApp",
				"NDriver"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775791602,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67bffdff3fd9d391d0d675fddd98644cfafedbd2.pdf",
		"text": "https://archive.orkl.eu/67bffdff3fd9d391d0d675fddd98644cfafedbd2.txt",
		"img": "https://archive.orkl.eu/67bffdff3fd9d391d0d675fddd98644cfafedbd2.jpg"
	}
}