{
	"id": "c370b129-9019-4bc3-b8aa-a3dbd86cf15e",
	"created_at": "2026-04-06T00:10:04.49673Z",
	"updated_at": "2026-04-10T03:21:16.60956Z",
	"deleted_at": null,
	"sha1_hash": "94d27eb8d94dfc6740d7a0cfe1246d9e1a12fe3f",
	"title": "Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 122066,
	"plain_text": "Uncovering Trickbot’s use of IoT devices in command-and-control\r\ninfrastructure | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2022-03-16 · Archived: 2026-04-05 18:56:51 UTC\r\nTrickbot, a sophisticated trojan that has evolved significantly since its discovery in 2016, has continually\r\nexpanded its capabilities and, even with disruption efforts and news of its infrastructure going offline, it has\r\nmanaged to remain one of the most persistent threats in recent years. The malware’s modular nature has allowed it\r\nto be increasingly adaptable to different networks, environments, and devices. In addition, it has grown to include\r\nnumerous plug-ins, access-as-a-service backdoors for other malware like Ryuk ransomware, and mining\r\ncapabilities. A significant part of its evolution also includes making its attacks and infrastructure more durable\r\nagainst detection, including continuously improving its persistence capabilities, evading researchers and reverse\r\nengineering, and finding new ways to maintain the stability of its command-and-control (C2) framework.\r\nThis continuous evolution has seen Trickbot expand its reach from computers to Internet of Things (IoT) devices\r\nsuch as routers, with the malware updating its C2 infrastructure to utilize MikroTik devices and modules.\r\nMikroTik routers are widely used around the world across different industries. By using MikroTik routers as\r\nproxy servers for its C2 servers and redirecting the traffic through non-standard ports, Trickbot adds another\r\npersistence layer that helps malicious IPs evade detection by standard security systems.\r\nThe Microsoft Defender for IoT research team has recently discovered the exact method through which MikroTik\r\ndevices are used in Trickbot’s C2 infrastructure. 
In this blog, we will share our analysis of the said method and\r\nprovide insights on how attackers gain access to MikroTik devices and use compromised IoT devices in Trickbot\r\nattacks.\r\nThis analysis has enabled us to develop a forensic tool to identify Trickbot-related compromise and other\r\nsuspicious indicators on MikroTik devices. We published this tool to help customers ensure these IoT devices are\r\nnot susceptible to these attacks. We’re also sharing recommended steps for detection and remediating compromise\r\nif found, as well as general prevention steps to protect against future attacks.\r\nhttps://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/\r\nPage 1 of 5\n\nFigure 1. Trickbot attack diagram\r\nHow attackers compromise MikroTik devices for Trickbot C2\r\nThe purpose of Trickbot for using MikroTik devices is to create a line of communication between the Trickbot-affected device and the C2 server that standard defense systems in the network are not able to detect. The attackers\r\nbegin by hacking into a MikroTik router. They do this by acquiring credentials using several methods, which we\r\nwill discuss in detail in the following section.\r\nThe attackers then issue a unique command that redirects traffic between two ports in the router, establishing the\r\nline of communication between Trickbot-affected devices and the C2. MikroTik devices have unique hardware\r\nand software, RouterBOARD and RouterOS. This means that to run such a command, the attackers need expertise\r\nin RouterOS SSH shell commands. We uncovered this attacker method by tracking traffic containing these SSH\r\nshell commands.\r\nFigure 2. Direct line of communication between the Trickbot infected device and the Trickbot C2\r\nAccessing the MikroTik device and maintaining access\r\nAttackers first need to access the MikroTik shell to run the routing commands. 
To do so, they need to acquire\r\ncredentials. As mentioned earlier, based on our analysis, there are several methods that attackers use to access a\r\ntarget router:\r\nUsing default MikroTik passwords.\r\nLaunching brute force attacks. We have seen attackers use some unique passwords that probably were\r\nharvested from other MikroTik devices.\r\nExploiting CVE-2018-14847 on devices with RouterOS versions older than 6.42. This vulnerability\r\ngives the attacker the ability to read arbitrary files like user.dat, which contains passwords.\r\nTo maintain access, the attackers then change the affected router’s password.\r\nRedirecting traffic\r\nMikroTik devices have a unique Linux-based OS called RouterOS with a unique SSH shell that can be accessed\r\nthrough SSH protocol using a restricted set of commands. These commands can be easily identified by the prefix\r\n“/”. For example:\r\n/ip\r\n/system\r\n/tool\r\nThese commands usually won’t have any meaning on regular Linux-based shells and are solely intended for\r\nMikroTik devices. We observed through Microsoft threat data the use of these types of commands. Understanding\r\nthat these are MikroTik-specific commands, we were able to track their source and intent. For example, we\r\nobserved attackers issuing the following commands:\r\n/ip firewall nat add chain=dstnat proto=tcp dst-port=449 to-port=80 action=dst-nat to-addresses=\u003cin\r\nFrom the command, we can understand the following:\r\nA new rule, similar to iptables, is created\r\nThe rule redirects traffic from the device to a server\r\nThe redirected traffic is received from port 449 and redirected to port 80\r\nThe said command is a legitimate network address translation (NAT) command that allows the NAT router to\r\nperform IP address rewriting. In this case, it is being used for malicious activity. 
Trickbot is known for using ports\r\n443 and 449, and we were able to verify that some target servers were identified as TrickBot C2 servers in the\r\npast.\r\nThis analysis highlights the importance of keeping IoT devices secure in today’s ever evolving threat environment.\r\nUsing Microsoft threat data, Microsoft’s IoT and operational technology (OT) security experts established the\r\nexact methods that attackers use to leverage compromised IoT devices and gained knowledge that can help us\r\nbetter protect customers from threats.\r\nDefending IoT devices against Trickbot attacks\r\nAs security solutions for conventional computing devices continue to evolve and improve, attackers will explore\r\nalternative ways to compromise target networks. Attack attempts against routers and other IoT devices are not\r\nnew, and being unmanaged, they can easily be the weakest links in the network. Therefore, organizations should\r\nalso consider these devices when implementing security policies and best practices.\r\nAn open-source tool for MikroTik forensics\r\nWhile investigating MikroTik and attacks in the wild, we observed several methods of attacking these devices in\r\naddition to the method we described in this blog. 
We aggregated our knowledge of these methods and known\r\nCVEs into an open-source tool that can extract the forensic artifacts related to these attacks.\r\nSome of this tool’s functionalities include the following:\r\nGet the version of the device and map it to CVEs\r\nCheck for scheduled tasks\r\nLook for traffic redirection rules (NAT and other rules)\r\nLook for DNS cache poisoning\r\nLook for default ports change\r\nLook for non-default users\r\nWe have published the tool on GitHub and are sharing this tool with the broader community to encourage better\r\nintelligence-sharing in the field of IoT security and to help build better protections against threat actors abusing\r\nIoT devices.\r\nHow to detect, remediate, and prevent infections\r\nOrganizations with potentially at-risk MikroTik devices can perform the following detection and remediation\r\nsteps:\r\nRun the following command to detect if the NAT rule was applied to the device (completed by the tool as\r\nwell):\r\nIf the following data exists, it might indicate infection:\r\nchain=dstnat action=dst-nat to-addresses=\u003cpublic IP address\u003e\r\nto-ports=80 protocol=tcp dst-address=\u003cyour MikroTik IP\u003e dst-port=449\r\nchain=srcnat action=masquerade src-address=\u003cyour MikroTik IP\u003e\r\nRun the following command to remove the potentially malicious NAT rule:\r\n/ip firewall nat remove numbers=\u003crule number to remove\u003e\r\nTo prevent future infections, perform the following steps:\r\nChange the default password to a strong one\r\nBlock port 8291 from external access\r\nChange SSH port to something other than default (22)\r\nMake sure routers are up to date with the latest firmware and patches\r\nUse a secure virtual private network (VPN) service for remote access and restrict remote access to 
the\r\nrouter\r\nProtect IoT devices and IT networks with Microsoft Defender\r\nTo harden IoT devices and IT networks against threats like Trickbot, organizations must implement solutions that\r\ndetect malicious attempts to access devices and raise alerts on anomalous network behavior. Microsoft Defender\r\nfor IoT provides agentless, network-layer security that lets organizations deploy continuous asset discovery,\r\nvulnerability management, and threat detection for IoT, OT devices, and Industrial Control Systems (ICS) on-premises or in Azure-connected environments. It is updated regularly with indicators of compromise (IoCs) from\r\nthreat research like the one described in this blog, and rules to detect malicious activity.\r\nMeanwhile, Microsoft 365 Defender protects against attacks related to highly modular, multi-stage malware like\r\nTrickbot by coordinating threat data across identities, endpoints, cloud apps, email, and documents. Such cross-domain visibility allows Microsoft 365 Defender to comprehensively detect and remediate Trickbot’s end-to-end\r\nattack chain—from malicious attachments and links it sends via emails to its follow-on activities in endpoints. Its\r\nrich set of tools like advanced hunting also lets defenders surface threats and gain insights for hardening networks\r\nfrom compromise.\r\nIn addition, working with the Microsoft Defender for IoT Research Team, RiskIQ identified compromised\r\nMikroTik routers acting as communication channels for Trickbot C2 and created detection logic to flag devices\r\nunder threat actor control. 
See RiskIQ’s article.\r\nTo learn more about securing your IoT and OT devices, explore Microsoft Defender for IoT.\r\nDavid Atch, Section 52 at Microsoft Defender for IoT\r\nNoa Frumovich, Section 52 at Microsoft Defender for IoT\r\nRoss Bevington, Microsoft Threat Intelligence Center (MSTIC)\r\nSource: https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/"
	],
	"report_names": [
		"uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434204,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94d27eb8d94dfc6740d7a0cfe1246d9e1a12fe3f.pdf",
		"text": "https://archive.orkl.eu/94d27eb8d94dfc6740d7a0cfe1246d9e1a12fe3f.txt",
		"img": "https://archive.orkl.eu/94d27eb8d94dfc6740d7a0cfe1246d9e1a12fe3f.jpg"
	}
}