A new botnet has been identified that delivers malware through spam campaigns using spoofed sender domains.
The malspam campaign exploits misconfigured DNS records, allowing the threat actor to bypass traditional email security protections.
Researchers detected over 13,000 compromised MikroTik devices and 20,000 domains used to deliver spoofed emails.
Due to the large number of hijacked MikroTik devices, the botnet can launch various types of criminal actions, such as phishing campaigns, data theft, and DDoS attacks.
DNS Misconfiguration Fuels Large Botnet Operation
According to Infoblox, a malspam campaign was discovered at the end of November. The emails, themed around freight invoices, contained a zip file with a malicious payload.
In the emails, the actor impersonated the transportation business DHL.
The included zip file contains an obfuscated JavaScript file that generates and executes a PowerShell script, which establishes an outbound connection to the malware command and control (C2) server at 62.133.60[.]137.
The hosting IP address has a suspicious usage history connected to earlier Russian activity.
A wide range of domains and SMTP server IP addresses were discovered in the headers of numerous spam emails, and researchers discovered a massive network of about 13,000 compromised MikroTik devices, all of which were part of a sizable botnet.
Collectively, they form a significant cannon, poised and prepared to unleash a torrent of malicious actions.
Several significant flaws in MikroTik routers have been found, and while the firmware version of a router is not always accessible, researchers observed that several versions, including the most recent firmware update, were affected.
Researchers say that the actor has been placing a script on the devices that activates SOCKS (Secure Sockets), which permits the devices to function as TCP redirectors.
“Enabling SOCKS effectively turns each device into a proxy, masking the true origin of malicious traffic and making it harder to trace back to the source”, reads the report.
Another significant concern is that since these proxies don’t require authentication, other actors can take advantage of individual devices or the entire botnet.
When a user sends an email, the receiving mail server examines the sending domain's SPF record to ensure that the message originated from an authorized server.
If the message does not pass this check, it is more likely to be rejected or flagged as spam. The SPF data is published as a TXT record in the domain's DNS records.
Researchers said that even though the domain owners had set up SPF, their configuration allowed email to be sent on behalf of their domains from any server.
This DNS misconfiguration might have occurred by accident or as a malicious modification by a threat actor who had access to the domain’s registrar account.
As a result, any device can impersonate a legitimate domain in emails.
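To make the misconfiguration concrete, here is an added example (not code from the report or from Infoblox) that parses SPF TXT records and evaluates them for a sending IP. The records are constructed samples; the permissive one uses the SPF "+all" qualifier defined in RFC 7208, assumed here as one way a record ends up passing every sender, since the report excerpt above does not reproduce the affected records.

```python
import ipaddress

# Constructed sample TXT records (not taken from the report). The first one
# shows the failure class described above: "all" carries the "+" qualifier,
# so any host on the internet passes SPF for that domain.
SAMPLE_RECORDS = {
    "example.com":  "v=spf1 ip4:203.0.113.0/24 +all",   # permissive: everyone passes
    "example.org":  "v=spf1 ip4:203.0.113.0/24 -all",   # strict: only the listed range
    "example.net":  "v=spf1 ip4:203.0.113.0/24 ~all",   # softfail for everyone else
    "example.info": "v=spf1 ip4:203.0.113.0/24 ?all",   # neutral: effectively no policy
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples.
    A missing qualifier defaults to "+" (pass), as RFC 7208 specifies."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip. Only ip4/ip6/all are handled
    (no include/redirect), which is enough for the sample records above."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            # ip_network.__contains__ returns False on an IP version mismatch
            matched = ip in ipaddress.ip_network(argument, strict=False)
        else:
            matched = mechanism == "all"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched: default result per RFC 7208


def is_permissive(record, probe_ip="198.51.100.77"):
    """True when an address outside every listed range is not rejected,
    i.e. the record does not actually constrain who may send."""
    return evaluate(record, probe_ip) in ("pass", "neutral")


def permissive_domains(records=SAMPLE_RECORDS):
    """Audit helper: list the domains whose SPF record lets anyone send."""
    return sorted(d for d, r in records.items() if is_permissive(r))
```

Run against real zone data, the same check is a quick way to find domains whose SPF exists but no longer says anything.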
This botnet serves as a clear reminder of how constantly changing cybersecurity dangers are.
Because there are so many hacked MikroTik devices, the botnet can carry out a variety of criminal operations, such as phishing campaigns, DDoS attacks, and data theft.
Strong security measures are necessary since the use of SOCKS4 proxies makes detection and mitigation efforts even more difficult.