Malware turns unpatched MikroTik routers into proxy servers

Researchers have discovered malware that attacks both Windows systems and MikroTik routers. Antivirus company Trend Micro calls the malware Glupteba, and it spreads through social engineering: its creators place malicious advertisements on download sites.

These advertisements offer a download that is actually the malware. As soon as the user opens the downloaded file, all kinds of data from Chrome, Opera and the Yandex browser are stolen, such as cookies, browsing history, usernames and passwords. In addition, the malware tries to attack MikroTik routers in the local network from the infected system.

The malware uses a vulnerability in Winbox that was patched by MikroTik last April. The vulnerability can be used to access the user database and thus obtain the administrator password. The password is then sent to the attackers. Subsequently, various services such as Telnet and Winbox are switched off on the router. This is probably done to prevent other attackers from taking over the router via the same vulnerability, according to the researchers. Finally, the router is set up as a proxy to forward malicious traffic, such as spam.
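As an added example, not from the article or Trend Micro's research: a heuristic check of a RouterOS `/export` dump for the combination described above (Winbox switched off plus a proxy enabled). The `/ip proxy` and `/ip socks` menus are an assumption, since the article does not say which proxy feature is used, and the sample export is constructed.

```python
NAMED_SERVICES = {"telnet", "winbox"}    # services the article names
PROXY_MENUS = {"/ip proxy", "/ip socks"}  # assumption: article names no menu

# Constructed sample export, not taken from a real device.
SAMPLE = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set winbox disabled=yes
/ip socks
set enabled=yes
"""


def parse_export(text):
    """Yield (menu, command) pairs from RouterOS `/export` output."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # export wraps long lines with a backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            menu = line
        elif menu:
            yield menu, line


def audit(text):
    """Return (suspicious, findings) for the state described in the article."""
    disabled, proxies = set(), set()
    for menu, cmd in parse_export(text):
        words = cmd.split()
        if menu == "/ip service" and len(words) > 2 and words[0] == "set":
            if words[1] in NAMED_SERVICES and "disabled=yes" in words[2:]:
                disabled.add(words[1])
        elif menu in PROXY_MENUS and words[0] == "set" and "enabled=yes" in words:
            proxies.add(menu)
    findings = [f"proxy enabled under {p}" for p in sorted(proxies)]
    findings += [f"service {s} disabled" for s in sorted(disabled)]
    # Turning Telnet off is ordinary hardening; flag only proxy + Winbox off.
    return bool(proxies) and "winbox" in disabled, findings


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A positive result is a prompt to review the router, not proof of compromise, since an administrator may have chosen the same settings deliberately.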

“When setting up routers, security must be given the highest priority,” says Trend Micro researcher Jaromir Horejsi. “Most devices in homes and offices are connected to these devices and can be affected if a router is compromised.”
