A newly discovered botnet of roughly 13,000 compromised MikroTik devices is taking advantage of misconfigured Domain Name System (DNS) records to bypass email security checks and deliver malware. The campaign does not exploit a flaw in the Sender Policy Framework (SPF) itself, the DNS-based mechanism receivers use to check whether a sending server is authorized for a domain; it abuses SPF records that the domain owners themselves published incorrectly. Around 20,000 web domains carry an SPF record ending in the overly permissive “+all” mechanism, which tells receiving mail servers that any host on the internet may send mail for the domain. Because SPF is evaluated left to right and “all” matches every sender, a “+all” term renders every other entry in the record meaningless, so the attacker can spoof those domains and deliver malicious content that passes the SPF check.
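To make the “+all” failure mode concrete, here is a small SPF record checker added as an example for this article; it is not Infoblox's tooling or part of the original report. It parses an SPF TXT string per the RFC 7208 term grammar, finds the effective qualifier on the “all” mechanism (a bare “all” defaults to “+”, which is just as spoofable), and rewrites a weak record to “-all”. The domain names and records below are constructed sample input, not domains from the campaign.

```python
import re

# Simplified RFC 7208 grammar: a term is either a mechanism
# "[qualifier]name[:arg|/cidr]" or a modifier "name=value".
_MECH = re.compile(r"^([+\-~?])?([a-zA-Z0-9]+)(?:([:/].*))?$")
_MOD = re.compile(r"^([a-zA-Z][a-zA-Z0-9_.\-]*)=(.*)$")


def parse_spf(record):
    """Split an SPF record into ('mech', qualifier, name, arg) and
    ('mod', name, value) tuples. A mechanism with no explicit
    qualifier gets '+', which is the RFC default."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    terms = []
    for raw in parts[1:]:
        m = _MECH.match(raw)
        if m:
            qual, name, arg = m.groups()
            terms.append(("mech", qual or "+", name.lower(), arg or ""))
            continue
        m = _MOD.match(raw)
        if m:
            terms.append(("mod", m.group(1).lower(), m.group(2)))
            continue
        raise ValueError("unparseable SPF term: %r" % raw)
    return terms


def effective_all(record):
    """Qualifier of the first 'all' term, or None if the record has none.
    SPF stops at the first matching mechanism and 'all' always matches,
    so the first 'all' decides the result for every unlisted sender."""
    for term in parse_spf(record):
        if term[0] == "mech" and term[2] == "all":
            return term[1]
    return None


def is_spoofable(record):
    """True when any IP on the internet gets a PASS: '+all' or bare 'all'."""
    return effective_all(record) == "+"


def classify(record):
    """Human-readable verdict on what unlisted senders receive."""
    verdicts = {
        "+": "pass-all: any host may send as this domain (spoofable)",
        "-": "fail: unlisted hosts are rejected",
        "~": "softfail: unlisted hosts are marked but usually accepted",
        "?": "neutral: no assertion, treated like having no SPF record",
        None: "no 'all' term: result is neutral unless redirect= applies",
    }
    return verdicts[effective_all(record)]


def harden(record):
    """Rewrite the first 'all' term to '-all'. If the record has no 'all'
    and no redirect= modifier (which defers policy to another domain),
    append '-all' so unlisted senders fail."""
    parts = record.strip().split()
    out, seen_all, has_redirect = [parts[0]], False, False
    for raw in parts[1:]:
        m = _MECH.match(raw)
        if m and m.group(2).lower() == "all" and not seen_all:
            out.append("-all")
            seen_all = True
            continue
        if raw.lower().startswith("redirect="):
            has_redirect = True
        out.append(raw)
    if not seen_all and not has_redirect:
        out.append("-all")
    return " ".join(out)


# Constructed sample records (hypothetical domains, not from the campaign).
WEAK_RECORD = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 +all"
BARE_ALL_RECORD = "v=spf1 mx all"          # no qualifier on 'all' means '+'
HARDENED_RECORD = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, BARE_ALL_RECORD, HARDENED_RECORD):
        print("%-60s -> %s" % (rec, classify(rec)))
    print("hardened:", harden(WEAK_RECORD))
```

Run it on a real domain by pulling the TXT record with `dig +short TXT example.com` and passing the string that starts with `v=spf1`; a domain whose output reads “pass-all” is exactly what this campaign is hunting for, and the fix is the one `harden` produces: keep the authorized senders, end with `-all` (or `~all` while validating that nothing legitimate breaks).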
The botnet was discovered by DNS security company Infoblox, which tracked a malspam campaign active in late November 2024. Some of the fraudulent emails impersonated well-known companies such as DHL Express and tricked recipients into opening attachments that appeared to be freight invoices. The attachment was a ZIP archive containing a JavaScript file; when opened, that script launched a PowerShell script, which in turn connected to a command-and-control (C2) server operated by the attacker. The domain associated with the C2 server had previously been linked to Russian cybercriminal groups.
Infoblox researchers revealed that the operation was much larger than the spam campaign alone suggested: approximately 13,000 hijacked MikroTik devices form a sprawling network used to send phishing emails, exfiltrate data, and mask the origin of malicious traffic. The attacker configured the compromised routers as SOCKS4 proxies, so that any traffic they relay appears to come from the router rather than from the attacker's own infrastructure. That proxy layer lets the botnet launch distributed denial-of-service (DDoS) attacks, deliver phishing emails, and distribute malware while hiding the true source, and because a single operator can direct thousands of such proxies at once, it significantly increases both the scale and the impact of the operations.
Despite repeated warnings to MikroTik device owners to update their firmware and patch known vulnerabilities, many devices remain exposed because patching is slow or never happens. The botnet demonstrates the danger posed by unsecured, outdated networking equipment sitting at the edge of networks. Infoblox has advised MikroTik users to apply the latest firmware updates, change default administrator credentials, and restrict remote access to the management interfaces unless it is absolutely necessary. The misuse of MikroTik devices underlines the importance of robust security practices and timely software updates in protecting against botnet-driven cyberattacks.