In a newly uncovered malicious campaign, a MikroTik botnet spanning thousands of devices has been observed bypassing email security and spreading malware by spoofing at least 20,000 domains.
The threat actor takes advantage of misconfigured Sender Policy Framework (SPF) DNS records. An SPF record is meant to list the servers permitted to send email on behalf of a domain; the misconfigured records instead permit any server to do so.
The MikroTik botnet campaign started in November last year.
According to investigations, the MikroTik botnet operators started the malspam campaign in November 2024. Some emails impersonated the shipping company DHL Express and included bogus freight bills with a ZIP archive containing a hostile payload.
The ZIP attachment contained a JavaScript file that assembled and ran a PowerShell script, which then connected to an attacker-controlled command-and-control (C2) server on a domain previously attributed to Russian hackers.
The spam emails’ headers revealed various domains and SMTP server IP addresses, and the researchers claimed they uncovered a sprawling network of around 13,000 hijacked MikroTik devices, all part of a sizable botnet.
The researchers also explained that the SPF DNS records for over 20,000 domains were set to the highly permissive “+all” option, enabling any server to send emails on their behalf. This setting effectively contradicts the point of maintaining an SPF record, as it allows for spoofing and illegitimate email sending.
On the other hand, the “-all” option instructs receiving servers to treat mail from any host not listed in the record as failing SPF, and is the safer alternative. How the devices were compromised remains unknown, but the researchers suspect that multiple firmware versions were affected, including recent MikroTik releases.
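To show how the “+all” misconfiguration is found, here is an added example (not from the researchers’ report) that parses SPF TXT records and flags domains whose terminating “all” mechanism is pass-qualified; the domain names and records below are constructed for illustration.

```python
# Qualifier prefixes defined by SPF (RFC 7208). A mechanism with no prefix
# defaults to "+" (pass), so a bare "all" is as open as "+all".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_policy(txt_record: str):
    """Return the qualifier name ('pass', 'fail', 'softfail', 'neutral')
    applied to the first 'all' mechanism of an SPF record, or None when the
    record is not SPF or has no 'all' term (unmatched senders then get
    'neutral' by default). Mechanisms after 'all' are ignored, as in SPF."""
    terms = txt_record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        if term[0] in QUALIFIERS:
            qualifier, mechanism = term[0], term[1:]
        else:
            qualifier, mechanism = "+", term
        if mechanism.lower() == "all":
            return QUALIFIERS[qualifier]
    return None


def audit(records: dict) -> dict:
    """Classify each domain's TXT record: 'OPEN' for a pass-qualified 'all'
    (any host on the internet passes SPF), 'NO-SPF' when the record is not
    an SPF record, 'NO-ALL' for SPF without a terminating 'all', otherwise
    the upper-cased qualifier name (FAIL, SOFTFAIL, NEUTRAL)."""
    result = {}
    for domain, txt in records.items():
        terms = txt.strip().split()
        if not terms or terms[0].lower() != "v=spf1":
            result[domain] = "NO-SPF"
            continue
        policy = spf_all_policy(txt)
        if policy is None:
            result[domain] = "NO-ALL"
        elif policy == "pass":
            result[domain] = "OPEN"
        else:
            result[domain] = policy.upper()
    return result


# Constructed sample records standing in for real TXT lookups.
SAMPLE_RECORDS = {
    "open.example": "v=spf1 ip4:192.0.2.10 include:_spf.mail.example +all",
    "bare.example": "v=spf1 mx all",
    "strict.example": "v=spf1 ip4:192.0.2.10 -all",
    "soft.example": "v=spf1 mx ~all",
    "noall.example": "v=spf1 mx",
    "notspf.example": "some-site-verification=abc123",
}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{domain:16} {verdict}")
```

In a real audit the `SAMPLE_RECORDS` values would come from DNS TXT lookups of each domain; any domain reported as OPEN can be spoofed by the botnet described above.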
The power of MikroTik routers makes them attractive to threat actors, who compromise them to build botnets capable of extremely powerful attacks.
MikroTik device owners are urged to install their model’s most recent firmware update, change the default admin account credentials, and disable remote access to control panels if not required.
