Russian Botnet Exploits DNS Misconfiguration for Malware Delivery

Summary

Recently, Infoblox Threat Intelligence uncovered a botnet leveraging spam campaigns to deliver malware using spoofed sender domains. Unlike typical email spoofing techniques, this campaign exploits misconfigured DNS records to bypass email security mechanisms. This specific botnet employs a worldwide network of compromised MikroTik routers to distribute malicious emails that impersonate legitimate domains. While the primary payload observed in the spam was trojan malware, the botnet likely facilitates various malicious activities beyond malware distribution.

Technical Detail

The investigation began with the detection of a malspam campaign in late November. These emails, posing as freight invoice communications, contained zip files with a malicious payload. The naming convention of the zip files followed a pattern, such as:

● Invoice (2–3-digit number).zip

● Tracking (2–3-digit number).zip

The emails suggested that the threat actor was impersonating a shipping company. After analyzing tens of thousands of spam-tagged emails, Infoblox uncovered that the attached zip files contained obfuscated JavaScript files. These scripts executed PowerShell commands that established outbound connections to a command-and-control (C2) server at 62.133.60[.]137, an IP address linked to Global Connectivity Solutions (AS215540) with a history of suspicious activity and associations with Russian operations.

Further examination of the email headers revealed a complex network of domains and SMTP server IPs. This led to the discovery of a massive botnet comprising approximately 13,000 compromised MikroTik devices. These routers, functioning as part of the botnet, have been weaponized to facilitate various malicious activities on a significant scale. MikroTik routers are known to have been affected by critical vulnerabilities. Although identifying the exact firmware version of these devices was challenging, the impact extended across multiple versions, including some recent releases. One notable remote code execution vulnerability that has been exploited is detailed here:

● https://vulncheck.com/blog/mikrotik-foisted-revisited

A remote buffer overflow exploit requiring authenticated access has been leveraged to compromise MikroTik routers, many of which previously had a default admin account with no password. Attackers have deployed scripts to activate SOCKS proxies on these routers, obscuring the origin of malicious activities and complicating attribution. The botnet, composed of 13,000 compromised routers, acts as a network of TCP redirectors, enabling large-scale operations such as DDoS attacks, phishing campaigns, and data theft. The absence of authentication for these proxies opens them up to exploitation by other threat actors, further increasing the botnet's scale and impact. This extensive network provides both operational anonymity and an avenue for expanding malicious activities while evading traditional security measures.

Misconfigured SPF records

Threat actors exploited misconfigured SPF records in approximately 20,000 domains to bypass email protections like DKIM, SPF, and DMARC. SPF records are DNS TXT entries that validate authorized mail servers for a domain, but misconfigurations allow any server to send emails on behalf of affected domains. Proper SPF records use “-all” to deny unauthorized servers, whereas a misconfigured “+all” permits any server, enabling spoofing. This vulnerability could result from accidental errors or malicious alterations to domain registrar accounts. Ensuring correct SPF configurations is crucial to prevent unauthorized email use and safeguard domain integrity.

To check if a domain has an SPF record and how it is configured, you can examine its DNS TXT records. On Linux or macOS, you can use the dig command combined with grep:

● dig +short txt example.com | grep spf

For Windows, the nslookup command can be paired with PowerShell to achieve the same result:

● nslookup -type=txt example.com | Select-String -Pattern "spf"

In both cases, an example result might be:

● "v=spf1 -all"

This output indicates that the domain example.com does not authorize any servers to send mail on its behalf.
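To make the difference between "-all" and "+all" concrete, here is an added example (not code from the Infoblox report or from this post) that parses an SPF TXT string, reports which result an unlisted server would receive, and evaluates a sending IP against the record's ip4/ip6 terms. All records and IP addresses below are constructed; it makes no DNS lookups, and include/a/mx mechanisms (which need DNS) are deliberately skipped, which is an assumption of this example.

```python
"""Added example (not from the Infoblox report or this post): classify an
SPF record's catch-all policy and evaluate a sending IP against its
ip4/ip6 mechanisms. Records below are constructed; no DNS lookups are made."""
import ipaddress
from typing import List, Optional, Tuple

# Qualifier prefix -> SPF result name (RFC 7208, section 4.6.2).
# A mechanism with no prefix is implicitly "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt: str) -> List[Tuple[str, str, str]]:
    """Split an SPF TXT string into (qualifier, mechanism, argument) terms.
    Modifiers such as redirect= are returned with an empty qualifier."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier, e.g. redirect=_spf.example.net
            name, _, arg = term.partition("=")
            parsed.append(("", name.lower(), arg))
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def catch_all_policy(txt: str) -> str:
    """Result an unlisted server gets: the qualifier on 'all', or 'neutral'
    when the record has no 'all' term at all (the RFC 7208 default)."""
    for qual, mech, _ in parse_spf(txt):
        if mech == "all":
            return QUALIFIERS[qual]
    return "neutral"


def evaluate_ip(txt: str, sender_ip: str) -> str:
    """Evaluate sender_ip against ip4/ip6/all terms in order; first match wins.
    include/a/mx are skipped here because they require DNS (example assumption)."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(txt):
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]
    return "neutral"


def audit(txt_records: List[str]) -> dict:
    """Audit the TXT record set of one domain the way a defender would:
    missing record, duplicate records (a permerror), or a spoofable policy."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"status": "missing", "finding": "no SPF record published"}
    if len(spf) > 1:
        return {"status": "invalid", "finding": "multiple SPF records (permerror)"}
    policy = catch_all_policy(spf[0])
    # "+all" (pass) or a missing/"?all" (neutral) lets any server send as the domain.
    spoofable = policy in ("pass", "neutral")
    return {"status": "spoofable" if spoofable else "ok",
            "policy": policy, "record": spf[0]}


if __name__ == "__main__":
    # Constructed records: a correct one and the misconfiguration the post describes.
    GOOD = "v=spf1 ip4:192.0.2.0/24 -all"
    BAD = "v=spf1 ip4:192.0.2.0/24 +all"
    UNRELATED_SENDER = "198.51.100.7"  # constructed, not the domain's mail server
    for rec in (GOOD, BAD):
        print(rec, "->", audit([rec])["status"],
              "; unrelated sender gets:", evaluate_ip(rec, UNRELATED_SENDER))
```

Running it shows the whole story in two lines: with "-all" the unrelated sender gets "fail", with "+all" it gets "pass", so a receiver honouring SPF (and DMARC built on it) accepts the spoofed message.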


Recommendation

  1. Ensure that all MikroTik routers and similar devices are updated to the latest firmware versions to patch known vulnerabilities. Disable default admin accounts and set strong passwords to avoid unauthorized access.

  2. Implement multi-factor authentication (MFA) on devices and services where possible to add an extra layer of security, especially for administrative access.

  3. Regularly audit and correctly configure DNS records, including SPF, DKIM, and DMARC, to prevent unauthorized email sending. Ensure that SPF records are restrictive (e.g., using "-all" instead of "+all") to prevent domain spoofing.

  4. Use network monitoring tools to detect and block suspicious traffic, such as traffic passing through unusual SOCKS proxies or devices with compromised configurations.

  5. Implement robust email security systems, such as advanced spam filters and threat intelligence, to detect and block malicious emails or phishing attempts.
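Recommendation 4 asks for monitoring of traffic through unexpected SOCKS proxies. The following is an added example (not from the report or this post) of what that monitoring can key on: it decodes the SOCKS4/4a CONNECT request that an abused open proxy relays, and it scans simple flow records for routers accepting connections on the proxy port from outside the management network. The packet bytes, flow lines, router addresses and management subnet are all constructed; the proxy port 1080 is RouterOS's default SOCKS port.

```python
"""Added example (not from the Infoblox report or this post): recognise a
SOCKS4/4a CONNECT request and flag flows that show a router accepting proxy
connections from outside its management network. All inputs are constructed."""
import ipaddress
import struct
from typing import List, Optional, Set

SOCKS4_VERSION = 0x04
SOCKS4_CONNECT = 0x01
ROUTEROS_SOCKS_PORT = "1080"  # default port of the RouterOS SOCKS service


def parse_socks4_request(data: bytes) -> Optional[dict]:
    """Decode VN | CD | DSTPORT(2) | DSTIP(4) | USERID \\0 [ HOSTNAME \\0 ].
    Returns None when the bytes are not a SOCKS4 CONNECT request."""
    if len(data) < 9 or data[0] != SOCKS4_VERSION or data[1] != SOCKS4_CONNECT:
        return None
    port, raw_ip = struct.unpack("!H4s", data[2:8])
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul == -1:
        return None
    userid = rest[:nul].decode("ascii", "replace")
    host = None
    # SOCKS4a: a destination of 0.0.0.x means a hostname follows the user id.
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        tail = rest[nul + 1:]
        end = tail.find(b"\x00")
        if end != -1:
            host = tail[:end].decode("ascii", "replace")
    return {"dst_ip": str(ipaddress.IPv4Address(raw_ip)), "dst_port": port,
            "userid": userid, "host": host}


def flag_socks_flows(flow_lines: List[str], router_ips: Set[str],
                     mgmt_net: str) -> List[str]:
    """Flow lines are 'src_ip dst_ip dst_port' (constructed format). Report a
    router's SOCKS port being reached from any source outside mgmt_net."""
    mgmt = ipaddress.ip_network(mgmt_net)
    hits = []
    for line in flow_lines:
        src, dst, dport = line.split()
        if (dst in router_ips and dport == ROUTEROS_SOCKS_PORT
                and ipaddress.ip_address(src) not in mgmt):
            hits.append(line)
    return hits


# Constructed sample data.
SAMPLE_CONNECT = b"\x04\x01\x00\x19\xcb\x00\x71\x0a\x00"  # CONNECT 203.0.113.10:25
SAMPLE_FLOWS = [
    "198.51.100.7 192.0.2.1 1080",  # external host -> router proxy port: suspicious
    "10.0.0.5 192.0.2.1 1080",      # admin workstation inside mgmt net: expected
    "198.51.100.7 192.0.2.1 443",   # not the proxy port
]

if __name__ == "__main__":
    print(parse_socks4_request(SAMPLE_CONNECT))
    print(flag_socks_flows(SAMPLE_FLOWS, {"192.0.2.1"}, "10.0.0.0/24"))
```

A CONNECT to port 25 through a router's proxy is exactly the shape of the relay traffic this campaign produced, and a router that should never expose SOCKS at all is best handled by disabling the service outright (recommendation 1) rather than by watching for it.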

Conclusion

A malspam campaign involving over 13,000 compromised MikroTik devices and 20,000 spoofed sender domains has been identified. These devices were compromised to act as open SOCKS4 proxies, enabling the botnet to launch various malicious activities, including DDoS attacks, data theft, and phishing campaigns. The use of SOCKS4 proxies complicates detection and mitigation efforts. The attack leveraged misconfigurations in DNS SPF records, bypassing traditional email protections. This emphasizes the need for secure DNS configurations and regular security audits. Proper management of device access is essential to prevent such compromises.


Written by

FPT Metrodata Indonesia