
MikroTik Cryptojacking

Posted: August 6, 2018

The MikroTik Cryptojacking is a Trojan that uses various means of hijacking the Web traffic passing through MikroTik-brand routers and redirecting it towards other destinations, such as a cryptocurrency miner. While this campaign currently doesn't attack the PCs behind the router directly, in theory a remote attacker could force any browser using the compromised router to load a compromised site or script of their choosing. MikroTik customers should update their routers to the latest version, and contact the company for further advice on removing the MikroTik Cryptojacking and its related symptoms.

A MikroTik Security Breach that's Anything but 'Micro'

Professional researchers in the cyber-security industry are confirming a series of attacks that hijack MikroTik-brand routers, particularly but not exclusively those of Brazilian organizations. Because the threat actors compromise the router relaying Web traffic, instead of individual PCs, they gain access to hundreds or even thousands of machines behind the vulnerable, carrier-class hardware without requiring any security mistakes from the individual users. Victims can best identify the MikroTik Cryptojacking campaign by its symptoms, which include tampering with which websites load after clicking a Web link.

While the MikroTik Cryptojacking's attacks could serve many purposes, malware experts only see them used for Coinhive mining, which generates cryptocurrency for the threat actors by consuming the victim PC's hardware resources. The MikroTik Cryptojacking accomplishes this with two separate methods:

  • By replacing the router's default error page, the MikroTik Cryptojacking's admin ensures that any misclick or mistyped domain that results in an error will, instead, load the JavaScript-based mining script.
  • The MikroTik Cryptojacking also includes an additional component that malware experts have yet to acquire samples of for a full analysis. This file may use other URL-loading methods that don't depend on Web errors, such as clicking on links or navigating to prominent domains, like Google.

Finally, the MikroTik Cryptojacking also has a Scheduled Task-based system for self-updating its capabilities (or removing them, to hinder detection and analysis), and may include other, backdoor-oriented attack features for future infections.

Ticking the MikroTik Cryptojacking Off the List of Your Web-Browsing Problems

The MikroTik Cryptojacking campaign, which targets traffic-relaying network devices instead of users, doesn't spread via spam e-mails or other social engineering tactics. For now, its unknown authors are using an out-of-date exploit to compromise routers that haven't received MikroTik's April-dated security patch. Fully patched routers shouldn't be at risk from the old infection methods.

The MikroTik Cryptojacking's payload doesn't require infecting individual PCs with any additional threats, although the arbitrary loading of third-party-determined links could instigate a drive-by-download attack. Users should stay alert for unusual browser activity related to the Coinhive domain. They can protect their PCs from these symptoms, and other unsafe Web content, by using anti-malware products with URL-blacklisting technology that prevents the mining script from launching. Resetting your MikroTik router to factory settings before patching it also may be necessary.
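The error-page replacement described above and the advice to watch for Coinhive-related activity suggest a simple defender-side check: inspect an HTML response served through the router for external or inline references to the miner. The following is an added example, not code from the original article or from MikroTik; the sample error page is constructed, and the blocklisted domain and inline markers are assumptions (coinhive.com was the real Coinhive host, and the markers match its public loader API).

```python
# Added example, not code from the original article. SAMPLE_ERROR_PAGE is
# constructed; MINER_DOMAINS and INLINE_MARKERS are assumptions (coinhive.com
# was the real Coinhive host; the markers match its public loader API).
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_DOMAINS = {"coinhive.com"}
INLINE_MARKERS = ("CoinHive.Anonymous", "coinhive.min.js")


class ScriptCollector(HTMLParser):
    # Collects external script/iframe sources and inline script bodies.
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.sources.append(src)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_injected_miners(html):
    """Return (reason, evidence) pairs for every miner reference in the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        # Accept absolute, protocol-relative and scheme-less sources alike.
        host = (urlparse(src if "//" in src else "//" + src).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in MINER_DOMAINS):
            findings.append(("external miner script", src))
    for body in parser.inline:
        if any(marker in body for marker in INLINE_MARKERS):
            findings.append(("inline miner loader", body.strip()))
    return findings


# Constructed sample: a 404 page rewritten the way the campaign's error page was.
SAMPLE_ERROR_PAGE = """<html><head><title>404 Not Found</title>
<script src="//coinhive.com/lib/coinhive.min.js"></script></head><body>
<script>var m = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER'); m.start();</script>
</body></html>"""
```

Run `find_injected_miners()` over error responses captured at a proxy or in a browser's saved page; a clean page returns an empty list, while a rewritten one reports both the external loader and the inline start call.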

The MikroTik Cryptojacking is a worrying shift in the harmful software industry: instead of attacking a single user or even a specific company's network, it intercepts traffic in either direction, as long as that traffic passes through the infected router. Network administrators and other employees with router maintenance responsibilities will need to take care that this trend doesn't catch on, to the detriment of the public at large.
