A botnet consisting of 13,000 MikroTik devices has been discovered. It exploits misconfigured DNS records to bypass email protections and deliver malware, spoofing approximately 20,000 domains.
According to Infoblox specialists, the attackers take advantage of incorrectly configured DNS SPF (Sender Policy Framework) records, the mechanism that specifies which servers are authorized to send email on behalf of a domain.
The first malicious mailings were noticed back in late November 2024. Some malicious emails were disguised as messages from the DHL Express shipping company, containing fake invoices and ZIP archives that hid malware.
For example, the archive contained JavaScript that assembled and launched a PowerShell script. This script connected to the attackers' command and control server.
"After analyzing the spam email headers, we found many domains and IP addresses of SMTP servers. That's when it became clear that we had uncovered a huge network of 13,000 infected MikroTik devices that were part of a large botnet," Infoblox explains.
Experts found that SPF DNS records for about 20,000 domains were configured with the +all option, which allowed any server to send emails on their behalf.
"This effectively renders the SPF record useless, since such a setting opens the way to spoofing and mass mailing of unauthorized emails," the experts write, noting that it is safer to use the -all option, which allows sending only from specific servers.
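To show concretely why a `+all` record is useless, here is an added Python example (it is not Infoblox's code or part of the original report) that reads the qualifier on a record's `all` mechanism and evaluates a sender IP against it; the domains and addresses are constructed samples, and `include`/`a`/`mx` mechanisms, which need live DNS, are deliberately not resolved.

```python
import ipaddress
import re

# Constructed sample records (made-up domains). A real audit would fetch each
# domain's TXT records and feed every "v=spf1 ..." string into these functions.
SAMPLE_SPF = {
    "weak.example": "v=spf1 include:_spf.example.net +all",
    "strict.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
    "noall.example": "v=spf1 ip4:198.51.100.10",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def all_qualifier(record):
    """Return the qualifier on the 'all' term ('+', '-', '~', '?'), or None if
    the record has no 'all' term. Per RFC 7208 an omitted qualifier means '+'."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None

def evaluate_ip(record, ip):
    """Minimal SPF evaluation: only ip4/ip6 and 'all' are handled. Mechanisms
    that require DNS lookups (include, a, mx) are skipped in this offline demo."""
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        q = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[q]            # +all matches every sender
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech.split(":", 1)[1], strict=False):
                return QUALIFIERS[q]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default

def audit(records):
    """Flag records whose 'all' qualifier lets arbitrary hosts send as the domain."""
    findings = {}
    for domain, rec in records.items():
        q = all_qualifier(rec)
        if q == "+":
            findings[domain] = "CRITICAL: +all lets any server send as this domain"
        elif q is None:
            findings[domain] = "WARN: no 'all' term; unlisted senders get neutral"
        elif q == "~":
            findings[domain] = "WARN: ~all is softfail only; prefer -all"
        else:
            findings[domain] = "OK: -all"
    return findings
```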

The exact method of infecting the devices is still unclear, but experts emphasized that the botnet includes devices with different firmware versions, including the latest ones.
The botnet uses the infected devices as SOCKS4 proxies to conduct DDoS attacks, send phishing emails, exfiltrate data, and mask malicious traffic.
“Although the botnet includes only 13 thousand devices, using them as SOCKS proxies allows tens and even hundreds of thousands of compromised machines to use them to access the network, which significantly increases the potential scale of this botnet’s operations,” Infoblox warns.