Monday, March 12, 2018
The first part to understand is the means of infection. What makes this initial attack vector unique is that, according to our research, many victims were attacked through compromised routers made by MikroTik. Routers download and run various DLL files in the normal course of business. Attackers found a way to compromise the devices by adding a malicious DLL to an otherwise legitimate package of other DLLs. The bad DLL was a downloader for various malicious files, which were also stored in the router.