Update:
If you want to check if you are infected then you can use the Loki scanner:
GitHub page Neo23x0: https://github.com/Neo23x0/
Download Loki: https://github.com/Neo23x0/Loki/releases
Information from Mikrotik: https://forum.mikrotik.com/viewtopic.php?f=2&t=131748&p=647104#p647661
Before doing that please read the complete thread!
I just read an article on a Dutch site about how Mikrotik routers are compromised to spy on users. This works with the help of Winbox versions lower than 3.12 and a modified DLL file, named ipv4.dll, that is loaded from the router when Winbox starts.
Source:
https://www.security.nl/posting/553185/Spionageaanval+via+gehackte+MikroTik-routers+ontdekt
Kaspersky PDF report with details:
https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf
Update:
After reading more of the report: Mikrotik states that RouterOS versions up to 6.38.4 were vulnerable to injecting unwanted software into a PC.
Translation from Dutch to English:
Anti-virus company Kaspersky Lab has detected a spy attack through hacked MikroTik routers that has made victims mainly in Africa and the Middle East. According to the virus fighter, it is an attack that is comparable in complexity to two previously discovered espionage attacks known as Regin and Sauron.
Slingshot, as the group behind the attack is called, uses compromised MikroTik routers to infect victims. MikroTik offers customers a program called WinBox to manage routers. This program, which is on the router, downloads a number of dll files from the router’s file system and loads them directly into the computer’s memory.
To infect administrators of MikroTik routers, the attackers have placed a malicious version of the dll file named ipv4.dll on the compromised routers. After being added, this dll file is downloaded and executed by WinBox. According to the researchers, this DLL is a Trojan downloader that installs additional malware on the system. How the attackers managed to hack the MikroTik routers and provide the malicious dll file is unknown.
What the researchers do know is that the dll file downloads various modules, including a kernel module and a user-mode module. These modules are designed to collect and steal data and keep the system compromised. To run code in kernel mode, Slingshot loads signed vulnerable drivers. Through the vulnerabilities in these drivers, the malware executes its own code. Because the code is executed with kernel rights, it has full control over the system and can hide itself from anti-virus software.
Cyber espionage
The goal of Slingshot is cyber espionage. The research shows that the malware collects screenshots, keyboard data, network data, passwords, USB connections, desktop activity, the contents of the clipboard and other data and sends them back to the attackers. What is remarkable about the malware is that it disables the software for defragmenting the hard drive. Slingshot uses its own encrypted file system that can be in an unused part of the hard drive. When defragmenting the hard disk, data can be written to this part, which can damage the virtual file system.
According to Kaspersky Lab, Slingshot has been active since 2012 and is still operational. The anti-virus company has seen about 100 victims in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Most victims are individuals rather than organizations, but various government organizations and institutions are also affected by the malware. Most victims were observed in Kenya and Yemen. MikroTik told Kaspersky Lab in a comment that the latest version of WinBox no longer downloads the ipv4.dll file to the computer, which closes this attack vector. In this report (pdf), Kaspersky Lab provides information and hashes of files and domains that the malware uses.