The attack relies on a vulnerability that MikroTik disclosed and patched in April 2018, one which, in the company's words, “allowed a special tool to connect to the [administration] port, and request the system user database file”.
This user database file contains usernames and passwords in plaintext.
In this case, the attackers used the stolen credentials to log into the router and replace its error.html file, the page the router's built-in web proxy serves to clients whenever the proxy is enabled and an HTTP request fails with an error of some kind.
The error.html file the attackers loaded onto compromised routers included a CoinHive cryptocurrency mining script. If you are on a network served by a hacked MikroTik router and you hit a web browsing error, your browser will end up mining cryptocurrency for the attackers.
Sophos said the attack is only effective when browsing HTTP sites, as the MikroTik proxy doesn’t support HTTPS.
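The mechanism above gives a defender a concrete thing to look for: a proxy error page that loads a mining library or instantiates a miner. The following is an added example, not code from the article, from MikroTik or from Sophos. It parses an HTML error page, collects external script sources and inline script bodies, and flags two indicators of the CoinHive library as it was publicly distributed: scripts loaded from the coinhive.com host and use of the `CoinHive.Anonymous` constructor. Both indicator values and the two sample error pages are assumptions constructed for the example; the article names neither.

```python
"""Flag signs of an injected CoinHive miner in an HTTP error page.

Added example (not from the article, MikroTik or Sophos). The indicator
values below are assumptions based on how the CoinHive library was
publicly served, not values taken from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_HOSTS = {"coinhive.com"}            # assumed indicator: library host
MINER_MARKERS = ("CoinHive.Anonymous",)   # assumed indicator: miner constructor


class _ScriptCollector(HTMLParser):
    """Gather <script src=...> URLs and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []        # external script URLs, in document order
        self.inline = []      # inline script bodies, in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":                      # HTMLParser lowercases tags
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive as CDATA; accumulate text for the current block.
        if self._in_script:
            self.inline[-1] += data


def _host_of(src):
    """Return the hostname of an absolute or protocol-relative script URL."""
    if "//" not in src:
        return ""                        # relative path: served by the router itself
    return (urlparse(src).hostname or "").lower()


def find_miner_indicators(html):
    """Return a list of (kind, value) hits found in the page, empty if clean."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for src in parser.srcs:
        host = _host_of(src)
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            hits.append(("script-src", src))
    for body in parser.inline:
        for marker in MINER_MARKERS:
            if marker in body:
                hits.append(("inline-script", marker))
    return hits


# Constructed sample: what a tampered proxy error page might look like.
SAMPLE_TAMPERED_PAGE = """<html><head><title>ERROR: Forbidden</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLE-SITE-KEY'); miner.start();</script>
</head><body><h1>ERROR: Forbidden</h1></body></html>"""

# Constructed sample: an error page with no injected script.
SAMPLE_CLEAN_PAGE = """<html><head><title>ERROR: Forbidden</title></head>
<body><h1>ERROR: Forbidden</h1><p>The proxy could not retrieve the page.</p></body></html>"""


if __name__ == "__main__":
    for name, page in (("tampered", SAMPLE_TAMPERED_PAGE), ("clean", SAMPLE_CLEAN_PAGE)):
        hits = find_miner_indicators(page)
        print(f"{name}: {'MINER INDICATORS ' + str(hits) if hits else 'no indicators'}")
```

In practice the input would be the body of an error response captured from the proxy (for instance by requesting a deliberately unreachable HTTP URL through it), and a non-empty result is a prompt to check the router's stored error.html and its user credentials. Because the proxy only intercepts plaintext HTTP, the check only needs to be run against HTTP, not HTTPS, requests.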