A stealthy Linux malware called AVrecon has been infecting over 70,000 small office/home office (SOHO) routers, creating a botnet primarily aimed at stealing bandwidth and operating as a hidden residential proxy service.

This malicious activity enables various criminal actions, including digital advertising fraud and password spraying. Despite its large scale, AVrecon has managed to evade detection since May 2021, making it one of the most significant botnets targeting SOHO routers to date.

AVRecon is a Pesky Malware Strain

(Photo: Michael Geiger from Unsplash)
Lumen Black Lotus Labs has exposed how AVrecon infects devices connected to SOHO routers.

AVrecon, identified as a remote access trojan (RAT), successfully compromised over 70,000 Linux-based SOHO routers. However, the malware managed to bypass security detection for more than two years. At that time, it managed to infect only 40,000 devices into the botnet.

According to The Hacker News, the threat actors behind AVrecon likely focused on exploiting vulnerabilities in SOHO devices that users were less likely to patch against common vulnerabilities and exposures (CVEs). This approach allowed the botnet to operate stealthily without causing noticeable disruptions or bandwidth loss for infected device owners.

Command-and-Control Structure

When a device starts to acquire malware, the next thing that AVrecon does is target the information from the compromised router by transmitting the data as C2 (command-and-control) server.

The malware then instructs the compromised device to establish communication with a separate group of servers known as second-stage C2 servers. Researchers have identified 15 such second-stage control servers that have been active since at least October 2021.

Related Article: Sophos: Rise in Fleeceware Seen on Google Play, Apple App Store-Mobile Malware Hitting on AI?

Black Lotus Creates Countermeasures

In response to the AVrecon threat, Lumen's Black Lotus security team null-routed the botnet's C2 server across their network backbone, effectively severing the connection between the botnet and its central control server.

This action significantly hindered the botnet's ability to carry out harmful activities. The compromised SOHO routers present a significant threat because they typically exist outside the conventional security perimeter, making it challenging for defenders to detect malicious activities.

Avoiding the SOHO Router-Targeting Botnet

Government agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), have emphasized the importance of securing internet-exposed networking equipment, including SOHO routers.

The compromise of such devices enables threat actors to incorporate them into their attack infrastructure and use them as a launching point for further infiltration into internal networks, per Bleeping Computer.

"Defenders should be aware that such malicious activity can originate from what appears to be a residential IP address in a country other than the actual origin, and traffic from compromised IP addresses will bypass firewall rules such as geofencing and ASN-based blocking," Michelle Lee, threat intelligence director of Lumen Black Lotus Labs said.

The use of covert proxy networks built from compromised SOHO routers has been observed in other cyberespionage campaigns, such as the activities of the Chinese Volt Typhoon group targeting critical infrastructure organizations in the United States.

Read Also: Top 5 Best Malware Analysis Tools in 2023