Pierluigi Paganini
July 14, 2023
Lumen Black Lotus Labs uncovered a long-running hacking campaign targeting SOHO routers with a strain of malware dubbed AVrecon.
The malware was spotted the first time in May 2021, but has been operating under the radar for more than two years.
“Lumen Black Lotus Labs identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed “AVrecon.”” reads the analysis published by Lumen.
Threat actors behind the campaign aimed at building a botnet to use for a range of criminal activities from password spraying to digital advertising fraud.
The AVrecon malware was written in C to ensure portability and designed to target ARM-embedded devices. The experts discovered that the malicious code had been compiled for different architectures.
On infected a router, the malware enumerates the victim’s SOHO router and sends that information back to a C2 server whose address is embedded in the code. Then, the infected system starts to begin interacting with a separate set of servers, the so-called second-stage C2 servers.
Black Lotus Labs states AVrecon is one of the largest botnets targeting small-office/home-office (SOHO) -routers seen in recent history. The researchers identified 41,000 nodes communicating with second-stage C2s within a 28-day window.
“Based on information associated with their x.509 certificates, we assess that some of these second stage C2s have been active since at least October 2021. We took a 28-day snapshot of the second stage servers and found more than 70,000 distinct IP addresses communicating with them.” continues the report. “We then investigated how many machines were persistently infected – meaning they communicated with one of the second stage servers for two or more days within the 28-day window – and we identified 41,000 nodes.”
Upon deploying the AVrecon RAT, the malware checks to see if other instances of the malware are already running on the system, it gathers host-based information, and builds the parameters of the C2 channel.
The malware also checks if other instances of itself already running on the host by searching for existing processes on port 48102 and opening a listener on that port.
Most of the infected routers are in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others.
The threat actors were observed using the infected machines to click on various Facebook and Google ads, and to interact with Microsoft Outlook. The first activity is part of an advertising fraud effort, and the second activity is likely linked to password spraying attacks and/or data exfiltration.
“The manner of attack seems to focus predominantly on stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services.” concludes the report. “This class of cybercrime activity threat may evade detection because it is less likely than a crypto-miner to be noticed by the owner, and it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, AVrecon)
