New AVrecon botnet remained under the radar for two years while targeting SOHO Routers

A new malware dubbed AVrecon targets small office/home office (SOHO) routers, it infected over 70,000 devices from 20 countries.

Lumen Black Lotus Labs uncovered a long-running hacking campaign targeting SOHO routers with a strain of malware dubbed AVrecon.

The malware was spotted the first time in May 2021, but has been operating under the radar for more than two years.

“Lumen Black Lotus Labs identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed “AVrecon.”” reads the analysis published by Lumen.

Threat actors behind the campaign aimed at building a botnet to use for a range of criminal activities from password spraying to digital advertising fraud.

The AVrecon malware was written in C to ensure portability and designed to target ARM-embedded devices. The experts discovered that the malicious code had been compiled for different architectures.

On infected a router, the malware enumerates the victim’s SOHO router and sends that information back to a C2 server whose address is embedded in the code. Then, the infected system starts to begin interacting with a separate set of servers, the so-called second-stage C2 servers. 

Black Lotus Labs states AVrecon is one of the largest botnets targeting small-office/home-office (SOHO) -routers seen in recent history. The researchers identified 41,000 nodes communicating with second-stage C2s within a 28-day window.

“Based on information associated with their x.509 certificates, we assess that some of these second stage C2s have been active since at least October 2021. We took a 28-day snapshot of the second stage servers and found more than 70,000 distinct IP addresses communicating with them.” continues the report. “We then investigated how many machines were persistently infected – meaning they communicated with one of the second stage servers for two or more days within the 28-day window – and we identified 41,000 nodes.”

Upon deploying the AVrecon RAT, the malware checks to see if other instances of the malware are already running on the system, it gathers host-based information, and builds the parameters of the C2 channel.

The malware also checks if other instances of itself already running on the host by searching for existing processes on port 48102 and opening a listener on that port.

Most of the infected routers are in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others.

The threat actors were observed using the infected machines to click on various Facebook and Google ads, and to interact with Microsoft Outlook. The first activity is part of an advertising fraud effort, and the second activity is likely linked to password spraying attacks and/or data exfiltration. 

“The manner of attack seems to focus predominantly on stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services.” concludes the report. “This class of cybercrime activity threat may evade detection because it is less likely than a crypto-miner to be noticed by the owner, and it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AVrecon)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. Court rules against NSO Group in WhatsApp spyware Lawsuit

A U.S. court ruled in favor of WhatsApp against NSO Group, holding the spyware vendor…

60 minutes ago

Lazarus APT targeted employees at an unnamed nuclear-related organization

North Korea-linked Lazarus Group targeted employees of an unnamed nuclear-related organization in January 2024. Kaspersky…

7 hours ago

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 25

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

1 day ago

Security Affairs newsletter Round 503 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

US charged Dual Russian and Israeli National as LockBit Ransomware developer

US authorities charged a dual Russian and Israeli national for being a developer of the…

1 day ago

BadBox rapidly grows, 190,000 Android devices infected

Experts uncovered a botnet of 190,000 Android devices infected by BadBox bot, primarily Yandex smart…

2 days ago

This website uses cookies.