The Stealthy Operation of AVrecon
Since at least May 2021, a Linux malware strain named AVrecon has been operating under the radar, infecting more than 70,000 Linux-based small office/home office (SOHO) routers. Its primary function is to enroll the routers in a botnet that steals their bandwidth and runs a hidden residential proxy service.
Malware's Malicious Activities
The proxy service lets the malware's operators hide a broad range of malicious activity behind ordinary-looking residential addresses, including digital advertising fraud and password spraying. Lumen's Black Lotus Labs threat research team found that while the AVrecon remote access trojan (RAT) compromised over 70,000 devices, only about 40,000 of them, the ones on which the malware gained persistence, were actually added to the botnet.
Evasion and Growth
The malware was first spotted in May 2021, targeting Netgear routers. It managed to evade detection for over two years, gradually ensnaring new bots and growing into one of the largest SOHO router-targeting botnets discovered in recent years.
The Threat Actor's Focus
Black Lotus Labs suggests that the threat actor focused on SOHO devices whose owners were unlikely to patch known vulnerabilities (CVEs). The operators took a restrained approach, growing the botnet slowly rather than in bursts, which let them operate undetected for more than two years. Because the malware is so stealthy, owners of infected routers rarely notice any service disruption or loss of bandwidth.
Command and Control Servers
Once a router is infected, the malware sends information about the compromised device to a command-and-control (C2) server whose address is embedded in the binary. The bot is then instructed to contact a separate group of servers, the second-stage C2 servers, from which it receives its tasking. The researchers identified 15 such second-stage control servers, operational since at least October 2021.
Addressing the Threat
Black Lotus Labs responded by null-routing the botnet's C2 server addresses across Lumen's backbone network, so that traffic to those addresses transiting Lumen is dropped. This severed the connection between the bots and their central control infrastructure and significantly impeded the botnet's ability to carry out its activities. Note that null-routing blocks traffic to the C2 addresses; it does not remove the implant from routers that are already infected.
The Severity of the Threat
The severity of this threat stems from the fact that SOHO routers typically sit outside the conventional security perimeter: they are rarely monitored by an organization's security tooling, which greatly diminishes defenders' ability to detect malicious activity passing through them.
Similar Tactics by Other Groups
The Volt Typhoon Chinese cyberespionage group used a similar tactic to build a covert proxy network out of hacked SOHO network equipment to hide their malicious activity within legitimate network traffic. This covert proxy network was used by the Chinese state hackers to target critical infrastructure organizations across the United States since at least mid-2021.
A Warning for Defenders
Michelle Lee, threat intelligence director of Lumen Black Lotus Labs, warns defenders that such malicious activity can originate from what appears to be a residential IP address in a country other than its actual origin, and that traffic from compromised IP addresses will bypass firewall rules such as geofencing and ASN-based blocking.
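The following is an added illustration of that warning and of the password spraying mentioned earlier; it is not code from Lumen's report or from this article. It models a geofence plus ASN-blocklist rule of the kind Lee describes, feeds it a constructed login log in which every attempt is relayed through a residential exit in the allowed country, and then runs a behavioural password-spray check that ignores the source address entirely. All IP addresses, ASNs, account names and timestamps are constructed for the example.

```python
"""Added example, not from the Lumen report or the article: a geofence/ASN
rule passes traffic relayed through compromised SOHO routers, while a
source-agnostic password-spray check still catches the pattern.
All IPs (documentation ranges), ASNs, users and timestamps are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # seconds since epoch (constructed)
    src_ip: str      # apparent source: a residential router acting as proxy exit
    country: str     # GeoIP country of src_ip
    asn: int         # GeoIP ASN of src_ip (a consumer ISP, not a hosting provider)
    user: str
    success: bool


# Constructed log: one failed login per account, each relayed through a
# different "residential" exit, all geolocating to the allowed country.
SAMPLE_LOG = [
    AuthEvent(1000, "198.51.100.11", "US", 64496, "alice", False),
    AuthEvent(1004, "198.51.100.57", "US", 64496, "bob", False),
    AuthEvent(1009, "203.0.113.23", "US", 64497, "carol", False),
    AuthEvent(1013, "203.0.113.88", "US", 64497, "dave", False),
    AuthEvent(1020, "198.51.100.130", "US", 64498, "erin", False),
    AuthEvent(1027, "203.0.113.200", "US", 64498, "frank", False),
    AuthEvent(1031, "198.51.100.9", "US", 64496, "grace", True),  # spray hit a weak password
    AuthEvent(5000, "192.0.2.5", "US", 64496, "alice", True),     # normal login, much later
]

ALLOWED_COUNTRIES = {"US"}
BLOCKED_ASNS = {64500}   # a hosting/VPN ASN the team has already blocked (constructed)


def perimeter_allows(ev: AuthEvent, allowed=ALLOWED_COUNTRIES, blocked=BLOCKED_ASNS) -> bool:
    """Geofence plus ASN blocklist. The decision depends only on the apparent
    source, so a residential exit in the allowed country passes."""
    return ev.country in allowed and ev.asn not in blocked


def detect_spray(events, window=300, min_users=5, max_fail_per_user=2):
    """Flag fixed windows that look like password spraying: many distinct
    accounts, each receiving only a few failures. Source IP is not consulted,
    so proxying through residential addresses does not help the attacker."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.ts // window) * window].append(e)

    findings = []
    for start, evs in sorted(buckets.items()):
        fails = Counter(e.user for e in evs if not e.success)
        if fails and len(fails) >= min_users and max(fails.values()) <= max_fail_per_user:
            findings.append({
                "window_start": start,
                "sprayed_users": sorted(fails),
                # how many apparent sources took part: high for a proxy network
                "distinct_sources": len({e.src_ip for e in evs}),
                # successes in the same window are candidate compromised accounts
                "successes_in_window": sorted({e.user for e in evs if e.success}),
            })
    return findings


if __name__ == "__main__":
    passed = sum(perimeter_allows(e) for e in SAMPLE_LOG)
    print(f"perimeter rule allowed {passed}/{len(SAMPLE_LOG)} events")
    for f in detect_spray(SAMPLE_LOG):
        print("spray window", f["window_start"], "users", f["sprayed_users"],
              "sources", f["distinct_sources"], "successes", f["successes_in_window"])
```

The perimeter rule allows every event in the sample, because each apparent source is a consumer ISP address in the allowed country; the spray check flags the window anyway and also surfaces the one account that authenticated successfully during it, which is the lead an analyst would want to chase first.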