The Stealthy Operation of AVrecon
Since May 2021, a covert Linux malware named AVrecon has been operating under the radar, infecting more than 70,000 Linux-based small office/home office (SOHO) routers. The malware's primary function is to incorporate these routers into a botnet, which is then used to pilfer bandwidth and facilitate a concealed residential proxy service.
Malware's Malicious Activities
This operation enables the malware's handlers to conceal a broad range of malicious activities, including digital advertising fraud and password spraying. Lumen's Black Lotus Labs threat research team discovered that while the AVrecon remote access trojan (RAT) compromised over 70,000 devices, only 40,000 were added to the botnet after gaining persistence.
Evasion and Growth
The malware was first spotted in May 2021, targeting Netgear routers. It managed to evade detection for over two years, gradually ensnaring new bots and growing into one of the largest SOHO router-targeting botnets discovered in recent years.
The Threat Actor's Focus
Black Lotus Labs suggests that the threat actor focused on SOHO devices that users were less likely to patch against common vulnerabilities and exposures (CVEs). The operators maintained a temperate approach, allowing them to operate undetected for more than two years. Due to the stealthy nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth.
Command and Control Servers
Once a router is infected, the malware sends the compromised router's information to an embedded command-and-control (C2) server. The hacked machine is then instructed to establish communication with a separate group of servers, known as second-stage C2 servers. The security researchers found 15 such second-stage control servers, which have been operational since at least October 2021.
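The staging behaviour described above (first a check-in to the embedded C2, then connections to a second-stage server set) is something a defender can look for in egress flow records from the network that SOHO routers sit on. The following script is an added example written for this article and is not Black Lotus Labs' tooling; the C2 addresses, the flow-record format and the sample flows are all constructed placeholders, since the article publishes no indicators. It parses flow lines, flags sources that contact a first-stage address and then reach a second-stage address within a time window, and separately lists every source that touched any known C2 at all, so a second-stage-only contact is still surfaced at lower confidence.

```python
"""Flag AVrecon-style staged C2 beaconing in outbound flow records.

Added example, not code from the article or from Black Lotus Labs.
Indicators, log format and sample flows below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder indicators (documentation-range IPs): in practice these come
# from a threat-intel feed, not from this script.
FIRST_STAGE_C2 = {"198.51.100.10"}
SECOND_STAGE_C2 = {"203.0.113.20", "203.0.113.21"}

# Constructed flow records: "<timestamp> <src> <dst> <dport> <bytes>".
# 192.168.1.1 shows the full staged pattern; 192.168.1.2 only touches a
# second-stage server; 192.168.1.50 is benign traffic.
SAMPLE_FLOWS = """\
2023-07-10T08:00:01Z 192.168.1.1 198.51.100.10 443 612
2023-07-10T08:00:09Z 192.168.1.1 203.0.113.20 8080 1400
2023-07-10T08:05:12Z 192.168.1.50 93.184.216.34 443 58000
2023-07-10T08:15:30Z 192.168.1.1 203.0.113.21 8080 2200
2023-07-10T09:30:00Z 192.168.1.2 203.0.113.20 8080 900
"""


def parse_flows(text):
    """Parse the constructed flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def find_staged_beacons(flows, window=timedelta(hours=1)):
    """Return sources that hit a first-stage C2 and then, within `window`,
    one or more second-stage C2 servers. This ordering is the high-confidence
    signal: the implant reports in first, then is redirected."""
    first_contact = {}          # src -> time of first first-stage contact
    second = defaultdict(list)  # src -> second-stage flows after that contact
    for f in sorted(flows, key=lambda f: f["ts"]):
        src = f["src"]
        if f["dst"] in FIRST_STAGE_C2:
            first_contact.setdefault(src, f["ts"])
        elif (f["dst"] in SECOND_STAGE_C2 and src in first_contact
              and f["ts"] - first_contact[src] <= window):
            second[src].append(f)
    return {
        src: {
            "first_stage_at": first_contact[src],
            "second_stage_servers": sorted({f["dst"] for f in fl}),
            "second_stage_flows": len(fl),
        }
        for src, fl in second.items()
    }


def find_c2_contacts(flows):
    """Lower-confidence list: every source that reached any known C2 address,
    regardless of ordering. Catches hosts whose first-stage check-in fell
    outside the captured window."""
    known = FIRST_STAGE_C2 | SECOND_STAGE_C2
    return {f["src"] for f in flows if f["dst"] in known}


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for src, hit in find_staged_beacons(parsed).items():
        print(f"STAGED  {src}: first-stage at {hit['first_stage_at'].isoformat()}, "
              f"{hit['second_stage_flows']} flow(s) to {hit['second_stage_servers']}")
    for src in sorted(find_c2_contacts(parsed)):
        print(f"CONTACT {src}: reached a known C2 address")
```

The one-hour window is a tuning choice; the article states only that the redirect to second-stage servers follows the initial check-in, not how quickly. Because the bots are the routers themselves, the `src` field in real data will be the router's own WAN or LAN address rather than a client behind it, which is why this check belongs on flow data collected upstream of the router (at the ISP or an enterprise edge) rather than on the router's own logs.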
Addressing the Threat
Lumen's Black Lotus security team addressed the AVrecon threat by null-routing the botnet's command-and-control (C2) server across their backbone network. This action effectively severed the connection between the malicious botnet and its central control server, significantly impeding its capacity to execute harmful activities.
The Severity of the Threat
The severity of this threat stems from the fact that SOHO routers typically reside beyond the confines of the conventional security perimeter, greatly diminishing defenders' ability to detect malicious activities.
Similar Tactics by Other Groups
The Volt Typhoon Chinese cyberespionage group used a similar tactic to build a covert proxy network out of hacked SOHO network equipment to hide their malicious activity within legitimate network traffic. This covert proxy network was used by the Chinese state hackers to target critical infrastructure organizations across the United States since at least mid-2021.
A Warning for Defenders
Michelle Lee, threat intelligence director of Lumen Black Lotus Labs, warns that defenders should be aware that such malicious activity can originate from what appears to be a residential IP address in a country other than the actual origin, and traffic from compromised IP addresses will bypass firewall rules such as geofencing and ASN-based blocking.