Thousands of Linux routers infected by AVrecon malware to build botnet

News
By Craig Hale
published

Malware is rather good at evading detection, too

malware
(Image credit: Elchinator from Pixabay)

Security researchers at Lumen Black Lotus Labs have uncovered a Linux-based Remote Access Trojan that has been infecting small-office/home-office (SOHO) routers virtually undetected for a period spanning more than two years.

Briefly referenced in May 2021, the trojan which is being referred to as AVrecon has been used to create residential proxy services designed to hide a variety of malicious activity like password spraying, web-traffic proxying, and ad fraud.

With more than 70,000 distinct IP addresses from 20 countries communicating with 15 unique second-stage C2s over a 28-day window, and 41,000 nodes categorized as persistently infected, the scale of this multi-year campaign could be worryingly big.

Routers infected with malware

Analysis of the malware confirms that it is written in C, valued for its portability, and targets ARM-embedded devices.

Read more

> These are the best firewalls around

> Cisco routers are being targeted by custom Russian malware

> If you have an Asus router, you need to patch it now or risk being hacked

AVrecon first checks for other instances of itself on the host machine, and kills existing processes. Failure to do so will see it remove itself from the machine, likely in a bid to evade detection.

Ultimately, Lumen reckons that the malware is designed to used the infected machines to click on various Facebook and Google ads, and to interact with Microsoft Outlook, likely in a larger advertising fraud effort.

The summary concludes that password spraying and/or data exfiltration may, therefore, be a secondary activity.

The goal looks to be the laundering of malicious activity by using the victim’s bandwidth to create a residential proxy service, which is unlikely to attract the same levels of attention as commercially available VPN services.

Because there’s little impact for end users, unlike crypto-mining which is heavy on resources, Black Lotus Labs says: “it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw.”

Practicing good Internet hygiene is paramount to prevention, which in this case includes regularly rebooting routers and applying firmware updates. 

Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!