Lumen Black Lotus Labs identified AVrecon malware, which infects small office/home office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT).
It has infected more than 70,000 devices and maintains a botnet of roughly 40,000 nodes spanning 20 countries. The malware had been operating undetected for more than two years; it was first spotted in May 2021.
Most infections are in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa. Because the malware keeps a low profile, owners of infected devices rarely notice any service disruption or loss of bandwidth. AVrecon is written in C, which makes it easy to port to the different CPU architectures found in SOHO routers.
In the latest investigation, Black Lotus Labs discovered that it is one of the largest botnets targeting SOHO routers. AVrecon has been used to create residential proxy services designed to hide various malicious activities like password spraying, web-traffic proxying, and ad fraud.
Once a router is infected, the malware enumerates the device and exfiltrates that information to a command-and-control (C2) server whose address is embedded in the binary. The compromised router is then instructed to connect to a separate server, the secondary C2, and await further commands. Security researchers said fifteen such unique secondary C2 servers have been active since at least October 2021.
It also checks whether another instance of the malware is already running on the host: it looks for an existing process bound to TCP port 48102, terminates any process found on that port, and then opens its own listener there, so the port doubles as a single-instance guard.
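Because that port-based guard leaves a listener open, a defender can turn it into a host check. The following script is an added example for this article (it is not code from Black Lotus Labs, from the malware, or from the article's author); it parses the Linux `/proc/net/tcp` table format, reports any socket in LISTEN state on port 48102 (the port reported above), and, on a live host, makes a best-effort attempt to map the socket's inode to the owning PID. The `/proc` layout and the constructed sample table are the only assumptions.

```python
"""Look for a TCP listener on port 48102, the port AVrecon is reported to use as
its single-instance guard, by parsing /proc/net/tcp-format tables.

Added example for this article, not code from Black Lotus Labs or the malware.
Assumptions: a Linux host exposing /proc/net/tcp (and /proc/net/tcp6); when
those files are absent the constructed sample table below is used instead.
"""
import os
import socket
import struct

AVRECON_PORT = 48102   # port the article reports the malware binds
TCP_LISTEN = 0x0A      # kernel socket-state code for LISTEN in /proc/net/tcp


def _decode_ipv4(hex_addr: str) -> str:
    # /proc/net/tcp stores IPv4 addresses as 8 hex digits in host (little-endian) order
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_proc_net_tcp(text: str):
    """Return (local_ip, local_port, state, inode) tuples for every socket row.

    Header lines (and anything else without an addr:port in column 1) are skipped,
    so several tables may be concatenated and parsed in one call.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or ":" not in fields[1]:
            continue
        local_hex_ip, local_hex_port = fields[1].split(":")
        state = int(fields[3], 16)
        inode = int(fields[9])
        if len(local_hex_ip) == 8:
            ip = _decode_ipv4(local_hex_ip)
        else:
            ip = local_hex_ip  # tcp6 rows: left as the raw hex form; only the port matters here
        rows.append((ip, int(local_hex_port, 16), state, inode))
    return rows


def find_listeners(text: str, port: int = AVRECON_PORT):
    """Return only the rows that are LISTEN sockets bound to `port`."""
    return [r for r in parse_proc_net_tcp(text) if r[2] == TCP_LISTEN and r[1] == port]


def pid_for_inode(inode: int):
    """Best-effort: map a socket inode to the PID holding it by walking /proc/*/fd.

    Needs root to see other users' file descriptors; returns None when not found.
    """
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue
    return None


# Constructed sample of a /proc/net/tcp table (not captured from a real infection):
# an sshd listener on 22, a listener on 48102 (0xBBE6), and an established
# connection on 48102 that must NOT be reported because it is not in LISTEN state.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:BBE6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:BBE6 0100007F:A1B2 01 00000000:00000000 00:00000000 00000000     0        0 67891 1 0000000000000000 20 4 30 10 -1
"""


if __name__ == "__main__":
    tables = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as f:
                tables.append(f.read())
    live = bool(tables)
    text = "\n".join(tables) if live else SAMPLE_PROC_NET_TCP
    hits = find_listeners(text)
    if not hits:
        print(f"no LISTEN socket on port {AVRECON_PORT}")
    for ip, port, _state, inode in hits:
        owner = pid_for_inode(inode) if live else None
        print(f"LISTEN on {ip}:{port} inode={inode} pid={owner}")
```

Most SOHO routers ship without Python, so in practice copy the table off the device (`cat /proc/net/tcp` over the router's shell) and run the parser against the saved file. Treat a hit as a lead, not proof: the check only sees the listener, another program could legitimately use the port, and a future build of the malware could bind elsewhere.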
Tiered C2 infrastructure of this kind is common among well-known botnets such as Emotet and QakBot. Ultimately, the malware uses the infected routers to click on Facebook and Google ads and to interact with Microsoft Outlook, most likely as part of a larger advertising-fraud effort or for data exfiltration.
The campaign's goal appears to be laundering malicious activity through a residential proxy service built on the victims' stolen bandwidth, without affecting end users and without attracting the level of attention that commercially available VPN services draw.
Reasons the AVrecon campaign succeeded:
- The targeted routers cannot run standard endpoint detection and response (EDR) agents, so infections go unobserved.
- Attackers may deliberately focus on SOHO devices, whose owners are less likely to patch known common vulnerabilities and exposures (CVEs).
CyberShelter provides cybersecurity products and specialist services that protect individuals and organizations against cyber threats.