A new malware strain has been discovered surreptitiously targeting small/home office (SOHO) routers for over two years, infiltrating over 70,000 devices and creating a botnet of 40,000 nodes spanning 20 countries.
Lumen Black Lotus Labs dubbed the malware AVreconmaking it the third pressure to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year.
“This makes AVrecon one of the largest SOHO router targeting botnets ever,” the company stated said. “The aim of this campaign appears to be to create a covert network that silently enables a variety of criminal activities ranging from password leaks to digital ad fraud.”
Most of the infections were in the UK and US, followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia and South Africa, among others.
AVrecon is first highlighted by Kaspersky senior security researcher Ye (Seth) Jin in May 2021, indicating that the malware has managed to evade detection until recently.
In the attack chain detailed by Lumen, a successful infection is followed by computing the victim’s SOHO router and extracting that information back to an embedded command-and-control (C2) server.
It also checks if other malware is already running on the host by looking for processes that are on port 48102 and opening a listener on that port. The process bound to that port is terminated.
The next stage involves the compromised system establishing contact with a separate server, called the secondary C2 server, to await further commands. Lumen says it has identified 15 unique servers that have been active since at least October 2021.
It should be noted that a tiered C2 infrastructure is prevalent among such well-known botnets Emotion and QakBot.
Protecting Against Insider Threats: SaaS Master Security Posture Management
Worried about insider threats? We are here to help you! Join this webinar to explore practical strategies and secrets to proactive security with SaaS Security Posture Management.
AVrecon is written in the C programming language, making it easy to port malware for different architectures. What’s more, an important reason why such attacks are successful is because they take advantage of edge-living infrastructure that typically lacks support for security solutions.
The evidence gathered so far points to the botnet being used to click various Facebook and Google ads, and to interact with Microsoft Outlook. This likely indicates a two-pronged attempt to perpetrate ad fraud and data exfiltration.
“The mode of attack appears to focus primarily on stealing bandwidth – without affecting the end user – to create residential proxy services to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services,” the researchers said.