AVrecon Botnet Malware Attacks Thousands of Linux Routers

AVrecon is a Linux-based malware that has been causing significant trouble since May 2021. It has infected over 70,000 small office/home office (SOHO) routers, creating a botnet with the purpose of stealing bandwidth and operating a hidden residential proxy service. The operators of AVrecon have employed various malicious activities, ranging from digital advertising fraud to password spraying, taking advantage of the botnet's capabilities.

The Black Lotus Labs threat research team at Lumen has been closely monitoring AVrecon's activities. They discovered that although the remote access trojan (RAT) compromised over 70,000 devices, only 40,000 were successfully added to the botnet. AVrecon has demonstrated a remarkable ability to remain undetected since its initial identification in May 2021, specifically targeting Netgear routers. It managed to avoid detection for over two years, steadily expanding its influence and becoming one of the most significant botnets focused on SOHO routers in recent times.

What Experts Think About the Dangers of AVrecon Botnet Malware

The experts at Black Lotus Labs suspect that the threat actors behind AVrecon intentionally targeted SOHO devices whose owners would be unlikely to patch them against known vulnerabilities (CVEs). Instead of pursuing immediate financial gain, the operators adopted a patient approach that allowed them to operate covertly for an extended period. Because of the malware's clandestine nature, owners of infected devices rarely notice any disruption in service or loss of bandwidth.

Once a router becomes infected with AVrecon, the malware transmits the compromised device's information to a command-and-control (C2) server whose address is embedded within the malware itself. That server instructs the hacked router to establish communication with a separate group of servers known as second-stage C2 servers. Researchers have identified 15 such second-stage control servers, which, based on their X.509 certificate information, have been operational since at least October 2021.

In response to the AVrecon threat, the Black Lotus Labs team at Lumen null-routed the botnet's C2 server across the Lumen backbone network. This severed the connection between the botnet and its central control server, significantly impeding its ability to carry out harmful activities. The encryption employed by AVrecon prevented the researchers from providing specific details on the success of password spraying attempts, but null-routing the C2 nodes and blocking traffic through the proxy servers rendered the botnet inert across the Lumen backbone.

The Bleak Outlook of AVrecon Botnet Malware

Recognizing the severity of this threat, the Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive (BOD) instructing U.S. federal agencies to secure Internet-exposed networking equipment, including SOHO routers, within 14 days of discovery to prevent potential breaches. Compromising such devices would provide threat actors with an opportunity to incorporate the hacked routers into their attack infrastructure, serving as a launchpad for lateral movement into internal networks, as warned by CISA.

The danger posed by AVrecon stems from the fact that SOHO routers typically exist outside the conventional security perimeter, making it challenging for defenders to detect malicious activities. This modus operandi mirrors the tactics employed by the Chinese cyberespionage group known as Volt Typhoon. They used similar techniques to create a covert proxy network using compromised SOHO network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel. The covert proxy network was used to conceal malicious activities within legitimate network traffic while targeting critical infrastructure organizations in the United States since at least mid-2021.

July 14, 2023