Thousands of Linux routers infected by AVrecon malware to build botnet


Jul 04, 2023

Malware is rather good at evading detection, too

Security researchers at Lumen Black Lotus Labs have uncovered a Linux-based Remote Access Trojan that has been infecting small-office/home-office (SOHO) routers virtually undetected for a period spanning more than two years.

Briefly referenced in May 2021, the trojan, which is being referred to as AVrecon, has been used to create residential proxy services designed to hide a variety of malicious activity such as password spraying, web-traffic proxying, and ad fraud.

With more than 70,000 distinct IP addresses from 20 countries communicating with 15 unique second-stage C2s over a 28-day window, and 41,000 nodes categorized as persistently infected, the scale of this multi-year campaign could be worryingly big.

Analysis of the malware confirms that it is written in C, valued for its portability, and targets ARM-embedded devices.


AVrecon first checks for other instances of itself on the host machine, and kills existing processes. Failure to do so will see it remove itself from the machine, likely in a bid to evade detection.

Ultimately, Lumen reckons that the malware is designed to use the infected machines to click on various Facebook and Google ads, and to interact with Microsoft Outlook, likely as part of a larger advertising fraud effort.

The summary concludes that password spraying and/or data exfiltration may, therefore, be a secondary activity.

The goal looks to be the laundering of malicious activity by using the victim’s bandwidth to create a residential proxy service, which is unlikely to attract the same levels of attention as commercially available VPN services.

Because there’s little impact for end users, unlike crypto-mining which is heavy on resources, Black Lotus Labs says: “it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw.”

Practicing good Internet hygiene is paramount to prevention, which in this case includes regularly rebooting routers and applying firmware updates.


With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!
