Security researchers at Lumen Black Lotus Labs have uncovered a Linux-based Remote Access Trojan that has been infecting small-office/home-office (SOHO) routers virtually undetected for a period spanning more than two years.
Briefly referenced in May 2021, the trojan which is being referred to as AVrecon has been used to create residential proxy services designed to hide a variety of malicious activity like password spraying, web-traffic proxying, and ad fraud.
With more than 70,000 distinct IP addresses from 20 countries communicating with 15 unique second-stage C2s over a 28-day window, and 41,000 nodes categorized as persistently infected, the scale of this multi-year campaign could be worryingly big.
Routers infected with malware
Analysis of the malware confirms that it is written in C, valued for its portability, and targets ARM-embedded devices.
AVrecon first checks for other instances of itself on the host machine, and kills existing processes. Failure to do so will see it remove itself from the machine, likely in a bid to evade detection.
Ultimately, Lumen reckons that the malware is designed to used the infected machines to click on various Facebook and Google ads, and to interact with Microsoft Outlook, likely in a larger advertising fraud effort.
The summary concludes that password spraying and/or data exfiltration may, therefore, be a secondary activity.
The goal looks to be the laundering of malicious activity by using the victim’s bandwidth to create a residential proxy service, which is unlikely to attract the same levels of attention as commercially available VPN services.
Because there’s little impact for end users, unlike crypto-mining which is heavy on resources, Black Lotus Labs says: “it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw.”
Practicing good Internet hygiene is paramount to prevention, which in this case includes regularly rebooting routers and applying firmware updates.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba