Security researchers at Lumen's Black Lotus Labs have discovered a Linux-based remote access Trojan that has been infecting small office/home office (SOHO) routers virtually undetected for more than two years.
Briefly mentioned in May 2021, the trojan dubbed AVrecon was used to create private proxy services designed to hide a variety of malicious activities such as password spraying, web traffic proxying, and ad fraud.
With more than 70,000 distinct IP addresses in 20 countries communicating with 15 unique second-tier C2s over a 28-day period, and 41,000 nodes classified as persistently infected, the scale of this multi-year campaign is worryingly large.
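Figures such as "distinct infected IPs", "countries", "second-tier C2s contacted" and "persistently infected nodes" are the kind of summary a defender would derive from flow telemetry against a list of known C2 addresses. The script below is an added example of that aggregation, not Black Lotus Labs code: the C2 addresses (documentation-range IPs, not real indicators), the prefix-to-country mapping and the flow records are all constructed, and the persistence rule (beaconing seen on at least PERSIST_DAYS distinct days inside the 28-day window) is an assumption, since the report does not say how it defined "persistently infected".

```python
"""Summarise C2 beaconing from flow-style telemetry and flag persistent hosts.

Added example, not code from the AVrecon report. All addresses, the
country mapping and the sample flows are constructed; the persistence
threshold is an assumption.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed second-tier C2 addresses (RFC 5737 documentation ranges).
C2_ADDRESSES = {"203.0.113.10", "203.0.113.20", "198.51.100.5"}

# Constructed /24 -> country mapping standing in for a real GeoIP lookup.
COUNTRY_BY_PREFIX = {"192.0.2": "US", "198.18.0": "DE", "198.18.1": "BR"}

WINDOW_START = date(2023, 6, 1)   # constructed start of the observation window
WINDOW_DAYS = 28                  # window length used in the report
PERSIST_DAYS = 7                  # assumption: beacons on >= 7 distinct days


def _beacons(src, dst, first, n):
    """Build constructed flow lines 'date,src_ip,dst_ip,dst_port', one per day."""
    return [f"{first + timedelta(days=i)},{src},{dst},443" for i in range(n)]


# Constructed sample telemetry covering the cases the classifier must handle.
SAMPLE_FLOWS = (
    _beacons("192.0.2.15", "203.0.113.10", date(2023, 6, 2), 8)     # 8 days: persistent
    + _beacons("198.18.0.7", "203.0.113.20", date(2023, 6, 10), 2)  # 2 days: transient
    + _beacons("198.18.0.7", "203.0.113.20", date(2023, 5, 20), 5)  # before window: ignored
    + _beacons("198.18.1.9", "198.51.100.5", date(2023, 6, 5), 4)   # 4 days to one C2 ...
    + _beacons("198.18.1.9", "203.0.113.10", date(2023, 6, 9), 3)   # ... + 3 to another = 7
    + _beacons("192.0.2.99", "8.8.8.8", date(2023, 6, 3), 10)       # not a C2: ignored
)


def parse_flow(line):
    """Parse one CSV flow line into (date, src_ip, dst_ip, dst_port)."""
    day, src, dst, port = line.strip().split(",")
    return date.fromisoformat(day), src, dst, int(port)


def country_of(ip):
    """Look up the constructed country for an IPv4 address by its /24."""
    return COUNTRY_BY_PREFIX.get(ip.rsplit(".", 1)[0], "??")


def classify_infections(lines, window_start=WINDOW_START,
                        window_days=WINDOW_DAYS, persist_days=PERSIST_DAYS):
    """Aggregate beacons to known C2s inside the window and classify sources.

    Returns counts of infected IPs, the countries and C2s involved, and the
    sources split into persistent (>= persist_days distinct days) and transient.
    """
    window_end = window_start + timedelta(days=window_days)
    days_seen = defaultdict(set)   # src_ip -> set of days it beaconed
    c2s_seen = defaultdict(set)    # src_ip -> set of C2s it contacted

    for line in lines:
        day, src, dst, _port = parse_flow(line)
        if dst not in C2_ADDRESSES:
            continue                       # ordinary traffic, not C2
        if not (window_start <= day < window_end):
            continue                       # outside the observation window
        days_seen[src].add(day)
        c2s_seen[src].add(dst)

    persistent = sorted(ip for ip, days in days_seen.items()
                        if len(days) >= persist_days)
    return {
        "infected_ips": len(days_seen),
        "countries": sorted({country_of(ip) for ip in days_seen}),
        "c2s_contacted": sorted(set().union(*c2s_seen.values())) if c2s_seen else [],
        "persistent": persistent,
        "transient": sorted(set(days_seen) - set(persistent)),
    }


if __name__ == "__main__":
    for key, value in classify_infections(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

Two details matter in practice: flows outside the window are dropped before counting, so a host that beaconed heavily last month but not this month is not counted, and persistence is measured in distinct days rather than raw flow count, so a single noisy day does not by itself mark a host as persistently infected.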
Routers infected with malware
Analysis of the malware confirms that it is written in C, a language valued for its portability, and that it targets ARM-based embedded devices.
AVrecon first checks for other instances of itself on the host machine and kills any existing processes it finds; otherwise it leaves the machine alone, probably to avoid detection.
Ultimately, Lumen believes the malware is designed to use the infected machines to click various Facebook and Google ads and interact with Microsoft Outlook, likely as part of a larger ad fraud attempt.
The report concludes that password spraying and/or data exfiltration are therefore likely to be secondary activities.
The goal appears to be to launder malicious activity by using the victim’s bandwidth to create a private proxy service that is unlikely to draw the same level of attention as commercially available VPN services.
Because the end-user impact is minimal compared to resource-intensive crypto mining, Black Lotus Labs says, "It's unlikely that there will be as many abuse complaints as internet-wide brute-forcing and DDoS-based botnets typically generate."
Good internet hygiene remains the main line of defence. In this case, that means regularly rebooting routers and promptly applying vendor firmware updates.