
A new malware strain has been stealthily targeting small office/home office (SOHO) routers for over two years, infecting over 70,000 devices and building a botnet of 40,000 nodes across 20 countries.
Lumen Black Lotus Labs has named this malware AVrecon. It is the third strain to focus on SOHO routers in the past year, after ZuoRAT and HiatusRAT.
“This makes AVrecon one of the largest botnets targeting SOHO routers seen to date,” the company said. “The campaign appears to be aimed at creating a covert network that covertly enables a range of criminal activities, from password spraying to digital advertising fraud.”
The majority of cases are in the UK and US, followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia and South Africa.
AVrecon was first highlighted by Kaspersky Senior Security Researcher Yeh (Seth) Jin in May 2021, which means the malware has been able to evade detection since then.
In the attack chain detailed by Lumen, after a successful infection, the victim’s SOHO router is enumerated and that information is exfiltrated to a built-in command and control (C2) server.
It also checks whether another instance of the malware is already running on the host by looking for an existing process bound to port 48102 and then opening its own listener on that port. Any process already bound to that port is terminated.
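The single-instance check on port 48102 gives defenders a host-level indicator to look for. The following Python is an added example, not code from Lumen's report or the malware: it parses `ss -ltn` / `netstat -ltn` style output (the sample lines below are constructed) and flags a listener on that port. Assumptions: the port number is the only indicator used, and a match is treated as a lead to investigate, not proof of infection.

```python
"""Flag a TCP listener on port 48102 in ss/netstat output (added example)."""
import re
from typing import Iterable, Set

# Port the article reports AVrecon uses for its single-instance check.
AVRECON_MUTEX_PORT = 48102

# Matches tokens such as "0.0.0.0:48102", "[::]:80" or "*:22";
# a peer column like "0.0.0.0:*" does not match because "*" is not digits.
_ADDR_PORT_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def listening_ports(lines: Iterable[str]) -> Set[int]:
    """Return the local ports in LISTEN state from ss -ltn or netstat -ltn lines."""
    ports: Set[int] = set()
    for line in lines:
        if "LISTEN" not in line:  # skips headers and non-listening sockets
            continue
        for tok in line.split():
            m = _ADDR_PORT_RE.match(tok)
            if m:
                ports.add(int(m.group("port")))
                break  # the first addr:port token is the local address
    return ports


def has_avrecon_listener(lines: Iterable[str]) -> bool:
    """True if something listens on 48102; a lead to triage, not a verdict,
    since an unrelated service could legitimately use that port."""
    return AVRECON_MUTEX_PORT in listening_ports(lines)


# Constructed sample output (not captured from a real device).
SAMPLE_INFECTED = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
LISTEN  0       5       0.0.0.0:48102        0.0.0.0:*
""".splitlines()

SAMPLE_CLEAN = """\
tcp  0  0  0.0.0.0:22   0.0.0.0:*   LISTEN
tcp  0  0  127.0.0.1:53 0.0.0.0:*   LISTEN
""".splitlines()

if __name__ == "__main__":
    print("infected sample flagged:", has_avrecon_listener(SAMPLE_INFECTED))
    print("clean sample flagged:   ", has_avrecon_listener(SAMPLE_CLEAN))
```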

In the next stage, the compromised system establishes a connection with another server, called a secondary C2 server, and waits for further commands. Lumen said it has identified 15 such unique servers that have been in operation since at least October 2021.
It is worth noting that hierarchical C2 infrastructures are prevalent among notorious botnets such as Emotet and QakBot.
AVrecon is written in the C programming language, making it easy to port the malware to different architectures. Moreover, the critical reason why such attacks work is that they take advantage of infrastructure that resides at the network edge, which security solutions typically do not cover.
Evidence collected so far indicates that this botnet is being used to click on various Facebook and Google ads and to interact with Microsoft Outlook. This could indicate a two-pronged effort to commit ad fraud and data exfiltration.
“The attack modus operandi is to launder malicious activity and encourage end-users to create residential proxy services to avoid receiving the same level of attention from Tor hidden services and commercial VPN services. It appears to be primarily focused on stealing bandwidth without affecting