AVrecon Botnet Malware

From May 2021 onwards, a highly covert Linux malware known as AVrecon has been employed to infiltrate more than 70,000 small office/home office (SOHO) routers operating on Linux-based systems. These compromised routers are then incorporated into a botnet, serving a dual purpose: pilfering bandwidth and establishing a concealed residential proxy service. According to infosec experts, out of the 70 000 devices compromised by AVrecon, around 40 000 were incorporated into a botnet.

By utilizing this botnet, the operators of AVrecon can effectively conceal an array of harmful undertakings. These activities encompass a broad spectrum, ranging from fraudulent digital advertising schemes to password-spraying attacks. The availability of a hidden residential proxy service provides them with a means to anonymize their operations and exploit the compromised network infrastructure to carry out their nefarious activities undetected.

The AVrecon Malware Operates Silently on the Breached Devices

Since its initial detection in May 2021, AVrecon has demonstrated a remarkable ability to evade detection. It initially targeted Netgear routers and managed to remain undetected for over two years, steadily expanding its reach by ensnaring new bots. This relentless growth has propelled it to become one of the largest botnets targeting small office/home office (SOHO) routers in recent times.

The threat actors behind this malware appear to have strategically focused on exploiting SOHO devices that users were less likely to patch against known vulnerabilities and exposures (CVEs). By adopting a more cautious approach, the operators were able to operate stealthily for an extended period, eluding detection for over two years. The surreptitious nature of the malware meant that owners of infected devices rarely experienced noticeable service disruptions or bandwidth loss, further enabling the botnet to persist undetected.

Once a router is infected, the malware proceeds to transmit the compromised device's information to an embedded Command-and-Control (C2) server. Subsequently, the hacked machine receives instructions to establish communication with a separate set of servers known as second-stage C2 servers. During their investigation, security researchers identified a total of 15 second-stage control servers. These servers have been operational since at least October 2021, as determined by x.509 certificate information.

The presence of these second-stage C2 servers highlights the sophisticated infrastructure and organization employed by the threat actors behind the malware. It further underscores the challenges faced by cybersecurity experts in combating and mitigating the impact of this persistent and elusive botnet.

Compromised SOHO Devices could Lead to Serious Consequences

In a binding operational directive (BOD) recently issued by the Cybersecurity and Infrastructure Security Agency (CISA), U.S. federal agencies have been mandated to take immediate action to secure Internet-exposed networking equipment, including SOHO routers. This directive requires federal agencies to fortify these devices within 14 days of discovery to prevent potential breach attempts.

The reason behind this urgency is that a successful compromise of such devices would grant threat actors the ability to incorporate the compromised routers into their attack infrastructure. This, in turn, would serve as a launchpad for lateral movement into the internal networks of targeted entities, as emphasized by CISA in their warning.

The utilization of AVrecon by threat actors serves a dual purpose: proxying traffic and engaging in nefarious activities such as password spraying. This distinct modus operandi sets it apart from our previous discoveries of router-based malware, which primarily focused on direct network targeting.

The gravity of this threat arises from the fact that SOHO routers typically operate outside the conventional security perimeter. Consequently, the ability of defenders to detect unsafe activities is significantly diminished. This situation highlights the critical importance of promptly securing these devices to mitigate the risk of potential breaches and enhance overall network security.