AVrecon Linux Malware Infects Over 70,000 SOHO Routers
Since May 2021, the AVrecon Linux malware has infected more than 70,000 SOHO routers and made most of them part of a botnet that specializes in creating hidden residential proxies, according to Lumen Black Lotus Labs.
What Are Residential Proxies?
Residential proxies allow botnet operators to mask a wide range of malicious activities, from digital advertising fraud to password spraying attacks.
AVrecon Botnet Remained Undetected for Two Years
Although the AVrecon Remote Access Trojan (RAT) compromised more than 70,000 devices, only 40,000 of them became part of the botnet once the malware had gained a foothold on the device, according to the researchers. AVrecon went almost entirely undetected for a long time, even though it was first spotted in May 2021, when the malware targeted Netgear routers. Since then the botnet has stayed under the radar for two years and has grown steadily, becoming one of the largest router-targeting botnets in the world.
“We suspect that the attackers are focusing on SOHO devices, as they are less likely to be patched with various CVEs,” the experts say. “Instead of using the botnet for a quick profit, its operators took a more moderate approach and were able to go unnoticed for two years. Due to the stealthy nature of the malware, owners of infected machines rarely notice performance issues or loss of bandwidth.”
After infection, the malware sends information about the compromised router to a hard-coded command-and-control (C2) server address. Once contact is established, the device is instructed to open communication with a second group of servers, the second-stage control servers. Based on X.509 certificate information, the researchers identified 15 such servers that have been operating since at least October 2021.
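The report's dating of the second-stage servers rests on certificate metadata. The following is an added example of that kind of infrastructure pivot, not code from the article or from Black Lotus Labs: it groups hosts that serve the same certificate, then widens the group to self-signed certificates that share issuer, subject and notBefore (what a deployment script that re-keys each server leaves behind), and takes the oldest notBefore in the resulting cluster as a lower bound on when the infrastructure came online. The hosts, fingerprints and certificate fields are constructed placeholders.

```python
"""Cluster candidate second-stage servers by X.509 certificate metadata.

Added example, not code from the article or from Black Lotus Labs. The
hosts, fingerprints and certificate fields are constructed placeholders
standing in for what a passive-TLS or internet-scan dataset would return.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed observations: one record per (host, served certificate).
OBSERVATIONS = [
    {"host": "203.0.113.11", "fingerprint": "sha256:f1", "issuer": "CN=srv",
     "subject": "CN=srv", "not_before": "2021-10-02T09:00:00"},
    {"host": "203.0.113.12", "fingerprint": "sha256:f1", "issuer": "CN=srv",
     "subject": "CN=srv", "not_before": "2021-10-02T09:00:00"},
    # Same self-signed template but re-keyed, so a different fingerprint.
    {"host": "198.51.100.21", "fingerprint": "sha256:f2", "issuer": "CN=srv",
     "subject": "CN=srv", "not_before": "2021-10-02T09:00:00"},
    # Same names but generated months later: treated as a separate template.
    {"host": "198.51.100.22", "fingerprint": "sha256:f3", "issuer": "CN=srv",
     "subject": "CN=srv", "not_before": "2022-01-15T00:00:00"},
    # CA-issued certificate: not self-signed, so excluded from template pivots.
    {"host": "192.0.2.40", "fingerprint": "sha256:f4",
     "issuer": "CN=Example Public CA", "subject": "CN=www.example.net",
     "not_before": "2021-09-01T00:00:00"},
]


def is_self_signed(rec):
    """Treat issuer == subject as self-signed (the common C2 pattern)."""
    return rec["issuer"] == rec["subject"]


def by_fingerprint(observations):
    """Exact pivot: hosts serving the very same certificate."""
    groups = defaultdict(set)
    for rec in observations:
        groups[rec["fingerprint"]].add(rec["host"])
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def by_template(observations):
    """Fuzzy pivot: self-signed certs sharing issuer, subject and notBefore.

    A deployment tool that mints a fresh key per server leaves identical
    names and timestamps behind even though the fingerprints differ.
    """
    groups = defaultdict(set)
    for rec in observations:
        if is_self_signed(rec):
            key = (rec["issuer"], rec["subject"], rec["not_before"])
            groups[key].add(rec["host"])
    return {key: sorted(hosts) for key, hosts in groups.items()}


def linked_hosts(observations, seed_host):
    """Transitive closure from a seed host over both pivots (BFS)."""
    neighbours = defaultdict(set)
    for hosts in list(by_fingerprint(observations).values()) + \
                 list(by_template(observations).values()):
        for h in hosts:
            neighbours[h].update(hosts)
    seen, queue = {seed_host}, deque([seed_host])
    while queue:
        current = queue.popleft()
        for nxt in neighbours[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def earliest_not_before(observations, hosts):
    """Lower bound on when a cluster came online: its oldest notBefore."""
    dates = [datetime.fromisoformat(rec["not_before"])
             for rec in observations if rec["host"] in hosts]
    return min(dates)


if __name__ == "__main__":
    cluster = linked_hosts(OBSERVATIONS, "203.0.113.11")
    print(sorted(cluster), earliest_not_before(OBSERVATIONS, cluster))
```

The template pivot is deliberately restricted to self-signed certificates: a CA-issued certificate shares its issuer with millions of unrelated hosts, so matching on it would pull benign infrastructure into the cluster.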
Researchers Disrupt AVrecon Botnet
The researchers note that they were able to disrupt AVrecon by changing the routing for the botnet's control server within their backbone network. This effectively severed the connection between the botnet and its control infrastructure, greatly limiting the malware's ability to carry out malicious actions.
The AVrecon Linux malware is a reminder of how important it is to keep your router up to date with the latest security patches. Use a strong password and change it regularly. Also be aware of the signs of a compromised router, such as sudden changes in performance, loss of bandwidth, and unexpected reboots; if you notice any of them, take action immediately.
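The "loss of bandwidth" sign is hard to spot by feel, but it has a measurable shape: a router acting as a residential proxy originates its own traffic to many outside destinations instead of merely forwarding its LAN's. The script below is an added detection example, not from the article or from Lumen's report. It reads constructed flow records (source, destination, port, bytes), drops intra-LAN flows, and flags the router when its self-originated egress spans more than a handful of distinct destinations and accounts for a large share of all outbound bytes. The router address, LAN range, log format and thresholds are assumptions; a real deployment would feed it exported NetFlow/IPFIX or conntrack data.

```python
"""Spot a SOHO router that is itself originating proxy-like traffic.

Added detection example, not from the article or from Lumen's report.
The flow-log format, addresses and thresholds are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

ROUTER_IP = ipaddress.ip_address("192.168.1.1")    # assumed router address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN range

# Constructed flow records, one per line: "src dst dst_port bytes".
# LAN hosts browse normally; the router does DNS/NTP and also relays
# traffic to several unrelated external hosts.
FLOW_LOG = """\
192.168.1.20 192.168.1.1 53 300
192.168.1.20 203.0.113.200 443 120000
192.168.1.20 203.0.113.200 443 80000
192.168.1.21 198.51.100.7 443 60000
192.168.1.22 203.0.113.40 80 40000
192.168.1.1 192.0.2.53 53 2000
192.168.1.1 192.0.2.123 123 500
192.168.1.1 203.0.113.5 443 50000
192.168.1.1 203.0.113.6 443 45000
192.168.1.1 198.51.100.9 80 30000
192.168.1.1 198.51.100.10 443 35000
192.168.1.1 203.0.113.77 8080 40000
"""

# Constructed baseline: same LAN, router only doing DNS and NTP.
CLEAN_LOG = """\
192.168.1.20 203.0.113.200 443 120000
192.168.1.21 198.51.100.7 443 60000
192.168.1.1 192.0.2.53 53 2000
192.168.1.1 192.0.2.123 123 500
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split()
        flows.append({"src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def external_egress(flows):
    """Keep only flows leaving the LAN; intra-LAN chatter is irrelevant."""
    return [f for f in flows if f["dst"] not in LAN_NET]


def router_profile(flows, max_destinations=4, max_share=0.25):
    """Compare router-originated egress with what the LAN hosts generate.

    A healthy router talks to a few fixed endpoints (DNS, NTP, update
    server) and moves little data itself. Many distinct destinations plus
    a large share of total egress bytes is the shape of relayed proxy traffic.
    """
    egress = external_egress(flows)
    total = sum(f["bytes"] for f in egress)
    own = [f for f in egress if f["src"] == ROUTER_IP]
    own_bytes = sum(f["bytes"] for f in own)
    destinations = {f["dst"] for f in own}
    share = own_bytes / total if total else 0.0
    return {
        "router_bytes": own_bytes,
        "total_external_bytes": total,
        "distinct_destinations": len(destinations),
        "share": round(share, 3),
        "flagged": len(destinations) > max_destinations and share > max_share,
    }


if __name__ == "__main__":
    print(router_profile(parse_flows(FLOW_LOG)))
    print(router_profile(parse_flows(CLEAN_LOG)))
```

Both conditions are required on purpose: a firmware download makes the router's share of egress spike against a single destination, and a chatty DNS resolver makes many small flows, but neither alone produces many destinations and a large byte share at the same time.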