Since at least May 2021, stealth Linux malware called AVrecon has been used to infect over 70,000 Linux-based Small Office/Home Office (SOHO) routers to a botnet designed to steal bandwidth and provide service. hidden residential proxy.

This allows its operators to conceal a wide range of malicious activity, from digital ad fraud to password spraying.

According to Lumen’s Black Lotus Labs threat research team, while the AVrecon remote access trojan (RAT) compromised more than 70,000 devices, only 40,000 were added to the botnet after gaining traction. persistence.

The malware has largely managed to evade detection since being First of all spotted in May 2021 as it targeted Netgear routers. Since then, it has gone undetected for over two years, slowly catching new bots and becoming one of the largest botnets targeting SOHO routers discovered in recent years.

“We suspect the threat actor focused on the type of SOHO devices that users would be less likely to patch against common vulnerabilities and exposures (CVEs),” Black Lotus Labs said.

“Instead of using this botnet for a quick payout, operators have maintained a more restrained approach and have been able to operate undetected for over two years. Due to the surreptitious nature of the malware, owners of infected machines rarely notice interruption or loss of bandwidth service.”

Once infected, the malware sends information from the compromised router to an embedded command and control (C2) server. Once contact is established, the hacked machine is invited to establish communication with a group of independent servers, called second-level C2 servers.

Security researchers found 15 of these second-stage control servers, which have been operational since at least October 2021, based on x.509 certificate information.

Lumen’s Black Lotus security team also addressed the AVrecon threat by routing the botnet’s command and control (C2) server on its backbone network.

This effectively severed the connection between the malicious botnet and its central control server, significantly hampering its ability to perform harmful activities.

“The use of encryption prevents us from commenting on the results of successful password spraying attempts; however, we routed command and control (C2) nodes and obstructed traffic through proxy servers, which made the inert botnet on the Lumen backbone,” Black Lotus Labs said.

In a Binding Operational Directive (BOD) recently issued last month, CISA directed U.S. federal agencies to secure network equipment exposed to the Internet (including SOHO routers) within 14 days of discovery to block potential attempted breaches.

A successful compromise of these devices would allow threat actors to add the hacked routers to their attack infrastructure and provide them with a launch pad for lateral movement in their internal networks, as CISA has warned.

The severity of this threat stems from the fact that these devices typically reside beyond the boundaries of the conventional security perimeter, which significantly reduces the ability of defenders to detect malicious activity.

“Threat actors use AVrecon to proxy traffic and to engage in malicious activities like password spraying. router”, said Michelle Lee, Director of Threat Intelligence at Lumen Black Lotus Labs.

“Defenders should be aware that such malicious activity may originate from what appears to be a residential IP address in a country other than the actual origin, and traffic from compromised IP addresses will bypass firewall rules such than geofencing and DSC-based blocking.”