Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Craig Hale

Thousands of Linux routers infected by AVrecon malware to build botnet

malware

Security researchers at Lumen Black Lotus Labs have uncovered a Linux-based Remote Access Trojan that has been infecting small-office/home-office (SOHO) routers virtually undetected for a period spanning more than two years.

Briefly referenced in May 2021, the trojan which is being referred to as AVrecon has been used to create residential proxy services designed to hide a variety of malicious activity like password spraying, web-traffic proxying, and ad fraud.

With more than 70,000 distinct IP addresses from 20 countries communicating with 15 unique second-stage C2s over a 28-day window, and 41,000 nodes categorized as persistently infected, the scale of this multi-year campaign could be worryingly big.

Routers infected with malware

Analysis of the malware confirms that it is written in C, valued for its portability, and targets ARM-embedded devices.

AVrecon first checks for other instances of itself on the host machine, and kills existing processes. Failure to do so will see it remove itself from the machine, likely in a bid to evade detection.

Ultimately, Lumen reckons that the malware is designed to used the infected machines to click on various Facebook and Google ads, and to interact with Microsoft Outlook, likely in a larger advertising fraud effort.

The summary concludes that password spraying and/or data exfiltration may, therefore, be a secondary activity.

The goal looks to be the laundering of malicious activity by using the victim’s bandwidth to create a residential proxy service, which is unlikely to attract the same levels of attention as commercially available VPN services.

Because there’s little impact for end users, unlike crypto-mining which is heavy on resources, Black Lotus Labs says: “it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw.”

Practicing good Internet hygiene is paramount to prevention, which in this case includes regularly rebooting routers and applying firmware updates. 

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.