AVrecon Linux Malware Used To Conduct Campaigns Against 70,000 Linux SOHO Routers

Posted on July 14, 2023 at 8:43 AM


AVrecon, a Linux malware used to steal information from the targeted devices, was used to conduct a hacking campaign against more than 70,000 Linux-based routers. These routers were targeted and added to a botnet that was later used to steal bandwidth and create a hidden residential proxy service that avoids detection from cybersecurity systems.

AVrecon malware used to infect 70,000 Linux routers

Hackers have been exploiting vulnerabilities in Linux-based systems to carry out their attacks. The recently detected campaign is believed to have started in May 2021, with the operators using stealth techniques to hide a variety of malicious activities, such as digital advertising fraud and password spraying.

The campaign was detected by Lumen’s Black Lotus Labs cybersecurity group, which said that the AVrecon remote access trojan (RAT) has been observed to compromise more than 70,000 devices. Only 40,000 of the affected devices were included in the botnet after the hackers engaged in persistent attacks.

The malware has largely avoided detection since it was first observed in May 2021. At the time, it was being used to target Netgear routers. It remained undetected for more than two years while it continued to acquire new bots, and it has since grown into one of the largest botnets targeting small office/home office (SOHO) routers.

The cybersecurity research team that detected this threat said that the hacker behind the attack largely focused on the type of SOHO devices that the users were not likely to upgrade despite patches being released. Security patches are usually issued to protect devices against common vulnerabilities and exposures.

The researchers further said that “Instead of using this botnet for a quick payout, the operators maintained a more temperate approach and were able to operate undetected for more than two years. Due to the surreptitious nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth.”

Once the malware has successfully infected a device, it sends information about the compromised router to a command-and-control (C2) server. After contact is established, the infected device is instructed to open communication with other servers.

According to Lumen’s Black Lotus threat team, 15 second-stage control servers were already in existence. These servers have been in operation since 2021. This indicates that the extent of damage posed by the attackers could be massive.

The researchers addressed the threat

The security team said that it addressed the threat posed by the AVrecon malware by null-routing the C2 server of this botnet across the backbone network. This process cut the connection between the malicious botnet and the central control server, which affected the capacity of the malware to cause significant harm.

The researchers noted that they had null-routed the C2 nodes and hindered traffic using the proxy servers. This, in turn, resulted in the botnet not spreading within the Lumen ecosystem.

Last month, CISA published a binding operational directive (BOD) that ordered US federal agencies to secure networking equipment exposed to the internet. This equipment included SOHO routers. The equipment needed to be secured within two weeks of the threat being discovered to reduce the possibility of a breach happening.

After these devices have been successfully compromised, they will allow the hackers to add the compromised routers to the attack infrastructure and offer them a launchpad that supports lateral movement within internal networks.

The severity of the threat posed by the malware comes from SOHO routers existing beyond the frameworks of a conventional security perimeter. As such, the ability of a security system to detect any malicious activity will be affected.

These techniques are increasingly being used by hacker groups. Volt Typhoon, a Chinese hacker group, used this technique to target several pieces of network equipment while concealing its malicious activity within legitimate network traffic. According to researchers and government agencies, the activity was detected in May.

The Chinese state-sponsored hackers behind the attack used the technique to launch campaigns against critical infrastructure organizations in the US since around mid-2021. However, according to researchers at Lumen Black Lotus Labs, the attacks were different from the direct network targeting that has been observed with other router-based malware.

The researchers have urged defenders to stay alert to malicious activity linked to this campaign because of the techniques the hackers use to hide their activity. They noted that traffic generated from compromised IP addresses would be used to bypass firewalls and reach the targeted device without being detected.
