Security researchers at Lumen Black Lotus Labs have uncovered a Linux-based Remote Access Trojan that has been infecting small-office/home-office (SOHO) routers virtually undetected for a period spanning more than two years.
Briefly referenced in May 2021, the trojan which is being referred to as AVrecon has been used to create residential proxy services designed to hide a variety of malicious activity like password spraying, web-traffic proxying, and ad fraud.
With more than 70,000 distinct IP addresses from 20 countries communicating with 15 unique second-stage C2s over a 28-day window, and 41,000 nodes categorized as persistently infected, the scale of this multi-year campaign could be worryingly big.
Routers infected with malware
AVrecon first checks for other instances of itself on the host machine, and kills existing processes. Failure to do so will see it remove itself from the machine, likely in a bid to evade detection.
Ultimately, Lumen reckons that the malware is designed to used the infected machines to click on various Facebook and Google ads, and to interact with Microsoft Outlook, likely in a larger advertising fraud effort.
The summary concludes that password spraying and/or data exfiltration may, therefore, be a secondary activity.
The goal looks to be the laundering of malicious activity by using the victim’s bandwidth to create a residential proxy service, which is unlikely to attract the same levels of attention as commercially available VPN services.
Because there’s little impact for end users, unlike crypto-mining which is heavy on resources, Black Lotus Labs says: “it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw.”
Practicing good Internet hygiene is paramount to prevention, which in this case includes regularly rebooting routers and applying firmware updates.