AVrecon, a stealthy Linux virus, has infected over 70,000 Linux-based small office/home office (SOHO) routers since May 2021, creating a botnet aimed at stealing bandwidth and operating a covert residential proxy service. This botnet enables threat actors to engage in various illegal activities, including digital advertising fraud and password spraying. Despite its initial detection in May 2021, AVrecon effectively evaded detection for over two years and has become one of the largest SOHO router-targeting botnets. By targeting SOHO systems, which are less likely to receive regular security patches, the operators maintained a low profile without causing significant disruptions to infected users' services or bandwidth.
AVrecon is developed in C, making it highly portable and adaptable to various architectures, particularly ARM-embedded devices. After infection, the malware performs three main tasks: searching for other instances of itself on the host computer, collecting host-based data, and establishing parameters for the command-and-control (C2) channel. To prevent monitoring of successful password spraying attempts, AVrecon encrypts all communication with its C2 servers. Lumen's Black Lotus Labs null-routed the botnet's C2 servers, severing the connection between the malicious botnet and its central control server, effectively impeding its harmful operations.
Impact and Targets:
AVrecon has infected over 70,000 SOHO routers, gaining persistence on 40,000 of them while operating unnoticed for more than two years. Since SOHO routers often operate outside the traditional security perimeter, it is challenging for defenders to detect malicious activity, making them prime targets for the virus. By using compromised routers as a launching point for lateral movement into internal networks, threat actors can carry out various malicious actions while appearing to originate from a residential IP address in another country, evading geofencing and ASN-based filtering.
Similar Techniques and Warnings:
AVrecon's threat level is comparable to the tactics used by the Chinese cyberespionage group Volt Typhoon, which established a covert proxy network using stolen SOHO network hardware to conceal their malicious activities within legitimate network traffic. In response to potential hack attempts, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive (BOD), instructing US federal entities to secure Internet-exposed networking equipment, including SOHO routers, within 14 days of discovery.
Defenders should be vigilant for attacks originating from suspicious login attempts and weak credentials coming from residential IP addresses, as traffic from compromised IP addresses can bypass firewall policies like geofencing and ASN-based blocking. For home users, timely security updates and routine router reboots are crucial to avoid infection and reduce vulnerability to malware attacks.