Senior security researcher Ye (Seth) Jin, from Kaspersky Labs, first tweeted about AVrecon in May of 2021. This sophisticated malware has now successfully infiltrated more than 70,000 devices, creating a massive botnet with 40,000 nodes spread across 20 countries. The emergence of AVrecon marks the third such strain targeting SOHO routers, following the tracks of ZuoRAT and HiatusRAT in the past year.
Lumen Black Lotus Labs has labeled AVrecon as one of the largest botnets designed to target SOHO routers. According to Lumen Black Lotus Labs, this malicious campaign aims to establish a covert network, enabling a wide range of criminal activities including password spraying and digital advertising fraud. The sheer scale of infections is primarily concentrated in the United Kingdom and the United States, with notable presence in countries such as Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa.
Lumen Black Lotus Labs has provided insights into the attack chain employed by AVrecon. The initial phase involves infecting a target system and extracting relevant information/data about the victim’s SOHO router. That information/data is then transmitted back to an embedded command-and-control (C2) server. To ensure the system isn’t compromised by other malware strains, AVrecon searches for existing processes on port 48102 and terminates any process bound to that port. Once infected, the compromised system establishes communication with a separate server, known as the secondary C2 server, awaiting further commands. Researchers have identified 15 unique servers that have been active since at least October 2021. This is indicative a sophisticated infrastructure supporting the botnet’s operations.
AVrecon, written in C, possesses the capability to be easily adapted for different system architectures. These attacks exploit the inherent vulnerabilities of edge infrastructure, which often lacks robust security solutions. This factor contributes significantly to the success of AVrecon and similar threats.
Evidence gathered suggests that AVrecon serves a dual purpose. The malware is involved in clicking on various Facebook and Google ads, while also interacting with Microsoft Outlook. This indicates a two-pronged effort to engage in advertising fraud and data exfiltration. The attackers establish a residential proxy service to facilitate the laundering of malicious activities by covertly stealing bandwidth without impacting end-users. This strategy allows them to avoid drawing attention from Tor-hidden services and commercially available VPN services.
AVrecon poses a threat to small office/home office (SOHO) routers worldwide. As the malware targets vulnerable edge infrastructure, it is important for individuals and businesses to prioritize security solutions that safeguard against such sophisticated threats. The discovery of AVrecon serves as a wake-up call, emphasizing the ongoing battle between cybercriminals and cybersecurity experts to protect digital ecosystems.