Routers From The Underground: Exposing AVrecon
July 12, 2023
Lumen Black Lotus Labs® identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed “AVrecon.” Apart from a single reference to AVrecon in May 2021, the malware has been operating undetected for more than two years. Black Lotus labs performed an extensive analysis documenting the malware functionality, its size, and how it fits into the cybercrime ecosystem.We assess the purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud. Due to the surreptitious nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth. This assessment is based on observed telemetry and the analysis of functionality in the binary that allows the actor to interact with a remote shell and deploy subsequent binaries. Using Lumen’s global network visibility, Black Lotus Labs has determined the composition of a network that has infiltrated more than 70,000 machines, gaining a persistent hold in more than 40,000 IPs in more than 20 countries. The use of encryption prevents us from commenting on the results of successful password spraying attempts; however, we have null-routed the command and control (C2) nodes and impeded traffic through the proxy servers, which rendered the botnet inert across the Lumen backbone.
Routers From The Underground: Exposing AVrecon
