Linux malware infects 70,000 routers

July 31, 2023 - TuxCare PR Team

A stealthy Linux malware called AVrecon has been used to infect over 70,000 Linux-based small office/home office (SOHO) routers, according to a report by Lumen’s Black Lotus Labs threat research team.

The malware, which was first spotted in May 2021, is designed to steal bandwidth and provide a hidden residential proxy service. This allows its operators to hide a wide spectrum of malicious activities, from digital advertising fraud to password spraying.

The malware has largely managed to evade detection since it was first spotted. This is because it targets SOHO routers that are often not patched against common vulnerabilities. Additionally, the malware is very stealthy, and owners of infected machines rarely notice any service disruption or loss of bandwidth.

Once infected, the malware sends the compromised router’s information to an embedded command-and-control (C2) server. After making contact, the hacked machine is instructed to establish communication with an independent group of servers, known as second-stage C2 servers.

The security researchers found 15 such second-stage control servers, which have been operational since at least October 2021.

Lumen’s Black Lotus security team also addressed the AVrecon threat by null-routing the botnet’s command-and-control (C2) server across their backbone network. This effectively severed the connection between the malicious botnet and its central control server, significantly impeding its capacity to execute harmful activities.

The severity of this threat stems from the fact that SOHO routers typically reside beyond the confines of the conventional security perimeter, greatly diminishing defenders’ ability to detect malicious activities.

The Volt Typhoon Chinese cyberespionage group used a similar tactic to build a covert proxy network out of hacked ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel SOHO network equipment to hide their malicious activity within legitimate network traffic.

“Threat actors are using AVrecon to proxy traffic and to engage in malicious activity like password spraying,” says Michelle Lee, threat intelligence director of Lumen Black Lotus Labs. “This is different from the direct network targeting we saw with our other router-based malware discoveries.”

“Defenders should be aware that such malicious activity can originate from what appears to be a residential IP address in a country other than the actual origin, and traffic from compromised IP addresses will bypass firewall rules such as geofencing and ASN-based blocking.”

The sources for this piece include an article in BleepingComputer.

Summary