New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

Cyber Security Threat Summary:
“A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year. ‘This makes AVrecon one of the largest SOHO router-targeting botnets ever seen,’ the company said. ‘The purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud.’ A majority of the infections are located in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others” (The Hacker News, 2023).

Although AVrecon was first highlighted by a researcher on Twitter in May 2021, it has grown to surpass Qbot in scale, all while remaining undetected. In the activity observed by researchers at Lumen Black Lotus Labs, AVrecon has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying, and ad fraud.

Security Officer Comments:
Although the initial infection vector is unclear, upon successful infection AVrecon enumerates the victim’s SOHO router and sends the collected information (e.g., hostname, CPU, memory usage) back to an attacker-controlled C2 domain. It also checks for other malware running on the system by looking for an existing process bound to port 48102 and opening a listener on that port; if such a process is found, AVrecon terminates it.

“The next stage involves the compromised system establishing contact with a separate server, called the secondary C2 server, to await further commands. Lumen said it identified 15 such unique servers that have been active since at least October 2021. It's worth noting that tiered C2 infrastructure is prevalent among notorious botnets like Emotet and QakBot” (The Hacker News, 2023).

Based on observations made so far, researchers note that the botnet is being further used to click on Facebook and Google ads and interact with Microsoft Outlook, which indicates an effort on the actors’ end to conduct advertising fraud and data exfiltration.

Suggested Correction(s):
Users should be wary of IoT devices that lack traditional security features. Many IoT devices do not support multi-factor authentication or even allow default usernames and passwords to be changed. Cybercriminals will continue to target the ever-growing IoT device market.

If IoT devices must be used, users should consider segmenting them from sensitive networks.

Once a device has been compromised by a botnet, users may notice slow or sluggish systems and/or unusual traffic on the network.
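As an added example (not code from the Lumen Black Lotus Labs report or The Hacker News article), the following Python script implements two defender-side checks for the indicators described above: a listener bound to port 48102 on the router itself (the port AVrecon uses to detect a competing instance), and a LAN host fanning out to an unusually large number of distinct external destinations, which is what a residential-proxy node looks like in the "unusual traffic" of a flow or connection log. The socket listing, the flow records, the process name and the fan-out threshold are all constructed assumptions, not observed data.

```python
"""Added defender-side checks for the AVrecon indicators in the summary above.
Not the report's own code; all sample data below is constructed."""

# Port the article says AVrecon probes for a competing instance and then listens on.
AVRECON_MUTEX_PORT = 48102

# Constructed sample in the column layout of `ss -ltnp` (not captured from a real device).
# The process name "unknown_bin" is a placeholder, not a known AVrecon artifact.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("dropbear",pid=412,fd=3))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("uhttpd",pid=530,fd=5))
LISTEN 0      128    0.0.0.0:48102       0.0.0.0:*         users:(("unknown_bin",pid=9981,fd=4))
"""


def find_listeners(ss_output, port=AVRECON_MUTEX_PORT):
    """Return (local_address, process_field) for every LISTEN socket bound to `port`.

    Works on `ss -ltnp`-style output; the header line and non-LISTEN rows are skipped.
    """
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")  # "0.0.0.0:48102" -> ("0.0.0.0", "48102")
        if lport.isdigit() and int(lport) == port:
            process = " ".join(fields[5:]) if len(fields) > 5 else ""
            hits.append((addr, process))
    return hits


# Constructed flow records: (source_ip, destination_ip, destination_port).
# 192.168.1.20 is an ordinary laptop; 192.168.1.1 is the router, fanning out
# to ten unrelated external hosts the way a proxy node would.
SAMPLE_FLOWS = [
    ("192.168.1.20", "142.250.1.1", 443),
    ("192.168.1.20", "142.250.1.1", 443),
    ("192.168.1.20", "151.101.1.1", 443),
] + [("192.168.1.1", f"203.0.113.{i}", 443) for i in range(1, 11)]


def fan_out_by_source(flows):
    """Map each source IP to the number of distinct destination hosts it contacted."""
    dests = {}
    for src, dst, _port in flows:
        dests.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in dests.items()}


def flag_proxy_like_sources(flows, threshold=8):
    """Sources whose distinct-destination count reaches `threshold`.

    The threshold is an assumed baseline for this constructed sample; in practice
    it should come from the site's own per-host history.
    """
    return sorted(src for src, n in fan_out_by_source(flows).items() if n >= threshold)


if __name__ == "__main__":
    for addr, proc in find_listeners(SAMPLE_SS_OUTPUT):
        print(f"listener on {addr}:{AVRECON_MUTEX_PORT} -> {proc}")
    for src in flag_proxy_like_sources(SAMPLE_FLOWS):
        print(f"high fan-out source: {src} ({fan_out_by_source(SAMPLE_FLOWS)[src]} destinations)")
```

Both checks are intentionally simple so they can run on a workstation against output copied from a router's shell or exported from a firewall; the fan-out check in particular is only meaningful once `threshold` is set from a baseline of normal per-host behaviour on the network being monitored.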

Link(s):
https://thehackernews.com/2023/07/new-soho-router-botnet-avrecon-spreads.html