Scroll Top

AVrecon malware creates large-scale SOHO router Botnet, affecting 70,000 devices across 20 countries


A newly discovered malware strain, named AVrecon, has been targeting small office/home office (SOHO) routers covertly for over two years. This sophisticated malware has infected more than 70,000 devices, establishing a botnet with 40,000 nodes spanning across 20 countries. Lumen Black Lotus Labs, the cybersecurity firm that uncovered the threat, highlighted that AVrecon is the third malware strain of its kind, following ZuoRAT and HiatusRAT, which specifically target SOHO routers.

The Purpose of the Botnet: According to Lumen, AVrecon aims to create a hidden network capable of facilitating various criminal activities, ranging from password spraying to digital advertising fraud. This extensive botnet represents one of the largest ever observed targeting SOHO routers, underscoring the scale and severity of the threat.

Geographical Impact: The majority of infections are concentrated in the United Kingdom and the United States. However, other affected countries include Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, South Africa, and more. Remarkably, AVrecon managed to evade detection until now, despite being initially brought to attention by Kaspersky senior security researcher Ye (Seth) Jin in May 2021.

Attack Chain and Functionality: Lumen outlined the attack chain employed by AVrecon. After successfully infecting a device, the malware enumerates the victim’s SOHO router and exfiltrates the gathered information to an embedded command-and-control (C2) server. It then checks for existing instances of malware by scanning for processes on port 48102, terminating any process found. Subsequently, the compromised system establishes contact with a separate server, known as the secondary C2 server, to await further instructions. Lumen identified 15 unique servers that have been active since at least October 2021.

Notable Characteristics: AVrecon is written in the C programming language, which allows for easy porting of the malware to different architectures. The malware takes advantage of the lack of security support typically found in edge infrastructure, which contributes to the success of such attacks.

Objectives and Activities: Available evidence suggests that the botnet primarily engages in clicking on various Facebook and Google ads, as well as interacting with Microsoft Outlook. This indicates a dual-purpose operation involving advertising fraud and data exfiltration. The researchers further explained that AVrecon appears to focus on stealing bandwidth without directly impacting end-users, creating a residential proxy service that enables money laundering of malicious activities while evading detection from Tor-hidden services or commercially available VPN services.

The discovery of AVrecon underscores the importance of robust security measures for SOHO routers and serves as a reminder for individuals and organizations to implement strong network defenses to mitigate the risk of such botnet attacks.

Leave a comment

You must be logged in to post a comment.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.