A new malware strain, dubbed AVrecon, has been found conducting stealthy attacks against vulnerable Small Office/Home Office (SOHO) routers in an attempt to build a botnet. The campaign has been active for more than two years, with the malware infiltrating around 70,000 devices across 20 countries.
The development comes a few weeks after CISA issued an advisory warning federal agencies about the risks associated with misconfigured networking equipment.
What does the finding say?
According to Lumen Black Lotus Labs, AVrecon is the third such malware strain, after ZuoRAT and HiatusRAT, to focus on SOHO routers. In 2021, the malware managed to evade detection by targeting Netgear routers. Eventually, it shifted to SOHO routers more broadly to build new bots and launch a range of attacks, such as password spraying and digital advertising fraud.
Some evidence from the current campaign revealed that the infected machines were used to click on various Facebook and Google ads and to interact with Microsoft Outlook.
A majority of these infections were located in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa.
Modus operandi
Upon infection, the threat actors enumerate the victim's router and send the collected information back to an embedded C2 server.
From there, the infected system is ordered to begin interacting with a separate set of servers, called second-stage servers.
Researchers claimed that around 15 such second-stage control servers, identified on the basis of X.509 certificate information, have been in operation since October 2021.
The AVrecon malware is deployed in the later stage of infection to gather host-based information and target ARM-based embedded devices.
The malware is written in C, enabling it to be easily ported across different architectures.
Conclusion
The severity of this threat stems from the fact that SOHO routers used across organizations and homes are not patched properly. Attackers are taking advantage of such security lapses to breach critical infrastructure or launch DDoS attacks. Therefore, organizations must take the requisite steps to fix the vulnerabilities in their networking equipment.