70K Home Routers Form Botnet, Steal Owners’ Bandwidth

More than 70,000 Linux-based home routers have been infected with stealthy malware called AVrecon, which is used to steal bandwidth and build a hidden residential proxy service. This was reported by Lumen's Black Lotus Labs.

This proxy service allows attackers to conceal various harmful actions, ranging from digital advertising fraud to password theft.

According to the researchers, AVrecon, a remote access trojan (RAT), was first detected in May 2021, when it targeted Netgear routers. Since then, it has gone unnoticed for over two years, gradually infecting new devices and becoming one of the largest botnets targeting home routers.

“We believe that the attackers targeted home devices that are less likely to be purposefully updated by users,” stated Black Lotus Labs.

“Instead of immediately exploiting this botnet for quick gains, the operators took a more restrained approach and were able to operate unnoticed for more than two years. Due to the oblivious nature of the owners of infected machines, they rarely notice any service disruptions or loss of bandwidth.”

Once a router is infected, the malware sends information about the compromised device to an embedded C2 server. The infected device then receives instructions to establish a connection with a separate group of servers, known as second-level C2 servers.

Security researchers have identified 15 such second-level C2 servers, some of which have been operational since October 2021.

The Black Lotus Labs team also took action against AVrecon, rerouting the botnet's C2 server across their backbone network. By doing so, they severed the connection between the infected devices and the botnet's central control server, significantly hampering its ability to carry out malicious activities.

“Due to the use of encryption, we are unable to comment on the success of password theft attempts. However, we have blocked the C2 servers and prevented traffic through proxy servers, rendering the botnet inert across the Lumen network,” said Black Lotus Labs.

This threat is particularly concerning as home routers are typically outside the traditional security perimeter, making it challenging for researchers to detect malicious activities.

Previously, the Chinese cyber espionage group Volt Typhoon employed a similar tactic, building a hidden proxy network from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel routers to conceal its malicious activity within legitimate network traffic.
