Botnet of 70,000 home routers steals network bandwidth from its owners
AVrecon malware has gone unnoticed for more than two years. Is it possible to protect your device from it?
More than 70,000 Linux-based home routers have been infected with the stealthy AVrecon malware, which is used to steal bandwidth and build a hidden residential proxy service. The proxy network lets attackers conceal a wide range of malicious activity, from digital ad fraud to password guessing. The spread of the threat was reported by Black Lotus Labs, the cyber security team of Lumen.
According to the researchers, the AVrecon malware, a remote access trojan (RAT), was first discovered in May 2021, when it attacked Netgear routers. Since then, the Trojan has remained undetected for more than two years, gradually taking over new devices and becoming one of the largest botnets targeting home routers.
“We believe the attackers have focused on those home devices that users are less likely to purposefully update,” Black Lotus Labs said.
“Instead of using this botnet for quick gains, operators maintained a more low-profile approach and were able to operate undetected for more than two years. Due to the stealthy nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth,” the researchers added.
Once a router is infected, the malware sends information about the compromised device to the attackers' command and control (C2) server. The infected device is then instructed to communicate with a separate group of servers known as second-tier C2 servers.
Security researchers have identified 15 such second-tier C2 servers, some of which have been operational since at least October 2021.
The Black Lotus team also managed to disrupt AVrecon by null-routing the botnet's C2 server traffic on Lumen's backbone network. This effectively severed communications between the botnet's network of connected devices and its central command and control server, significantly weakening the botnet's ability to carry out malicious activities.
“Using encryption does not allow us to comment on the results of successful password guessing attempts, however, we blocked C2 nodes and interfered with traffic through proxy servers, which made the botnet inert throughout the Lumen backbone,” said Black Lotus Labs.
The severity of this threat lies in the fact that home routers usually sit outside the traditional security perimeter, which greatly reduces the ability of researchers to detect malicious activity on them.
The Chinese cyber-espionage group Volt Typhoon previously used a similar tactic to create a hidden proxy network of hacked network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel to hide their malicious activity within legitimate network traffic.
A hidden proxy network has been used by Chinese hackers to attack critical infrastructure organizations across the US since at least mid-2021.
“Security professionals should be aware that such malicious activity may come from what appears to be a resident IP address in a country other than the actual origin, and traffic from compromised IP addresses will bypass firewall rules such as geo-fenced blocking and blocking based on ASN,” warned the director of threat intelligence at Black Lotus Labs.
For ordinary home users, the simplest recommendation is to update your router's firmware regularly. If doing so manually is inconvenient, you can purchase a more modern model with an auto-update function, so that you no longer have to worry about the security and bandwidth of your network.