AVrecon Botnet was hidden in the shed for 2 years targeting SOHO Routers.

Small Office/ Home Office (SOHO) Routers were attacked by AVrecon (malware). 70k+ devices from 20 nations were impacted.

Lumen Black Lotus Labs disclosed a hacking campaign targeting the SOHO routers with malware (AVrecon).

May, 2021

The malware was discovered in May, 2021. However, it was hidden for 2 years+.

AVrecon Botnet was hidden in the shed for 2 years targeting SOHO Routers


The Lumen Black Lotus Labs also found out about another multi-year campaign, including victimized routers globally. It was a planned event that could impact SOHO routers by installing malware “Linux-based Remote Access Trojan” (RAT)/ AVrecon.

Adversaries operating this event were preparing to create a botnet for various crimes, including.

  1. Password Spraying and
  2. Digital Advertising Fraud.

For portability, the AVrecon was coded in C and was programmed to target ARM-embedded devices.  Professionals found out that the malicious code had been put together for various reasons.

Process of Infecting

  • For infecting the router, malware enumerates the victim’s SOHO router & transfers that data back to a C2 server whose address is embedded in the code.
  • After that, the infected system starts communicating with a separate set of servers, the so-called second-stage C2 servers.

According to the Black Lotus, AVrecon is one of the most brutal botnet-targeting routers in history. They recognized 41k nodes communicating with 2nd-stage C2s within a 28-day window.

According to the data related to x.509 certificates, we check that some 2nd stage C2s have been active since Oct 2021. We took a snapshot for 28 days straight of 2nd stage servers and observed that 70k distinct IPs were communicating with them.

After investigation, we found hom many devices were impacted, which means they connected with one of the 2nd stage servers for 2-3 days within 28 days windows, and 41k nodes were recognized.

Once we run the AVrecon RAT, malware will test if there are any traces of malware already available on the system. It collects host-based data and creates the parameters of the C2 channel.

Moreover, it checks the traces of already operating malware on the device by searching for existing processes on port 48102 & opening a listener on that port.

Several routers were infected in this campaign from the following nations.

  • The U.K.
  • The U.S.
  • Argentina,
  • Nigeria,
  • Brazil,
  • Italy,
  • Bangladesh,
  • Vietnam,
  • India,
  • Russia, and
  • South Africa.

Adversaries used the impacted devices to click on various FB and Google Ads to interact with Microsoft Outlook. The first event was part of an Ad fraud effort, and the 2nd event was connected to password spraying attacks/ data manipulation.

The attacking method aimed at stealing bandwidth without impacting the end users by creating a residential proxy service to support and mitigate cybercrime and offer access to Tor hidden facilities/ VPN services.

This kind of cyberattack can easily hide their traces and evade detection. Moreover, a crypto-miner user can also face a bit of issues to detect it. It is weaker in front of the Internet-wide brute-forcing and DDoS botnet abuse.

About Us

Suraj Koli is a content specialist with expertise in Cybersecurity and B2B Domains. He has provided his skills for News4Hackers Blog and Craw Security. Moreover, he has written content for various sectors Business, Law, Food & Beverage, Entertainment, and many others. Koli established his center of the field in a very amazing scenario. Simply said, he started his career selling products, where he enhanced his skills in understanding the product and the point of view of clients from the customer’s perspective, which simplified his journey in the long run. It makes him an interesting personality among other writers. Currently, he is a regular writer at Craw Security.


About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?