Unmasking AVrecon: The Stealthy Malware Infiltrating Global Routers – Lumen Report

Lumen Technologies, formerly known as CenturyLink, is a global technology company that provides a wide range of services, including communications, network services, security, cloud solutions, voice, and managed services. The company aims to deliver a secure platform for applications and data that helps businesses, governments, and communities deliver amazing experiences.

Leveraging its extensive global fiber network, Lumen’s technology platform connects and secures public and private networks, from the edge to the core cloud, along with collaboration environments. The company is committed to helping its customers capitalize on emerging technologies, such as edge computing, artificial intelligence, machine learning, and more, to drive digital innovation. As of September 2021, Lumen Technologies is headquartered in Monroe, Louisiana.

In a recent blog post, Lumen’s Black Lotus Labs reveals a multi-year campaign involving compromised routers worldwide. The operation, which has been running undetected for over two years, involves the infection of small-office/home-office (SOHO) routers with a Linux-based Remote Access Trojan (RAT) named “AVrecon”.

The purpose of this campaign appears to be the creation of a covert network to facilitate various criminal activities, from password spraying to digital advertising fraud. The malware is so stealthy that the owners of the infected machines rarely notice any disruption of service or loss of bandwidth.

Black Lotus Labs’ analysis shows that the malware has infiltrated over 70,000 machines, maintaining a persistent hold on more than 40,000 IPs in over 20 countries. The malware’s success is attributed to its focus on networking equipment that lacks standard endpoint detection and response solutions, and the operators’ temperate approach, which has allowed them to operate undetected for an extended period.

The blog post provides a detailed analysis of the malware’s functionality, the scope of the botnet’s spread, and the activities stemming from it. It also offers advice for corporate network defenders and consumers with SOHO routers on how to protect themselves from such threats.

To learn more about this operation and the steps taken by Black Lotus Labs to counter it, read the full article here.