Keypoints
- AVrecon is a C-written, ARM-focused Remote Access Trojan that targets SOHO routers and was compiled for multiple embedded architectures.
- On infection the agent checks for other running instances, kills any process bound to local port 48102, then binds that port and writes its PID to /tmp/jid.pid so that a second copy cannot start; it can also delete itself from disk.
- The malware collects host details (uname, CPU, memory, bin path, hostname) and can spawn a remote shell, download additional binaries, and configure proxies.
- C2 configuration is read from legitimate router files (nvram, xmldbc) by extracting variables (memasik, domik, urlik, portik) or falls back to /tmp/dnssmasq.pid or embedded defaults.
- Initial C2 beaconing uses encrypted GET requests (example: GET /lumi/track.php?… Host: utcp[.]cc) and responses instruct redirects to second-stage C2s and ports (e.g., ports 8000, 5178).
- The agent enters a persistent ping/pong loop with second-stage C2s and follows multi-stage redirects to additional servers for tasking and payload retrieval.
- Telemetry shows ~15 second-stage nodes, >70,000 distinct IPs contacting them, and ~41,100 devices communicating for two or more days (persistent bots).
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to compromise networking devices and stand up actor-controlled infrastructure (‘exploitation of networking devices such as SOHO routers can enable adversaries to stand up actor-controlled infrastructure’).
- [T1104] Multi-Stage Channels – AVrecon employs tiered command-and-control with first-stage and multiple second-stage servers (‘15 unique second stage C2s’).
- [T1016] System Network Configuration Discovery – The malware enumerates router configuration and device details during initial reconnaissance (‘enumerates the victim’s SOHO router, then sends that information back to the embedded C2 domain’).
- [T1082] System Information Discovery – AVrecon gathers kernel, CPU, memory, bin path, and hostname information from infected devices (‘gathers host-based information … including the device uname (kernel information), CPU, memory usage, bin path … and hostname’).
- [T1105] Ingress Tool Transfer – The RAT downloads and executes additional payloads and modules from C2 servers (‘spawn a remote shell to execute commands, download subsequent binaries, and configure a proxy’).
- [T1070] Indicator Removal – The binary kills competing instances and any process bound to its port, and can delete its own file from disk, leaving fewer traces for defenders (‘kills any existing processes that don’t match the current process ID … then moves on to kill any process bound to port 48102’).
- [T1110] Brute Force – The infrastructure was used to perform credential-focused activity such as password spraying against services (‘we suspect the first activity to be part of an advertising fraud effort, and the second activity is likely password spraying and/or data exfiltration’).
- [T1018] Remote System Discovery – This mapping is inferred from the botnet’s use of other compromised devices as routing points; the quoted passage describes evasion rather than an observed discovery step, so treat it as weaker than the mappings above (‘this global network of compromised SOHO routers gives cyber criminals the ability to bypass some standard network-based detection tools’).
Indicators of Compromise
- [Domain] C2 and redirect domains – utcp[.]cc, zerophone[.]cc
- [IP Addresses] Second-stage and higher-tier C2s – 148.72.155[.]112, 148.72.155[.]189, 139.59.231[.]113, and 51.15.19[.]245
- [Ports] Communication and local listener ports – 48102 (local agent listener), 8000 and 5178 (second-stage C2 communication)
- [Files/Variables] Router config and temp files used to store the encrypted C2 config – nvram/xmldbc variables (memasik, domik, urlik, portik), /tmp/dnssmasq.pid (note the doubled ‘s’: the legitimate daemon is dnsmasq, so the lookalike file name is itself an indicator), and the jid.pid PID file
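As an added example (not code from the original report), the following shell filter matches the indicators listed above against proxy and firewall log lines. The function and rule names are my own, and the squid-style and iptables-style sample lines embedded in it are constructed for illustration; real log layouts vary, so the patterns key on the domain, IP, beacon path and second-stage port tokens rather than on column positions.

```shell
#!/bin/sh
# Added example: match the AVrecon IOCs from this page against log lines.
# Sample lines below are constructed (squid-style proxy log and iptables-style
# firewall log), not taken from the report.

# avrecon_match: read log lines on stdin; for each hit print "<rule>\t<line>".
# Rules, in priority order: beacon URI path, C2/redirect domain, C2 IP
# (tagged separately when the destination port is a second-stage port).
# Exit status 0 if at least one line matched, 1 otherwise.
avrecon_match() {
  awk '
    BEGIN {
      path  = "/lumi/track\\.php"
      doms  = "(^|[^a-z0-9.-])(utcp|zerophone)\\.cc([^a-z0-9.-]|$)"
      ips   = "(^|[^0-9.])(148\\.72\\.155\\.(112|189)|139\\.59\\.231\\.113|51\\.15\\.19\\.245)([^0-9.]|$)"
      ports = "(dpt=|:)(8000|5178)([^0-9]|$)"
      n = 0
    }
    { line = tolower($0) }
    line ~ path { print "beacon-uri\t" $0; n++; next }
    line ~ doms { print "c2-domain\t" $0; n++; next }
    line ~ ips {
      tag = (line ~ ports) ? "c2-ip-stage2-port" : "c2-ip"
      print tag "\t" $0; n++; next
    }
    END { if (n > 0) exit 0; exit 1 }
  '
}

# avrecon_count: number of matching lines (0 when nothing matched).
avrecon_count() {
  avrecon_match | awk 'END { print NR }'
}

# Constructed sample log lines for a stand-alone run: one beacon to the
# first-stage domain, one firewall hit to a second-stage IP on port 8000,
# and two benign lines.
SAMPLE_LOGS='1689012345.001 192.168.1.1 TCP_MISS/200 GET http://utcp.cc/lumi/track.php?q=1 - DIRECT/148.72.155.112 text/html
Jul 11 10:01:02 fw kernel: OUT=eth0 SRC=192.168.1.1 DST=148.72.155.189 PROTO=TCP SPT=51234 DPT=8000
Jul 11 10:01:05 fw kernel: OUT=eth0 SRC=192.168.1.1 DST=93.184.216.34 PROTO=TCP SPT=51240 DPT=443
1689012400.002 192.168.1.1 TCP_MISS/200 GET http://example.com/ - DIRECT/93.184.216.34 text/html'

printf '%s\n' "$SAMPLE_LOGS" | avrecon_match
```

Pipe exported proxy or firewall logs into avrecon_match; the first field says which indicator fired, which matters for triage, since a beacon URI or C2 domain is stronger evidence than a bare IP match (hosting addresses are reassigned over time).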
AVrecon technical procedure (concise rewrite):
AVrecon is a portable C-based RAT compiled for ARM (and other embedded architectures) that targets SOHO routers. On execution it kills any other running instance (processes that do not match its own PID) and any process bound to local port 48102, then binds that port and writes its PID to /tmp/jid.pid so that a second copy cannot start; it can also delete itself from disk. The agent enumerates local device state (kernel via uname, CPU, memory, binary path, and hostname) and exposes command handlers that can spawn a remote shell, download additional binaries, and configure proxying for tunneled traffic.
For C2, AVrecon reads its encrypted configuration from legitimate router storage (nvram or xmldbc variables named memasik, domik, urlik, portik) or from /tmp/dnssmasq.pid, falling back to embedded defaults. It sends encrypted HTTP GET beacons (example: GET /lumi/track.php?… Host: utcp[.]cc) to a first-stage C2, whose responses can redirect it to second-stage servers on specified ports (8000 and 5178 were observed). On a second-stage server the agent enters a keep-alive loop (‘ping’/‘pong’) and awaits tasking; tasks include ingress tool transfer (downloading modules), proxy configuration, and interactive shell commands used for activities such as ad-clicking and password spraying. Telemetry identified ~15 second-stage nodes, more than 70,000 distinct IPs contacting them, and ~41,100 devices that communicated persistently (two or more days), a resilient, multi-stage proxying architecture.
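For the host side of this procedure, here is an added example (not the report's or the malware's code) of triage checks a responder could run on a busybox-based router, or against command output captured from one, for the artifacts named above. It assumes that `nvram show` (or an xmldbc dump flattened to the same form) prints `key=value` lines and that `netstat -tlnp` uses the usual column layout; the function names are my own and the sample outputs embedded in it are constructed, not captured from an infected device.

```shell
#!/bin/sh
# Added example: host triage for the AVrecon artifacts named on this page.
# The check functions read captured command output on stdin so they can be
# run off-box; triage_live wires them to the real commands on the router.
# Sample outputs below are constructed, not taken from an infected device.

AVRECON_PORT=48102
AVRECON_NVRAM_VARS='memasik domik urlik portik'
AVRECON_PID_FILES='/tmp/jid.pid /tmp/dnssmasq.pid'

# check_nvram_vars: stdin is "key=value" output (nvram show, or an xmldbc dump
# flattened to that form); prints each AVrecon config variable that is set to
# a non-empty value.
check_nvram_vars() {
  awk -F= -v vars="$AVRECON_NVRAM_VARS" '
    BEGIN { n = split(vars, v, " "); for (i = 1; i <= n; i++) want[v[i]] = 1 }
    ($1 in want) && $2 != "" { print $1 }
  '
}

# check_listener: stdin is "netstat -tlnp" output; prints any LISTEN socket on
# the port AVrecon binds to enforce a single instance.
check_listener() {
  awk -v port="$AVRECON_PORT" '$6 == "LISTEN" && $4 ~ (":" port "$") { print }'
}

# check_pid_files: prints each AVrecon PID-file path that exists. The optional
# argument is a root prefix so a copied or mounted filesystem can be examined
# instead of the live root.
check_pid_files() {
  root="${1:-}"
  for f in $AVRECON_PID_FILES; do
    if [ -e "$root$f" ]; then echo "$f"; fi
  done
}

# triage_live: run all checks on the current device (assumes busybox netstat
# and an nvram CLI; substitute an xmldbc dump on firmware that uses it).
triage_live() {
  echo "== AVrecon nvram variables =="; nvram show 2>/dev/null | check_nvram_vars
  echo "== listener on port $AVRECON_PORT =="; netstat -tlnp 2>/dev/null | check_listener
  echo "== PID files =="; check_pid_files
}

# Constructed samples for a stand-alone run: two of the four config variables
# populated (domik present but empty), and a listener on 48102.
SAMPLE_NVRAM='wan_proto=dhcp
lan_ipaddr=192.168.1.1
memasik=x7Qp2Lk9
domik=
urlik=R3tZ1mNv'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/httpd
tcp        0      0 0.0.0.0:48102           0.0.0.0:*               LISTEN      1337/agent'

printf '%s\n' "$SAMPLE_NVRAM" | check_nvram_vars   # prints memasik and urlik
printf '%s\n' "$SAMPLE_NETSTAT" | check_listener  # prints the 48102 line
```

An empty result from all three checks is not a clean bill of health: the agent can self-delete and the config variables may have been cleared, so pair the host checks with the network indicators (beacon URI, C2 domains and IPs, second-stage ports) from the IOC list above.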