Official forum for Utopia Community


#1 2023-07-31 21:27:23


The AVRecon Botnet is using compromised routers to power illegal proxy

More information has become available about the AVRecon botnet, which has been seen using compromised SOHO routers as part of a multi-year campaign that has been going on since at least May 2021.

The malware known as AVRecon was first made public by Lumen Black Lotus Labs earlier this month. It is capable of running additional commands and stealing victims' bandwidth for what appears to be an illicit proxy service used by other actors. Additionally, it has outperformed QakBot in terms of scope, having compromised over 41,000 nodes spread across 20 different nations.

The malware has been used to build residential proxy services to hide illegal activity like password spraying, web traffic proxies, and ad fraud, according to the researchers' report.

This has been confirmed by recent research from KrebsOnSecurity and Spur.us, which last week revealed that "AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to conceal their true location online."

Direct similarities between SocksEscort and the command-and-control (C2) servers of AVRecon serve as the foundation for the connection. According to reports, SocksEscort and Server Management LLC, a Moldovan firm, both offer mobile VPN services under the brand name HideIPVPN on the Apple Store.

The new infrastructure Black Lotus Labs discovered in connection with the malware exhibited the same traits as the previous AVrecon C2s, the company told The Hacker News.

[Image: the newly relocated SocksEscort nodes, observed during the second week of July (Source: Lumen Black Lotus Labs)]

The threat actors, according to the company's assessment, were attempting to maintain control over the botnet by null-routing their infrastructure in response to the publication. "This suggests the actors want to continue monetizing the botnet by maintaining some access and signing up users for the SocksEscort 'proxy as a service.'"

Due to the fact that routers and other edge appliances are frequently vulnerable to security flaws, they may not support endpoint detection and response (EDR) solutions, and they are built to handle higher bandwidths, they have recently become lucrative attack vectors.

Additionally, AVRecon poses a greater risk because of its capacity to launch a shell on a compromised system, giving threat actors the opportunity to obfuscate their own malicious traffic or collect additional malware for further post-exploitation.

The ability to spawn a remote shell was embedded in the file, the researchers said, even though the SocksEscort proxy service is where the majority of these bots are added.

"This could give the threat actor the ability to deploy additional modules, so we suggest that managed security providers try to look into these devices in their networks, while home users should power-cycle their devices."

