More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021.
AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware capable of executing additional commands and stealing victim's bandwidth for what appears to be an illegal proxy service made available for other actors. It has also surpassed QakBot in terms of scale, having infiltrated over 41,000 nodes located across 20 countries worldwide.
"The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying, and ad fraud," the researchers said in the report.
This has been corroborated by new findings from KrebsOnSecurity and Spur.us, which last week revealed that "AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online."
The basis for the connection stems from direct correlations between SocksEscort and AVRecon's command-and-control (C2) servers. SocksEscort is also said to share overlaps with a Moldovan company named Server Management LLC that offers a mobile VPN solution on the Apple Store called HideIPVPN.
Black Lotus Labs told The Hacker News that the new infrastructure it identified in connection with the malware exhibited the same characteristics as the old AVrecon C2s.
|The new SocksEscort nodes, which shifted during the second week of July (Source: Lumen Black Lotus Labs)|
"We assess that the threat actors were reacting to our publication and null-routing their infrastructure, and attempting to maintain control over the botnet," the company said. "This suggests the actors wish to further monetize the botnet by maintaining some access and continue enrolling users in the SocksEscort 'proxy as a service.'"
Routers and other edge appliances have become lucrative attack vectors in recent years owing to the fact that such devices are infrequently patched against security issues, may not support endpoint detection and response (EDR) solutions, and are designed to handle higher bandwidths.
AVRecon also poses a heightened threat for its ability to spawn a shell on a compromised machine, potentially enabling threat actors to obfuscate their own malicious traffic or retrieve further malware for post-exploitation.
"While these bots are primarily being added to the SocksEscort proxy service, there was embedded functionality within the file to spawn a remote shell," the researchers said.
"This could allow the threat actor the ability to deploy additional modules, so we suggest that managed security providers attempt to investigate these devices in their networks, while home users should power-cycle their devices."