AVRecon botnet

Compromised router, the targets of AVRecon Botnet


Details have surfaced about the AVRecon botnet, which has been operating since at least May 2021 and uses compromised small office/home office (SOHO) routers. 

“…malware functionality and embedded capabilities, examining how the remote access trojan interacts with the various C2 servers. Finally, we explore the scope of the botnet’s spread and the activity stemming from it.”

Source: Lumen

Lumen Black Lotus Labs disclosed this botnet, revealing that it can execute various commands and exploit victims’ bandwidth to offer an illegal proxy service to other malicious actors.

Surpassing QakBot in scale, AVRecon has infected over 41,000 nodes in 20 countries worldwide.

Modus Operandi

According to researchers, the malware has been used to build residential proxy services, enabling cybercriminals to conceal malicious activities such as password spraying, web-traffic proxying, and ad fraud behind the IP addresses of infected routers.

KrebsOnSecurity and Spur.us have provided new findings, establishing a connection between AVRecon and a 12-year-old SocksEscort service. The latter rents compromised residential and small business devices to cybercriminals seeking to mask their true online locations.

Source: Lumen

The link was established through direct correlations between SocksEscort and AVRecon’s command-and-control (C2) servers. Additionally, SocksEscort shares similarities with a Moldovan company named Server Management LLC, which offers a mobile VPN solution called HideIPVPN on the Apple App Store.

Threat actors’ conduct

The actors behind AVRecon have responded to the disclosure and to efforts to null-route their infrastructure by trying to retain control over the botnet. This indicates their intent to keep monetizing it by continuing to enroll infected devices in the SocksEscort “proxy as a service.”

“Routers and similar edge appliances have become attractive targets for cyberattacks due to their infrequent security patching, lack of support for endpoint detection and response (EDR) solutions, and high bandwidth handling capabilities.”

The AVRecon botnet also poses a significant threat because it can spawn a shell on compromised devices, potentially allowing threat actors to hide their malicious traffic behind the victim’s connection or to install additional malware for post-exploitation purposes.

Retrospective approach

Researchers recommend that managed security providers investigate devices in their networks for signs of compromise, while home router owners should power-cycle their devices as a precautionary measure.

Cyber security is a challenge; either you accept it or be a victim!

Author: PureVPN

Date: August 1, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secured.
