Security News > 2023 > July > AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service

More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office routers as part of a multi-year campaign active since at least May 2021.

AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware capable of executing additional commands and stealing victim's bandwidth for what appears to be an illegal proxy service made available for other actors.

"The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying, and ad fraud," the researchers said in the report.

SocksEscort is also said to share overlaps with a Moldovan company named Server Management LLC that offers a mobile VPN solution on the Apple Store called HideIPVPN. Black Lotus Labs told The Hacker News that the new infrastructure it identified in connection with the malware exhibited the same characteristics as the old AVrecon C2s. "We assess that the threat actors were reacting to our publication and null-routing of their infrastructure, and attempting to maintain control over the botnet," the company said.

AVRecon also poses a heightened threat for its ability to spawn a shell on a compromised machine, potentially enabling threat actors to obfuscate their own malicious traffic or retrieve further malware for post-exploitation.

"While these bots are primarily being added to the SocksEscort proxy service, there was embedded functionality within the file to spawn a remote shell," the researchers said.

News URL

https://thehackernews.com/2023/07/avrecon-botnet-leveraging-compromised.html