AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service (Security News, July 2023)
More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office routers as part of a multi-year campaign active since at least May 2021.
AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware capable of executing additional commands and stealing victims' bandwidth for what appears to be an illegal proxy service offered to other threat actors.
"The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying, and ad fraud," the researchers said in the report.
SocksEscort, the proxy service the compromised routers are enrolled in, is also said to share overlaps with a Moldovan company named Server Management LLC that offers a mobile VPN app on the Apple App Store called HideIPVPN. Black Lotus Labs told The Hacker News that the new infrastructure it identified in connection with the malware exhibited the same characteristics as the old AVRecon C2s. "We assess that the threat actors were reacting to our publication and null-routing of their infrastructure, and attempting to maintain control over the botnet," the company said.
AVRecon also poses a heightened threat for its ability to spawn a shell on a compromised machine, potentially enabling threat actors to obfuscate their own malicious traffic or retrieve further malware for post-exploitation.
"While these bots are primarily being added to the SocksEscort proxy service, there was embedded functionality within the file to spawn a remote shell," the researchers said.
News URL
https://thehackernews.com/2023/07/avrecon-botnet-leveraging-compromised.html