AVRecon Botnet Exploits Compromised Routers for Illegal Proxy Services
The AVRecon botnet has drawn attention because it is built from compromised small office/home office (SOHO) routers in a long-running campaign that dates back to May 2021.
Recent findings show that AVRecon feeds an illegal proxy service, letting its customers hide activities such as password spraying, web-traffic proxying, and ad fraud behind the victims' residential IP addresses.
This item sheds light on the scale and potential impact of the botnet, which is reported to have surpassed QakBot in size, with more than 41,000 infected nodes across 20 countries.
Key Takeaways on AVRecon Botnet Exploits Compromised Routers:
- AVRecon botnet exploits compromised routers for illegal proxy services.
- The botnet’s malicious activities include password spraying, web-traffic proxying, and ad fraud.
- Managed security providers and home users are urged to investigate and secure their devices against potential threats.
The AVRecon Botnet’s Exploits
The AVRecon botnet has come into the spotlight because it leverages compromised SOHO routers in an extensive campaign that began in May 2021.
First identified as malware that can run additional commands on the router and consume the victim's bandwidth, AVRecon is now known to supply an illegal proxy service used by other malicious actors. Its reach spans more than 41,000 nodes across 20 countries.
Malicious Proxy Services and Connections
Researchers have linked AVRecon to residential proxy services, which mask harmful activities such as password spraying, web-traffic proxying, and ad fraud by routing them through victims' home connections.
Further investigation revealed a connection between AVRecon's command-and-control (C2) servers and a long-standing service named SocksEscort.
SocksEscort is a 12-year-old service that rents access to hacked residential and small-business devices to cybercriminals who want to obscure their true online location.
Maintaining Control and Monetization
After Black Lotus Labs disclosed AVRecon, the botnet's operators responded by standing up new infrastructure.
That move indicates they intend to keep control of the botnet and to continue enrolling compromised devices in the SocksEscort proxy service, preserving both their access and their revenue from it.
A Threat Amplified: Router Vulnerabilities
Routers and other edge appliances have become increasingly popular targets because they are soft ones.
Such devices are often left unpatched against known security flaws, cannot run endpoint detection and response (EDR) agents, and are built to move large volumes of traffic, which makes them well suited to relaying someone else's connections unnoticed.
AVRecon is especially dangerous because it can spawn a shell on the compromised device, giving the threat actors a foothold from which to obfuscate their malicious traffic or deploy additional post-exploitation modules.
Mitigating the Threat
Given AVRecon's potential for further damage, managed security providers are advised to investigate and secure the routers and other edge devices within their networks. Home users are urged to power-cycle their routers as a precaution: a reboot clears an infection that lives only in memory, but it does not fix whatever weakness let the malware in, so the device should also be updated to current firmware and, if it no longer receives updates, replaced.
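One check a managed security provider can run when "investigating" devices is to look for a router that is originating connections of its own to many unrelated internet hosts, which is what a device relaying proxy traffic looks like. The following is an added illustrative example, not code from the article or from Black Lotus Labs; the flow-record format, the sample flows, the monitored addresses, the allowlist and the threshold are all constructed assumptions, and it presumes flows are collected where the router's own address (not NAT'd client traffic) is visible as the source.

```python
"""Flag monitored devices that fan out to many distinct destinations.

Added example; not from the original article or from Black Lotus Labs.
Flow-record format, addresses, allowlist and threshold are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow line: '<epoch> <src_ip> <dst_ip>:<dport> <bytes>'."""
    ts, src, dst_port, nbytes = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(int(ts), src, dst, int(dport), int(nbytes))


def relay_candidates(lines, monitored, allowlist=frozenset(), min_distinct_dst=50):
    """Return {src: distinct_destination_count} for monitored hosts whose own
    outbound flows reach at least min_distinct_dst distinct destinations.

    A SOHO router normally talks to a handful of hosts on its own behalf
    (NTP, DNS, vendor update servers); one that opens sessions to dozens of
    unrelated hosts is behaving like a proxy relay and deserves a look.
    """
    dsts = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f.src in monitored and f.dst not in allowlist:
            dsts[f.src].add(f.dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= min_distinct_dst}


# --- constructed sample data (hypothetical addresses from TEST-NET ranges) ---
ROUTER = "192.0.2.1"        # management address of a monitored SOHO router
LAPTOP = "198.51.100.20"    # an ordinary client, for contrast
ALLOWLIST = frozenset({"192.0.2.53"})  # e.g. the NTP server the router legitimately uses

SAMPLE_FLOWS = []
# Router-originated HTTPS sessions to 120 distinct hosts: relay-like behaviour.
for i in range(120):
    SAMPLE_FLOWS.append(f"{1690000000 + i * 7} {ROUTER} 203.0.113.{i}:443 {1400 + i}")
# A client reaching four distinct hosts: normal.
for i in range(4):
    SAMPLE_FLOWS.append(f"{1690000100 + i} {LAPTOP} 203.0.113.{i}:443 2000")
# Router NTP to an allowlisted server: ignored by the check.
SAMPLE_FLOWS.append(f"1690000500 {ROUTER} 192.0.2.53:123 76")


if __name__ == "__main__":
    hits = relay_candidates(SAMPLE_FLOWS, {ROUTER, LAPTOP}, ALLOWLIST)
    for src, count in hits.items():
        print(f"{src}: originated flows to {count} distinct destinations")
```

The threshold is deliberately a parameter: tune it against a baseline of what the specific router model talks to on its own, and treat a hit as a prompt to inspect the device (and reboot and update it), not as proof of infection.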
Conclusion
The discovery that the AVRecon botnet underpins an illegal proxy service raises the stakes of this threat well beyond stolen bandwidth.
Prompt action by security providers and users alike, investigating, rebooting and updating exposed routers, is crucial to limiting the risk from compromised devices and the malicious activity they are rented out for.
About Lumen Black Lotus Labs:
Lumen Black Lotus Labs is the threat research and intelligence team of Lumen Technologies, focused on analyzing and disrupting emerging cyber threats. Its research was responsible for identifying AVRecon and plays a key role in tracking complex botnets of this kind.