Experts Link AVRecon Bot to the Malware Proxy Service SocksEscort

Cyber Security Threat Summary:
In early July, researchers from Lumen Black Lotus Labs discovered the AVRecon botnet, which targeted small office/home office (SOHO) routers and infected over 70,000 devices across 20 countries. The threat actors behind the campaign aimed to build a botnet for various criminal activities, including password spraying and digital advertising fraud. The AVrecon malware was written in C for portability and designed to target ARM-embedded devices, with different versions compiled for various architectures. Once a router was infected, the malware collected information about the victim's SOHO router and sent it back to a command-and-control (C2) server. Then, the infected system interacted with second-stage C2 servers.

The researchers found that AVrecon was one of the largest botnets targeting SOHO routers in recent history, with 41,000 nodes communicating with second-stage C2s within a 28-day window. Some of these C2s had been active since at least October 2021. Most of the infected routers were in the U.K. and the U.S., followed by several other countries. Further investigation by Brian Krebs and Spur.us revealed that AVRecon was the underlying malware engine powering the long-standing service known as SocksEscort. SocksEscort operated as a SOCKS proxy service, permitting Internet users to reroute their web traffic through compromised residential and small business devices without the owners' knowledge. This covert approach masked the true source of the traffic, making it appear as if it originated directly from the infected devices rather than from the proxy service itself.

Customers of SocksEscort had to install a Windows-based application to access a pool of over 10,000 hacked devices worldwide. The researchers from Spur were able to identify the call-back infrastructure for SocksEscort proxies and found that the same second-stage C2s identified by Lumen Black Lotus Labs were used to serve proxies to the SocksEscort service.

Security Officer Comments:
The detection of threats like the AVRecon botnet raises significant concerns for organizations with remote or work-from-home employees. Many employees lack the knowledge and awareness needed to secure their home networks effectively, leaving them susceptible to such attacks. This exposure becomes even more serious when threat actors specifically target home networks in order to reach corporate resources over VPN or similar remote connectivity methods.

If a threat actor gains access to a compromised home network, they can potentially reach valuable data. This could include sensitive credentials such as passwords, usernames, and authentication methods that employees use to connect from their home offices to work-related services and infrastructure. According to Black Lotus Labs' research, the threat actors behind the AVRecon botnet not only engaged in advertising fraud by clicking on Facebook and Google ads through the infected machines but also conducted password spraying attacks and data exfiltration. Specifically, they targeted interactions with Microsoft Outlook to carry out these malicious activities.

Suggested Correction(s):
In light of these findings, organizations must prioritize educating their remote employees about the importance of securing their home networks and being vigilant about potential signs of compromise. Implementing robust security measures, such as multi-factor authentication and regular network monitoring, can significantly reduce the risk of such threats infiltrating corporate resources through vulnerable remote connections. By taking proactive steps to enhance remote security awareness and measures, organizations can better protect their sensitive data and ensure a safer working environment for their employees.
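The comments above describe password spraying routed through proxied SOHO routers, which spreads guesses across many residential source addresses and so defeats the usual per-IP lockout threshold. The following is an added example (not from the article, Lumen, or Spur) that runs over constructed auth-log lines and flags a burst of failures spread across many accounts and many sources; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not from the article): one failed guess per account, each from a different source.
SAMPLE_LOG = """\
2023-07-10T08:00:01Z FAIL user=alice src=203.0.113.10 app=outlook
2023-07-10T08:00:04Z FAIL user=bob src=198.51.100.22 app=outlook
2023-07-10T08:00:07Z FAIL user=carol src=192.0.2.77 app=outlook
2023-07-10T08:00:11Z FAIL user=dave src=203.0.113.91 app=outlook
2023-07-10T08:00:15Z FAIL user=erin src=198.51.100.8 app=outlook
2023-07-10T09:30:00Z FAIL user=alice src=203.0.113.10 app=outlook
2023-07-10T09:30:09Z OK user=alice src=203.0.113.10 app=outlook
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse(log):
    # Yield (timestamp, result, user, src) for each well-formed line; the format is assumed.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["result"], m["user"], m["src"])

def max_failures_per_ip(log):
    """Classic per-source lockout metric; a proxy-distributed spray keeps it tiny."""
    counts = defaultdict(int)
    for _, result, _, src in parse(log):
        if result == "FAIL":
            counts[src] += 1
    return max(counts.values(), default=0)

def detect_spray(log, window=timedelta(minutes=10), min_users=5, max_src_share=0.5):
    """Flag bursts where many distinct accounts fail and no single source covers more
    than max_src_share of them. Returns [(burst_start, distinct_users, distinct_sources)]."""
    events = sorted(e for e in parse(log) if e[1] == "FAIL")
    alerts, i = [], 0
    while i < len(events):
        t0 = events[i][0]
        burst = [e for e in events[i:] if e[0] - t0 <= window]
        users = {e[2] for e in burst}
        per_src = defaultdict(set)
        for _, _, user, src in burst:
            per_src[src].add(user)
        top_share = max(len(u) for u in per_src.values()) / len(users)
        hit = len(users) >= min_users and top_share <= max_src_share
        if hit:
            alerts.append((t0, len(users), len(per_src)))
        i += len(burst) if hit else 1  # one alert per burst, then move past it
    return alerts
```

On the sample, the per-IP metric never exceeds 2 while the account-spread rule fires once for the 08:00 burst.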

Link(s):
https://securityaffairs.com/149007/hacking/avrecon-bot-socksescort.html