AVRecon

AVrecon malware is distributed by scanning for, identifying, and targeting Internet-connected devices with exposed vulnerable services.

Operation Lightning dismantled SocksEscort in March, which ran on hijacked SOHO routers via the AVRecon botnet.

the Dutch National Police and the National Cyber Security Center announced they had taken down a large-scale botnet that had compromised roughly 17 million devices globally - computers, smartphones, and tablets - all funneled through approximately 200 servers physically hosted inside the Netherlands.

SocksEscort utilized malware, identified as AVrecon, to infect home and small business routers, including devices from brands like Cisco, D-Link, and Netgear.

SocksEscort threat actors have exploited known vulnerabilities in various routers and IOT devices to gain access to the devices and install AVrecon malware.

Once installed, AVrecon could establish a remote shell connection to attacker-controlled servers and download additional malicious payloads.

The malware primarily affected small office and home office routers by exploiting security vulnerabilities such as remote code execution and command injection flaws.

In some cases, threat actors utilize a device’s built-in update features to flash the device with a custom firmware image. This custom firmware contains a copy of AVrecon and is hardcoded to execute AVrecon on device startup.

The malware also modified device firmware to ensure it executed automatically whenever the device restarted, while disabling normal update mechanisms to keep the infection persistent.

The compromised devices were infected through a vulnerability in the residential modems of a specific brand.

The malware also modified device firmware to ensure it executed automatically whenever the device restarted, while disabling normal update mechanisms to keep the infection persistent.

In some cases, threat actors utilize a device’s built-in update features to flash the device with a custom firmware image. This custom firmware contains a copy of AVrecon and is hardcoded to execute AVrecon on device startup.

Threat actors behind the campaign aimed at building a botnet to use for a range of criminal activities, from password spraying to digital advertising fraud.

Infected routers have been observed communicating with SocksEscort C2 servers over port 8080 and 8000.

The service functioned by infecting internet routers with malware that redirected traffic through the compromised devices without the owners’ knowledge. By tunneling traffic through ordinary household connections, cybercriminals could blend malicious activity with legitimate internet usage, making detection more difficult.

The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.

AVrecon malware prompts the infected device to communicate with its designated C2 server over port 8000 every 60 seconds using a custom loop in which AVrecon and the C2 server exchange the words “PING” and “PONG” until the C2 has a command for AVrecon to execute.

Once installed, AVrecon could establish a remote shell connection to attacker-controlled servers and download additional malicious payloads.

This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed “AVrecon.”

This infrastructure was used to conceal the true IP addresses of criminals, enabling them to conduct fraudulent activities.

"SocksEscort was used to facilitate ransomware, distributed denial of service (DDoS) attacks"

The malware also modified device firmware to ensure it executed automatically whenever the device restarted, while disabling normal update mechanisms to keep the infection persistent.