Massive AVRecon Botnet Infiltrates 70,000 Devices, Tied to SocksEscort Service

Researchers from Lumen's Black Lotus Labs have uncovered an extensive botnet, AVRecon, which has infiltrated over 70,000 devices in 20 nations. The botnet has targeted small office/home office (SOHO) routers intending to facilitate password spraying attacks, digital advertising fraud and other criminal activities.

The AVRecon malware, written in the C programming language for versatility, targets ARM-embedded devices. The malicious code has been compiled for different architectures, reinforcing the adaptability of this malware.

AVRecon is one of the most significant botnets recently seen that specifically target SOHO routers, with more than 41,000 nodes communicating with second-stage Command and Control (C2) servers over a 28-day span.

"Based on information associated with their x.509 certificates, we assess that some of these second stage C2s have been active since at least October 2021," the researchers noted in their report. The malware initially infects a router that meets its specifications, then starts harvesting data and sending the information back to a C2 server. The address of this server is embedded directly into the malware code. Once this is complete, the malware begins communicating with second-stage C2 servers, 15 of which have been identified so far.

AVRecon undertakes three categories of actions upon compromise of a system: checking for other instances of the malware, collecting host-based information, and establishing parameters for the C2 channel. Interestingly, if AVRecon fails to complete a sequence of steps, it removes itself entirely from the host machine.

AVRecon harvests information such as the device's kernel info, memory usage, CPU usage, bin path where it's running, and hostname. The malware then spawns a remote shell using pre-built functions to execute commands, download subsequent binaries and configure a proxy.

The malware has been observed interacting with various Facebook and Google ads, as well as Microsoft Outlook. The former indicates an advertising fraud attack, while the latter likely pertains to password spraying attacks or data exfiltration attempts.

"The manner of attack seems to focus predominantly on stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services," the researchers concluded.

In a startling revelation, a parallel investigation by Brian Krebs of KrebsOnSecurity and Spur.us has linked the AVRecon botnet to SocksEscort, a 12-year-old service. SocksEscort's operators offer to rent out access to various compromised small business and residential devices. SocksEscort customers install a Windows app to gain access to this pool of more than 10,000 compromised worldwide.

Spur researchers established that AVRecon was used to serve proxies to the SocksEscort service after creating a fingerprint to identify the call-back infrastructure for SocksEscort proxies. The second-stage C2s used by AVRecon were found to point to the same IP addresses labeled for SocksEscort.

Moreover, KrebsOnSecurity linked the malicious proxy network to a Moldovan company, Server Management LLC, which is currently listed as the owner of a free VPN app called HideIPVPN on the Apple Store.