Researchers have recently documented a two-year-old Linux-based remote access trojan (RAT) called AVrecon that has been conscripting Internet routers into a botnet used for fraud, including bilking online advertisers and launching password-spraying attacks. New findings now show that AVrecon is also the malware engine behind SocksEscort, a 12-year-old service that rents out hacked residential and small-business devices to cybercriminals who want to hide their true location online.
According to a report released by Lumen’s Black Lotus Labs on July 12, AVrecon is “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history.” It has operated largely under the radar since its first sample surfaced in mid-2021. The malware has been used mainly to build residential proxy services that conceal malicious activity such as password spraying, web-traffic proxying, and ad fraud.
Malware-based anonymity networks pose a significant threat to online retailers, internet service providers (ISPs), social networks, email providers, and financial institutions. These networks are often marketed to cybercriminals who want to anonymize their traffic by routing it through infected devices such as PCs, routers, or mobile devices. While proxy services can be legitimately used for business purposes like price comparisons or sales intelligence, they are frequently abused to conceal cybercriminal activities, making it challenging to trace malicious traffic back to its source.
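Because every attempt exits from a different residential address, the per-IP lockout or rate-limit rule that most authentication systems rely on sees nothing unusual. The following added example (not code from Lumen, Spur or any product; the log format, thresholds and log lines are constructed for illustration, using TEST-NET addresses) runs a classic per-IP rule and a tenant-wide rule over the same constructed authentication log and shows that only the tenant-wide rule catches the spray, while the per-IP rule still catches the single-source brute force mixed into the same window.

```python
"""Detect password spraying that arrives through a pool of residential proxies.
Added example for this article, not code from Lumen, Spur or any vendor. The
log format, thresholds and log lines are constructed for illustration; the
addresses are from the TEST-NET ranges."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)")


def parse(lines):
    """Constructed auth-log lines -> (ts, ip, user, ok) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:                                   # anything that is not an auth event is ignored
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["res"] == "OK"))
    return sorted(events)


def per_ip_bruteforce(events, window=timedelta(minutes=10), threshold=5):
    """Classic rule: one source failing `threshold` times within `window`.
    A proxy pool defeats it because no single IP gets anywhere near the threshold."""
    fails = defaultdict(list)
    for ts, ip, _user, ok in events:
        if not ok:
            fails[ip].append(ts)
    return {ip for ip, times in fails.items()
            if any(sum(timedelta(0) <= t - start < window for t in times) >= threshold
                   for start in times)}


def distributed_spray(events, window=timedelta(minutes=10), min_accounts=10,
                      min_sources=10, per_source_max=2):
    """Tenant-wide rule: many distinct accounts failing from many distinct sources,
    each source staying under the per-IP threshold. Sources above per_source_max
    are set aside (they belong to the classic rule) so that a noisy brute-forcer in
    the same window cannot mask the spray. Returns one (window start, accounts,
    sources) tuple per flagged window."""
    fails = [(ts, ip, user) for ts, ip, user, ok in events if not ok]
    hits = []
    for i, (start, _ip, _user) in enumerate(fails):
        if hits and start - hits[-1][0] < window:
            continue                            # already covered by the previous hit
        span = [f for f in fails[i:] if f[0] - start < window]
        quiet = {ip for ip, n in Counter(ip for _, ip, _ in span).items() if n <= per_source_max}
        accounts = {user for _, ip, user in span if ip in quiet}
        if len(accounts) >= min_accounts and len(quiet) >= min_sources:
            hits.append((start, len(accounts), len(quiet)))
    return hits


def constructed_log():
    """Constructed sample: benign noise, an 8-try brute force from one IP against
    one account, and a spray that tries 24 accounts once each from 24 different IPs."""
    lines = ["2023-07-12T09:00:00Z ip=192.0.2.10 user=bob result=FAIL",
             "2023-07-12T09:00:20Z ip=192.0.2.10 user=bob result=OK",
             "2023-07-12T09:30:00Z ip=192.0.2.44 user=carol result=OK",
             "garbage line that should be ignored"]
    lines += [f"2023-07-12T10:02:{s:02d}Z ip=198.51.100.7 user=admin result=FAIL"
              for s in range(0, 40, 5)]
    lines += [f"2023-07-12T10:{i // 4:02d}:{i % 4 * 15:02d}Z ip=203.0.113.{i + 1} "
              f"user=user{i:02d} result=FAIL" for i in range(24)]
    return lines


if __name__ == "__main__":
    evts = parse(constructed_log())
    print("per-IP rule flags:", per_ip_bruteforce(evts))
    print("distributed spray windows:", distributed_spray(evts))
```

The thresholds are placeholders: in a large tenant, ten accounts failing from ten addresses in ten minutes is ordinary background noise, so the numbers have to be set from a measured baseline, and a production rule would also weigh the failure-to-success ratio and the spread of user agents. The design point that carries over is the one the article implies: when the attacker pays for clean residential exit addresses, detection has to move from "how many times did this IP fail" to "how many accounts are being probed across the tenant".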
One of the proxy services named in the report, SocksEscort, is a SOCKS proxy service: customers tunnel their traffic through a relay, so that to the destination the connection appears to originate from a rented or malware-infected device behind a residential ISP connection rather than from the customer’s own address. SocksEscort advertises a pool of more than 10,000 hacked devices worldwide; customers must install a Windows-based application to use it.
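To make concrete what “tunnelling through a proxy” means on the wire, here is a minimal SOCKS5 CONNECT relay and client run entirely over loopback. This is an added example, not code from the article, Lumen, Spur or SocksEscort; the listener addresses are assumptions (OS-chosen loopback ports), and only the no-authentication method and IPv4 addresses are implemented. What it demonstrates is that the destination records the relay’s own socket, which the relay reports back to the client as the BND address in the SOCKS reply, and never the customer’s address.

```python
"""Minimal SOCKS5 CONNECT relay and client, run over loopback to show what the
destination sees. Added example for this article, not code from Lumen, Spur or
SocksEscort; hosts and ports are assumptions chosen by the OS at run time."""
import socket, struct, threading
from contextlib import suppress

VER, CONNECT, IPV4, NO_AUTH = 5, 1, 1, 0   # SOCKS5 wire constants (RFC 1928); IPv4 only here

def _recv_exact(sock, n):
    """SOCKS fields are fixed-width, so a short read is a protocol error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def _pipe(src, dst):
    """Copy src -> dst until EOF, then pass the half-close on to dst."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)
    src.close()

def _reply(conn, rep, bnd=("0.0.0.0", 0)):
    conn.sendall(bytes([VER, rep, 0, IPV4]) + socket.inet_aton(bnd[0]) + struct.pack("!H", bnd[1]))
    if rep:                                            # any non-zero REP ends the session
        conn.close()

def handle_socks5(conn):
    """Relay side: method negotiation, CONNECT request, then pump bytes both ways."""
    try:
        ver, nmethods = _recv_exact(conn, 2)
        if ver != VER or NO_AUTH not in _recv_exact(conn, nmethods):
            conn.sendall(bytes([VER, 0xFF]))           # no acceptable auth method
            return conn.close()
        conn.sendall(bytes([VER, NO_AUTH]))
        _ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
        if atyp != IPV4:
            return _reply(conn, 0x08)                  # address type not supported
        host = socket.inet_ntoa(_recv_exact(conn, 4))
        port = struct.unpack("!H", _recv_exact(conn, 2))[0]
        if cmd != CONNECT:
            return _reply(conn, 0x07)                  # command not supported
        upstream = socket.create_connection((host, port), timeout=5)
    except ConnectionRefusedError:
        return _reply(conn, 0x05)                      # connection refused
    except OSError:
        return conn.close()
    # BND.ADDR/BND.PORT is the relay's own socket toward the destination; that
    # address, not the client's, is what the destination logs.
    _reply(conn, 0x00, upstream.getsockname()[:2])
    threading.Thread(target=_pipe, args=(conn, upstream), daemon=True).start()
    _pipe(upstream, conn)

def serve(handler):
    """Listen on an OS-chosen loopback port and hand each connection to a thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def report_peer(conn):
    """Stand-in destination service: answers with the source address it observed."""
    conn.sendall("seen from {}:{}".format(*conn.getpeername()[:2]).encode())
    conn.close()

def socks5_connect(proxy, dest_ip, dest_port):
    """Client side of the handshake; returns the tunnelled socket and the BND address."""
    s = socket.create_connection(proxy, timeout=5)
    s.sendall(bytes([VER, 1, NO_AUTH]))                # offer exactly one method
    if tuple(_recv_exact(s, 2)) != (VER, NO_AUTH):
        s.close()
        raise ConnectionError("relay rejected our authentication method")
    s.sendall(bytes([VER, CONNECT, 0, IPV4]) + socket.inet_aton(dest_ip) + struct.pack("!H", dest_port))
    _ver, rep, _rsv, _atyp = _recv_exact(s, 4)         # this relay always answers with IPv4
    bnd = (socket.inet_ntoa(_recv_exact(s, 4)), struct.unpack("!H", _recv_exact(s, 2))[0])
    if rep:
        s.close()
        raise ConnectionError(f"CONNECT failed, REP=0x{rep:02x}")
    return s, bnd

def demo():
    """Run destination, relay and client on loopback; return what each side saw."""
    dest, proxy = serve(report_peer), serve(handle_socks5)
    s, reported = socks5_connect(proxy, *dest)
    reply = s.makefile("rb").read().decode()
    s.close()
    ip, port = reply.rsplit(" ", 1)[1].split(":")
    return {"reply": reply, "proxy_reported": reported, "destination_saw": (ip, int(port))}

if __name__ == "__main__":
    print(demo())
```

Running it prints a “seen from” line whose address and port match `proxy_reported`, not the client’s own socket. A service like SocksEscort differs only in scale and in who owns the relay: the BND address belongs to an infected home router, so the destination sees an ordinary residential ISP customer. That is also why IP reputation alone is a weak control against this traffic, and why such services are sold on exactly that property.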
Spur.us, a startup that tracks proxy services, confirmed that the Internet addresses flagged by Lumen as the AVrecon botnet’s command and control servers linked back to SocksEscort. Spur tracks SocksEscort as a malware-based proxy offering, indicating that the devices used to proxy traffic for SocksEscort have been infected with malicious software, turning them into traffic relays without the knowledge of their owners.
Lumen’s researchers concluded that AVrecon’s purpose is to steal bandwidth from infected devices and turn it into a residential proxy service that launders malicious activity while attracting less scrutiny than traffic arriving through Tor or commercial VPN services would. Because the exit points are ordinary home and small-office connections, the researchers noted, AVrecon’s activity is more likely to go unnoticed than other forms of cybercrime.
In July 2022, the world’s largest known malware proxy network, 911S5, was hacked and shut down. Its customers went looking for alternatives, and SocksEscort closed registration for several months afterward so that a flood of new users would not overwhelm the service, preserving bandwidth for existing customers and for the infected devices carrying their traffic.
Despite the extensive research into AVrecon and SocksEscort, researchers have not determined how the SOHO devices are being infected. Plausible vectors include weak or default administrative credentials on routers and known, exploitable vulnerabilities in outdated firmware. Either way the practical defense is the same: replace default credentials, keep firmware current, and disable remote administration on the WAN interface.
The investigation into SocksEscort’s history and possible operators revealed that the service has been in operation since 2009. Early posts about the service on Russian cybercrime forums suggest that it is connected to a Moldovan company that also offers VPN software. The service initially operated under the name “super-socks.com” and sold access to thousands of compromised PCs for proxying traffic. The registration records for SocksEscort and other related domains indicate a possible connection to an individual or group using the pseudonyms “SSC” and “super-socks.”
That AVrecon is the engine behind SocksEscort shows how much infrastructure cybercriminals build to carry out their activities while evading detection. The findings from Lumen’s Black Lotus Labs offer useful insight into these tactics and into the ongoing effort to disrupt them.