FBI Warns of AVrecon Malware Targeting Network Devices Across 163 Countries

AVrecon is a modular router-targeting malware that scans for exposed services and exploits RCE, command injection, and SOAP flaws to convert home and SOHO routers into proxy nodes. Law enforcement linked AVrecon to the SocksEscort residential proxy service, which sold access to roughly 369,000 compromised devices used for banking fraud, ad fraud, password attacks, and other scams. #AVrecon #SocksEscort

Keypoints

  • AVrecon spreads by scanning for exposed services and exploiting RCE, command injection, and SOAP vulnerabilities.
  • Its modular command-and-control (C2) framework lets operators push new exploit modules to infected devices; the targeted hardware spanned about 1,200 device models from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.
  • Infected routers were converted into SOCKS proxy nodes sold via SocksEscort, enabling banking fraud, ad fraud, password spraying, and marketplace scams.
  • Attackers achieved persistence on some devices by flashing malicious firmware that disables updates and makes factory reset ineffective.
  • Defenders should apply firmware updates or replace end-of-life (EOL) devices, disable remote administration on the WAN side, change default passwords, and monitor for the reported C2 domains and for filenames such as “x” and “dnssmasq” (a lookalike of the legitimate dnsmasq daemon).
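The last keypoint asks defenders to watch for the AVrecon filenames. As an added example (not code from the article or from any of the vendors named above), the script below takes BusyBox-style `ps` output of the kind most SOHO routers produce, flags the two filenames the page reports, and generalises the “dnssmasq” case into an edit-distance-1 lookalike check against a short list of common router daemons (that list and the edit-distance heuristic are my additions, not something the article states). It also builds a SOCKS5 greeting and parses the reply, so a home network can be swept for a router that has silently become a proxy node. The `ps` sample and the hostapd lookalike are constructed for the example.

```python
import os
import socket
from typing import Iterable

# Filenames the FBI/Lumen reporting attributes to AVrecon (from the article).
KNOWN_AVRECON_NAMES = {"x", "dnssmasq"}

# Daemons commonly present on consumer routers. This list is an assumption of
# this example, used only as the reference set for the lookalike heuristic.
LEGIT_DAEMONS = ("dnsmasq", "dropbear", "hostapd", "httpd", "uhttpd", "busybox", "init")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_process_list(ps_output: str) -> list[tuple[int, str, str]]:
    """Return (pid, basename, reason) for each process whose binary name is a
    known AVrecon filename or a one-edit lookalike of a legitimate daemon.
    Expects BusyBox `ps` layout: PID USER VSZ STAT COMMAND."""
    findings = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        pid, cmd = int(fields[0]), fields[4]
        name = os.path.basename(cmd.split()[0])
        if name in KNOWN_AVRECON_NAMES:
            findings.append((pid, name, "known AVrecon filename"))
        elif name not in LEGIT_DAEMONS:
            # Heuristic: a name one edit away from a real daemon is typosquatting.
            # A legitimately renamed binary would be a false positive here.
            for legit in LEGIT_DAEMONS:
                if edit_distance(name, legit) == 1:
                    findings.append((pid, name, f"lookalike of {legit}"))
                    break
    return findings


def socks5_greeting() -> bytes:
    """Client hello: version 5, one auth method offered, method 0 (no auth)."""
    return b"\x05\x01\x00"


def parse_socks5_reply(data: bytes) -> bool:
    """True if the two-byte server reply is a SOCKS5 method selection. 0x00 means
    'no auth accepted', 0x02 'username/password', 0xff 'no acceptable method';
    all three prove a SOCKS5 listener, which a home router should never expose."""
    return len(data) >= 2 and data[0] == 0x05 and data[1] in (0x00, 0x02, 0xFF)


def probe_socks5(host: str, port: int = 1080, timeout: float = 2.0) -> bool:
    """Connect, send the greeting, and classify the reply. Network errors,
    timeouts and non-SOCKS banners all return False."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(socks5_greeting())
            return parse_socks5_reply(s.recv(2))
    except OSError:
        return False


# Constructed sample `ps` output from a hypothetical compromised router.
PS_SAMPLE = """\
  PID USER       VSZ STAT COMMAND
    1 root      1224 S    init
  312 root      1060 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
  845 root      2248 S    /tmp/dnssmasq
  851 root       964 S    /tmp/x
  902 admin     1404 S    httpd
  933 root      1888 S    /var/tmp/hostapdd
"""

if __name__ == "__main__":
    for pid, name, reason in scan_process_list(PS_SAMPLE):
        print(f"pid {pid}: {name} ({reason})")
    # Sweep the local LAN for an unexpected SOCKS5 listener on the router.
    for candidate in ("192.168.1.1",):
        print(candidate, "SOCKS5 listener" if probe_socks5(candidate) else "no SOCKS5")
```

The process-name check is cheap enough to run from a telnet or SSH session on the router itself, while the SOCKS5 probe should be run from a LAN host against the router's addresses; neither substitutes for a firmware update, since the article notes that some infections rewrite the firmware so that a factory reset does not remove them.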

Read More: https://thecyberexpress.com/fbi-warns-of-avrecon-malware/