elf.avrecon

AVrecon


AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfigurations of the targeted devices. Once deployed, AVrecon will collect some information about the infected device, open a session to a pre-configured C&C server, and spawn a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.

References
2023-07-27, X (@BlackLotusLabs), Black Lotus Labs
Tweet on update on AVrecon bot's migration to new infrastructure
https://twitter.com/BlackLotusLabs/status/1684290046235484160 (accessed 2023-07-31)

2023-07-26, SPUR, Riley Kilmer
Christmas in July: A finely wrapped Malware Proxy Service
https://spur.us/2023/07/christmas-in-july-a-finely-wrapped-proxy-service/ (accessed 2023-07-31)

2023-07-25, KrebsOnSecurity, Brian Krebs
Who and What is Behind the Malware Proxy Service SocksEscort?
https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort/ (accessed 2023-07-31)

2023-07-12, Lumen, Black Lotus Labs
Routers From The Underground: Exposing AVrecon
https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/ (accessed 2023-07-21)

There is no Yara-Signature yet.