Researchers have discovered a previously unknown Linux-based Trojan called AVrecon that turns Internet routers into a botnet to carry out password-spraying attacks and ad fraud. It has now been revealed that AVrecon is also responsible for running a 12-year-old service called SocksEscort, which rents hacked devices to cybercriminals seeking to hide their online location. AVrecon creates a residential proxy service that allows cybercriminals to mask their malicious activity. This type of proxy service is commonly abused by cybercriminals because it makes it difficult to trace the source of malicious traffic. AVrecon aims to steal bandwidth in order to maintain its proxy service and avoid detection. SocksEscort requires customers to install a Windows-based application in order to access its pool of hacked devices. Researchers have been unable to determine how SOHO devices are being infected with AVrecon, but possible methods include exploiting weak or default router credentials and outdated firmware with known vulnerabilities.
https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort/