Quad7 Botnet Expands to Target Small Office Home Office Routers and VPN Appliances
The operators of the mysterious Quad7 botnet are actively expanding it by compromising several brands of SOHO routers and VPN appliances, using a mix of known and previously unknown security vulnerabilities.
Targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR, according to a new report from French cybersecurity firm Sekoia.
“The Quad7 botnet handlers seem to be improving their toolset, introducing a new entrance and exploring new protocols, with the aim of improving stealth and avoiding the tracking capabilities of their operational relay boxes (ORBs),” researchers Felix Aimé, Pierre-Antoine D., and Charles M. said.
Quad7, also known as 7777, was first publicly documented by independent researcher Gi7w0rm in October 2023, highlighting the activity cluster's practice of ensnaring TP-Link routers and Dahua digital video recorders (DVRs) into a botnet.
The botnet, which takes its name from the fact that it opens TCP port 7777 on compromised devices, has been observed conducting brute-force attacks against Microsoft 365 and Azure instances.
“The botnet also seems to infect other systems such as MVPower, Zyxel NAS, and GitLab, albeit at a very small scale,” VulnCheck's Jacob Baines noted in January. “The botnet doesn't just initiate a service on port 7777. It additionally sets up a SOCKS5 server on port 11288.”
Subsequent analyses by Sekoia and Team Cymru over the past few months have revealed that the botnet has not only compromised TP-Link routers in Bulgaria, Russia, the U.S., and Ukraine, but has also widened its scope to target ASUS routers with TCP ports 63256 and 63260 exposed.
The latest findings show that, alongside the previously known xlogin and alogin clusters, the botnet now comprises three additional clusters (rlogin, axlogin, and zylogin):
- xlogin (also known as the 7777 botnet) – A botnet made up of compromised TP-Link routers that have both TCP ports 7777 and 11288 open
- alogin (also known as the 63256 botnet) – A botnet made up of compromised ASUS routers that have both TCP ports 63256 and 63260 open
- rlogin – A botnet made up of compromised Ruckus Wireless devices that have TCP port 63210 open
- axlogin – A botnet capable of targeting Axentra NAS devices (not yet observed in the wild)
- zylogin – A botnet made up of compromised Zyxel VPN appliances that have TCP port 3256 open
Sekoia told The Hacker News that the countries with the highest number of infections are Bulgaria (1,093), the U.S. (733), and Ukraine (697).
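As an added example that is not part of the Sekoia report or this article, the following Python turns the open-port fingerprints listed above into a triage check. It parses nmap greppable (-oG) output and matches the listed port sets, requiring every port of a signature to be open on the same host (a lone 7777 or 63256 does not match), and it includes a SOCKS5 no-authentication greeting (RFC 1928) so a suspected xlogin host's 11288 listener can be confirmed to answer as a proxy rather than inferred from the port number alone. The scan lines and IP addresses are constructed for the example; axlogin is omitted because no port is reported for it; and the caveat that an open port pair is an indicator, not proof of compromise, is the editor's, not the article's.

```python
# Added example (not code from Sekoia, Team Cymru, VulnCheck or this article).
# Maps the Quad7 cluster port fingerprints onto scan output and provides a
# SOCKS5 handshake check for candidate 11288 listeners. All hosts, addresses
# and scan lines below are constructed sample data.
import socket
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Port sets as reported per cluster; every port must be open on the same host.
QUAD7_SIGNATURES: Dict[str, FrozenSet[int]] = {
    "xlogin (7777 botnet, TP-Link)": frozenset({7777, 11288}),
    "alogin (63256 botnet, ASUS)": frozenset({63256, 63260}),
    "rlogin (Ruckus Wireless)": frozenset({63210}),
    "zylogin (Zyxel VPN)": frozenset({3256}),
}
# axlogin (Axentra NAS) has no reported port and has not been seen in the
# wild, so it deliberately has no signature.

# Constructed nmap -oG style lines (tab-separated fields, as nmap emits them).
SAMPLE_SCAN = [
    "# Nmap 7.94 scan initiated (constructed sample)",
    "Host: 192.0.2.10 ()\tPorts: 7777/open/tcp//cbt///, 11288/open/tcp//unknown///"
    "\tIgnored State: closed (998)",
    "Host: 192.0.2.11 ()\tPorts: 63256/open/tcp//unknown///, 80/open/tcp//http///",
    "Host: 192.0.2.12 ()\tPorts: 63256/open/tcp//unknown///, 63260/open/tcp//unknown///",
    "Host: 192.0.2.13 ()\tPorts: 3256/open/tcp//unknown///, 443/open/tcp//https///",
]


def parse_nmap_grepable(lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Return {host: set(open TCP ports)} from nmap greppable (-oG) output."""
    hosts: Dict[str, Set[int]] = {}
    for line in lines:
        if not line.startswith("Host:"):
            continue  # comment / status lines
        fields = line.rstrip("\n").split("\t")
        host = fields[0].split()[1]
        ports: Set[int] = set()
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Each entry: port/state/protocol/owner/service/rpc/version/
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                    ports.add(int(parts[0]))
        hosts[host] = ports
    return hosts


def classify_quad7(open_ports: Iterable[int]) -> List[str]:
    """Names of clusters whose complete port set is present in open_ports.

    An open port pair is only an indicator (editor's caveat); confirm with a
    protocol probe or device inspection before treating it as compromise."""
    ports = set(open_ports)
    return [name for name, sig in QUAD7_SIGNATURES.items() if sig <= ports]


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Hosts from a scan that match at least one Quad7 signature."""
    return {h: m for h, p in parse_nmap_grepable(lines).items() if (m := classify_quad7(p))}


# RFC 1928 client greeting: version 5, one method offered, 0x00 = no auth.
SOCKS5_GREETING = b"\x05\x01\x00"


def socks5_accepts_no_auth(reply: bytes) -> bool:
    """True if a method-selection reply chose NO AUTHENTICATION REQUIRED."""
    return len(reply) >= 2 and reply[0] == 0x05 and reply[1] == 0x00


def probe_socks5(host: str, port: int = 11288, timeout: float = 3.0) -> Optional[bool]:
    """Send the greeting to host:port and report whether an open SOCKS5 proxy
    answered. Returns None when the connection fails or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SOCKS5_GREETING)
            return socks5_accepts_no_auth(s.recv(2))
    except OSError:
        return None


if __name__ == "__main__":
    for host, clusters in triage(SAMPLE_SCAN).items():
        print(host, "->", ", ".join(clusters))
```

Run the script as-is to see which constructed hosts match; in real use, feed it `nmap -oG - -p 3256,7777,11288,63210,63256,63260 <range>` and call `probe_socks5()` only against hosts you are authorised to test.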

In a further sign of evolution, the threat actors now use a new backdoor called UPDATE that establishes an HTTP-based reverse shell to gain remote control of infected devices and execute commands sent from a command-and-control (C2) server.
The exact purpose of the botnet and its operators is not yet clear, but the firm assessed that the activity is likely the work of a Chinese state-sponsored threat actor.
“Regarding the 7777 [botnet], we only witnessed brute-force attempts against Microsoft 365 accounts,” Aimé told the publication. “For the other botnets, we're still uncertain about their utilization.”
“Nonetheless, following discussions with other researchers and fresh discoveries, we are nearly convinced that the orchestrators are more plausibly CN state-sponsored rather than mere cybercriminals engaging in [business email compromise].”
“We're noticing the threat actor striving to be more discreet by employing new malware on the compromised edge devices. The primary motive behind that maneuver is to thwart tracking of the associated botnets.”