The operators of the mysterious Quad7 botnet continue to aggressively evolve, using a combination of known and unknown security flaws to compromise multiple brands of SOHO routers and VPN appliances.
According to a new report from French cybersecurity firm Sekoia, targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link and NETGEAR.
“The operators of the Quad7 botnet appear to be evolving their toolset, deploying new backdoors, and exploring new protocols with the aim of increasing stealth and evading the tracking capabilities of their Operational Relay Boxes (ORBs),” researchers Felix Aimé, Pierre-Antoine D. and Charles M. said.
Quad7 (aka 7777) was first disclosed publicly in October 2023 by independent researcher Gi7w0rm, who highlighted a pattern of activity clusters trapping TP-Link routers and Dahua digital video recorders (DVRs) into a botnet.
The botnet, so named because it opens TCP port 7777 on compromised devices, has been observed conducting brute force attacks against Microsoft 365 and Azure instances.
“This botnet also appears to have infected other systems, including MVPower, Zyxel NAS, and GitLab, but in very small volumes,” VulnCheck’s Jacob Baines noted in early January. “Not only does this botnet start a service on port 7777, it also starts a SOCKS5 server on port 11288.”
Subsequent analysis by Sekoia and Team Cymru over the past few months has revealed that the botnet has not only compromised TP-Link routers in Bulgaria, Russia, the US and Ukraine, but has also expanded to target ASUS routers that have TCP ports 63256 and 63260 open.
The latest findings reveal that the botnet now spans five clusters, three of them (rlogin, axlogin and zylogin) newly identified, each named after the login prompt and port signature seen on the compromised devices:
- xlogin (aka 7777 Botnet) – A botnet made up of compromised TP-Link routers with both TCP ports 7777 and 11288 open.
- alogin (aka 63256 Botnet) – A botnet consisting of compromised ASUS routers with both TCP ports 63256 and 63260 open.
- rlogin – A botnet consisting of compromised Ruckus Wireless devices with TCP port 63210 open.
- axlogin – A botnet capable of targeting Axentra NAS devices, with no infections observed in the wild at the time of writing.
- zylogin – A botnet consisting of compromised Zyxel VPN appliances with TCP port 3256 open.
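The port signatures above are the only network-level indicators the report gives for these clusters, so the natural first triage step is to run an existing port scan of your edge devices against them. The following script is an added example, not code from Sekoia or The Hacker News: it parses nmap grepable (`-oG`) output and flags hosts on which every port of a cluster's signature is open (both 7777 and 11288 for xlogin, both 63256 and 63260 for alogin). The scan lines and the 192.0.2.0/24 addresses are constructed for the example; axlogin is left out because the page gives no port for it.

```python
"""Triage port-scan results against the Quad7 cluster port signatures.

Added example (not from Sekoia or The Hacker News). The port-to-cluster
mapping is taken from the article's cluster list; the scan lines below are
constructed in nmap -oG format and the hosts are hypothetical.
"""
import re

# Port signatures per cluster, as listed in the article. A host matches a
# cluster only when ALL ports of that signature are open.
CLUSTER_SIGNATURES = {
    "xlogin": {7777, 11288},    # TP-Link routers
    "alogin": {63256, 63260},   # ASUS routers
    "rlogin": {63210},          # Ruckus Wireless devices
    "zylogin": {3256},          # Zyxel VPN appliances
}

# Constructed sample in nmap "grepable" (-oG) format (documentation IPs).
SAMPLE_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 7777/open/tcp//cbt///, 11288/open/tcp/////
Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http///, 63256/open/tcp/////, 63260/open/tcp/////
Host: 192.0.2.12 ()\tPorts: 443/open/tcp//https///, 7777/filtered/tcp//cbt///
Host: 192.0.2.13 ()\tPorts: 63210/open/tcp/////
Host: 192.0.2.14 ()\tPorts: 22/open/tcp//ssh///, 3256/open/tcp/////, 7777/open/tcp/////
"""

HOST_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp")


def parse_grepable(text):
    """Return {ip: set of open TCP ports} from nmap -oG output.

    Only ports in state 'open' count; 'filtered' or 'closed' entries are
    dropped so they cannot produce a false match.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip nmap's '# Nmap ...' header/footer lines
        ip, ports_field = m.groups()
        hosts[ip] = {
            int(port) for port, state in PORT_RE.findall(ports_field) if state == "open"
        }
    return hosts


def match_clusters(open_ports):
    """Names of clusters whose complete port signature is open on the host."""
    return sorted(name for name, sig in CLUSTER_SIGNATURES.items() if sig <= open_ports)


def triage(text):
    """Return {ip: [cluster names]} for every host matching at least one signature."""
    hits = {}
    for ip, ports in parse_grepable(text).items():
        matched = match_clusters(ports)
        if matched:
            hits[ip] = matched
    return hits


if __name__ == "__main__":
    for ip, clusters in triage(SAMPLE_SCAN).items():
        print(f"{ip}: possible Quad7 cluster(s) {', '.join(clusters)}")
```

Feed it real output from `nmap -p 3256,7777,11288,63210,63256,63260 -oG scan.txt <ranges>` and treat a hit as a lead, not a verdict: an open port on one of these numbers is only the indicator Sekoia reports, so confirm on the device (process list, listening sockets, firmware integrity) before concluding it is compromised. Note that 192.0.2.14 in the sample matches zylogin but not xlogin, because port 7777 alone does not satisfy the two-port xlogin signature.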
Sekoia told The Hacker News that the countries with the highest number of infections are Bulgaria (1,093 cases), the United States (733 cases) and Ukraine (697 cases).
In a further sign of evolving tactics, the threat actors are now utilizing a new backdoor, called UPDTAE, which establishes an HTTP-based reverse shell to remotely control infected devices and execute commands sent from a command and control (C2) server.
At this time, it is unclear what the exact purpose of the botnet is or who is behind it, but the company said the activity is likely the work of Chinese government-backed threat actors.
“With regards to 7777 (botnet), we have only seen brute force attacks against Microsoft 365 accounts,” Aimé told the publication. “As for the other botnets, we don’t yet know how they are being used.”
“However, after consulting with other researchers and making new discoveries, we are fairly certain that this attacker is not simply a cybercriminal, but is likely sponsored by the Chinese government.”
“We are seeing threat actors attempting to become more stealthy by using new malware on compromised edge devices. The main objective behind this move is to prevent the tracing of associated botnets.”