The operators of the Quad7 botnet keep it growing by compromising several brands of SOHO routers and VPN appliances, using a mix of known and as yet unidentified security flaws.
According to a new report from French cybersecurity company Sekoia, devices from TP-LINK, Zyxel, Asus, Axentra, D-Link and NETGEAR are the targets.
“Quad7 botnet operators appear to be evolving their toolkit by introducing new backdoors and exploring new protocols to improve stealth and evade the tracking capabilities of their Operational Relay Boxes (ORBs),” researchers Félix Aimé, Pierre-Antoine D., and Charles M. said.
Quad7, also called 7777, was first publicly documented by independent researcher Gi7w0rm in October 2023, in a write-up describing a cluster of activity that combined TP-Link routers and Dahua digital video recorders (DVRs) into a single botnet.
The botnet, which takes its name from the fact that it opens TCP port 7777 on compromised devices, was observed brute-forcing Microsoft 365 and Azure instances.
“The botnet also appears to be infecting other systems such as MVPower, Zyxel NAS, and GitLab, albeit at a very low volume,” VulnCheck’s Jacob Baines noted in January. “The botnet doesn’t just run a service on port 7777. It also runs a SOCKS5 server on port 11288.”
Follow-up analyses by Sekoia and Team Cymru over the past few months found that the botnet had not only compromised TP-Link routers in Bulgaria, Russia, the US and Ukraine, but had since spread to ASUS routers exposing TCP ports 63256 and 63260.
Sekoia's latest findings add three more clusters, bringing the tracked set to five, each identified by the TCP ports it leaves open on the compromised device:
- xlogin (aka the 7777 botnet) consists of compromised TP-Link routers with TCP ports 7777 and 11288 open
- alogin (aka the 63256 botnet) consists of compromised ASUS routers with TCP ports 63256 and 63260 open
- rlogin consists of compromised Ruckus Wireless devices with TCP port 63210 open
- axlogin targets Axentra NAS devices (not yet observed in the wild)
- zylogin consists of compromised Zyxel VPN appliances with TCP port 3256 open
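Because each cluster is fingerprinted by the ports it leaves listening, a defender can check their own edge devices for these indicators. The script below is an added example, not Sekoia's, Team Cymru's or VulnCheck's code: it encodes the port signatures listed above, probes a host for them, and reports full matches (all ports of a signature open) separately from partial ones (only some open, weaker evidence). The cluster labels, the 2-second connect timeout, the `probe` parameter used to swap in an offline stub, and the TEST-NET address 192.0.2.10 are all assumptions made for illustration. axlogin is omitted because the article gives no port signature for it.

```python
import socket
from typing import Callable, Dict, FrozenSet, Iterable, List

# Port signatures per cluster, taken from the article. Cluster labels are our own.
QUAD7_CLUSTERS: Dict[str, FrozenSet[int]] = {
    "xlogin (TP-Link, 7777 botnet)": frozenset({7777, 11288}),
    "alogin (ASUS, 63256 botnet)": frozenset({63256, 63260}),
    "rlogin (Ruckus Wireless)": frozenset({63210}),
    "zylogin (Zyxel VPN)": frozenset({3256}),
}

# Every port worth probing, deduplicated and ordered for stable output.
ALL_PORTS: List[int] = sorted(set().union(*QUAD7_CLUSTERS.values()))


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds within the timeout (assumed 2 s)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(open_ports: Iterable[int]) -> Dict[str, List[str]]:
    """Map a set of open ports to Quad7 clusters.

    'full'    - every port in the cluster's signature is open (strong indicator)
    'partial' - at least one but not all signature ports are open (weak indicator)
    """
    ports = set(open_ports)
    full = [name for name, sig in QUAD7_CLUSTERS.items() if sig <= ports]
    partial = [name for name, sig in QUAD7_CLUSTERS.items()
               if (sig & ports) and not sig <= ports]
    return {"full": full, "partial": partial}


def scan_host(host: str, probe: Callable[[str, int], bool] = tcp_open) -> dict:
    """Probe every Quad7 signature port on one host and classify the result.

    `probe` defaults to a live TCP connect; tests pass a stub so nothing touches the network.
    """
    open_ports = [p for p in ALL_PORTS if probe(host, p)]
    result = classify(open_ports)
    return {"host": host, "open_ports": open_ports,
            "full": result["full"], "partial": result["partial"]}


if __name__ == "__main__":
    # Constructed, offline demonstration: pretend the device answers on 7777 only.
    # Replace the stub with tcp_open (the default) to check a real router.
    stub = lambda host, port: port == 7777
    print(scan_host("192.0.2.10", probe=stub))
```

An open port is an indicator, not proof: these ports may be in legitimate use on some networks, and a device answering on only one of a two-port signature deserves a closer look rather than an automatic verdict. Probe from the WAN side where possible, since the botnet exposes these services to the internet, which is also how Sekoia's scan-based infection counts were produced.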
Sekoia told The Hacker News that the countries with the most infections are Bulgaria (1,093), the United States (733) and Ukraine (697).
Another sign of tactical evolution is that the threat actors are now deploying a new backdoor called UPDTAE, which establishes an HTTP-based reverse shell so that infected devices can be controlled remotely and execute commands received from the command-and-control (C2) server.
At this time it is unclear what the botnet's exact purpose is or who is behind it, but the company assesses the activity is likely the work of a Chinese state-sponsored threat actor.
“Regarding 7777 (the botnet), we’ve only seen brute force attempts against Microsoft 365 accounts,” Aimé told the publication. “As for other botnets, we still don’t know how they’re being used.”
“However, after discussions with other researchers and new discoveries, we are almost certain that the CN operators are more likely to be government-sponsored than simple cybercriminals (business email compromise).”
“We see the threat actor trying to be more stealthy by using new malware on compromised edge devices. The main purpose of this step is to prevent the tracking of affiliated botnets.”