Evolving Quad7 Botnet Exploits SOHO Routers and VPN Devices, Researchers Warn

SOHO Routers and VPN Devices, Researchers Warn | CyberPro Magazine

(Source-thehackernews.com)

The operators behind the Quad7 botnet are rapidly advancing their techniques, targeting various brands of SOHO routers and VPN appliances by exploiting both known and undiscovered security vulnerabilities. French cybersecurity company Sekoia recently reported that devices from well-known manufacturers like TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR have been compromised by this increasingly sophisticated botnet.

Expansion and Toolset Evolution

According to Sekoia researchers Felix Aimé, Pierre-Antoine D., and Charles M., the Quad7 botnet operators are not only expanding their target base but also evolving their tactics. The team observed the introduction of a new backdoor and the use of advanced protocols, likely aimed at enhancing stealth and evading detection from operational relay boxes (ORBs) that track botnet activity.

First identified by independent researcher Gi7w0rm in October 2023, the Quad7 botnet, also known as 7777, initially focused on infiltrating TP-Link SOHO routers and Dahua digital video recorders (DVRs). The botnet takes its name from its practice of opening TCP port 7777 on infected devices. Since its discovery, the botnet has expanded its scope, with reports noting that it is also targeting Microsoft 365 and Azure instances through brute-force methods.

In an analysis earlier this year, VulnCheck’s Jacob Baines highlighted the botnet’s ability to infect other systems like Zyxel NAS and GitLab, though these attacks are observed in low volumes. Baines also pointed out that the botnet does more than just open port 7777; it also initiates a SOCKS5 server on port 11228, further enhancing its operational complexity.

Global Spread and Tactical Developments

Sekoia’s research, supported by insights from Team Cymru, revealed that the Quad7 botnet has successfully compromised TP-Link SOHO routers across Bulgaria, Russia, the U.S., and Ukraine. More recently, it has expanded to target SOHO routers, which have specific TCP ports (63256 and 63260) opened. The botnet now consists of multiple clusters, each targeting different device types. These clusters include:

  • xlogin (7777 botnet): Targets TP-Link routers with TCP ports 7777 and 11288 opened.
  • alogin (63256 botnet): Targets ASUS routers with TCP ports 63256 and 63260 opened.
  • rlogin: Focuses on Ruckus Wireless devices with TCP port 63210 opened.
  • axlogin: Capable of attacking Axentra NAS devices, although no real-world instances have been detected.
  • zylogin: Targets Zyxel VPN appliances with TCP port 3256 opened.

The majority of the infections have been recorded in Bulgaria (1,093 cases), the U.S. (733 cases), and Ukraine (697 cases), according to Sekoia’s data.

Further evidence of the botnet’s tactical evolution includes the deployment of a new backdoor dubbed UPDTAE. This backdoor establishes an HTTP-based reverse shell, allowing the attackers to remotely control infected devices through a command-and-control (C2) server. This development signals the increasing sophistication of the botnet’s operations.

Unclear Motives but Strong Suspicions

While the exact motive behind the Quad7 botnet remains unclear, Sekoia suspects that a state-sponsored Chinese group is responsible for the activity. According to Aimé, only brute-force attempts against Microsoft 365 accounts have been directly observed in connection with the 7777 botnet. However, the other botnets within the network remain a mystery in terms of their purpose and use.

The researchers believe that the botnet’s operators are taking steps to increase stealth by deploying new malware on compromised devices, reducing the chances of their botnets being tracked. Though there are no definitive conclusions yet, collaboration with other researchers has led Sekoia to strongly suspect that the Quad7 operators are more likely state-sponsored actors than common cybercriminals.

The ongoing evolution of the Quad7 botnet signals a worrying trend in cybersecurity, as threat actors continue to refine their methods and expand their reach. Cybersecurity professionals are closely monitoring the situation as the botnet evolves further, posing new challenges to the security of SOHO routers and VPN appliances globally.

LinkedIn
Twitter
Facebook
Reddit
Pinterest