Quad7 Botnet Expands to Target SOHO Routers and VPN Appliances

The operators of the mysterious Quad7 botnet are actively developing by compromising numerous manufacturers of SOHO routers and VPN gadgets by utilizing a mix of both known and undiscovered security weaknesses.

Targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR, according to a recent analysis by French cybersecurity firm Sekoia.

"The Quad7 botnet operators appear to be evolving their toolset, introducing a new backdoor and exploring new protocols, with the aim of enhancing stealth and evading the tracking capabilities of their operational relay boxes (ORBs)," researchers Felix objectiveé, Pierre-Antoine D., and Charles M. noted.

Quad7, also nicknamed 7777, was first publicly recorded by independent researcher Gi7w0rm in October 2023, exposing the activity cluster's behavior of ensnaring TP-Link routers and Dahua digital video recorders (DVRs) into a botnet.

The botnet, which derives its name from the fact it opens TCP port 7777 on infected computers, has been detected brute-forcing Microsoft 3665 and Azure instances.

"The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume," VulnCheck's Jacob Baines wrote earlier this January. "The botnet doesn't only establish a service on port 7777. It also starts up a SOCKS5 server on port 11228."

Subsequent analysis by Sekoia and Team Cymru over the last two months have discovered that not only the botnet has infected TP-Link routers in Bulgaria, Russia, the U.S., and Ukraine, but has recently also extended to target ASUS routers that have TCP ports 63256 and 63260 accessible.

The newest discoveries suggest that the botnet is composed of three more clusters -

xlogin (aka 7777 botnet) - A botnet built of hacked TP-Link routers which have both TCP ports 7777 and 11288 opened

alogin (aka 63256 botnet) - A botnet made of exploited ASUS routers which have both TCP ports 63256 and 63260 opened rlogin - A botnet composed of compromised Ruckus Wireless devices which have TCP port 63210 opened

axlogin - A botnet capable of attacking Axentra NAS equipment (not spotted in the field as yet)

zylogin - A botnet built of hacked Zyxel VPN equipment that have TCP port 3256 opened

Sekoia informed The Hacker News that the nations with the largest number of infections include Bulgaria (1,093), the U.S. (733), and Ukraine (697).

In a further indicator of tactical innovation, the threat actors now deploy a new backdoor named UPDTAE that builds an HTTP-based reverse shell to establish remote control on the infected devices and execute orders provided from a command-and-control (C2) server.

It's presently not obvious what the actual objective of the botnet is or who is behind it, but the business stated the behavior is likely the work of a Chinese state-sponsored threat actor.

"Regarding the 7777 [botnet], we only saw brute-force attempts against Microsoft 365 accounts," Aimé told the magazine. "For the other botnets, we still don't know how they are used."

"However, after exchanges with other researchers and new findings, we are almost certain that the operators are more likely CN state-sponsored rather than simple cybercriminals doing [business email compromise]."

"We are witnessing the threat actor striving to be more sneaky by employing new malwares on the hacked edge devices. The major purpose behind the change is to hinder monitoring of the associated botnets."