The mysterious Quad7 botnet has evolved its tactics to compromise several brands of Wi-Fi routers and VPN appliances. It’s armed with new backdoors, multiple vulnerabilities, some of which were previously unknown, and new staging servers and clusters, according to a report by Sekoia, a cybersecurity firm.
Cybersecurity researchers discovered the botnet using new staging servers, which in turn led them to additional botnet clusters, targets, and malicious implants.
“The Quad7 botnet operators seem to be compromising several brands of SOHO routers and VPN appliances, including TP-LINK, Zyxel, Asus, Axentra, D-Link, and Netgear, using multiple vulnerabilities – some of which are previously unknown,” Sekoia’s TDR team warns.
The improved toolset includes new backdoors and new protocols that enhance stealth. The botnet’s activities could become nearly impossible to track in the near future.
On July 23rd, researchers reported on thousands of compromised TP-Link routers participating in the Quad7, also known as the 7777 botnet.
Since then, more botnet clusters have been unveiled and associated with the same group. At least five different clusters have been linked to the threat actor:
- xlogin botnet, composed of compromised TP-Link routers that have both TCP ports TELNET/7777 and 11288 open.
- rlogin botnet, targeting Ruckus Wireless devices with exposed TCP port TELNET/63210.
- alogin botnet, composed of compromised Asus routers that have both TCP ports 63256 and 63260 open.
- axlogin botnet, which appears to be deployed on Axentra NAS. It’s unclear which port may be targeted as the obtained malware sample was not observed in the wild.
- zlogin botnet, deployed on Zyxel VPN appliances, listening on the port TELNET/3256.
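As an added defender-side triage example (not Sekoia’s tooling), the script below checks port-scan results of your own devices against the per-cluster port combinations listed above; the scan lines and addresses are constructed, and axlogin is left out because the report names no port for it.

```python
"""Flag hosts whose open TCP ports match the Quad7 cluster signatures listed above.
Added example, not Sekoia's tooling; signatures from the list above, scan data constructed."""

# Each cluster is identified by the set of TCP ports that must ALL be open.
# (axlogin is omitted: the report does not name a port for it.)
CLUSTER_SIGNATURES: dict[str, frozenset[int]] = {
    "xlogin (TP-Link)": frozenset({7777, 11288}),
    "rlogin (Ruckus)": frozenset({63210}),
    "alogin (Asus)": frozenset({63256, 63260}),
    "zlogin (Zyxel)": frozenset({3256}),
}

def match_clusters(open_ports: set[int]) -> list[str]:
    """Return the cluster names whose full port signature is present."""
    return [name for name, ports in CLUSTER_SIGNATURES.items() if ports <= open_ports]

def parse_scan(lines: list[str]) -> dict[str, set[int]]:
    """Parse 'host port/tcp open' lines (constructed format) into host -> open ports."""
    hosts: dict[str, set[int]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "open" or not parts[1].endswith("/tcp"):
            continue  # ignore closed/filtered ports and malformed lines
        hosts.setdefault(parts[0], set()).add(int(parts[1].split("/")[0]))
    return hosts

def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each scanned host to the cluster signatures it matches (empty list if none)."""
    return {host: match_clusters(ports) for host, ports in parse_scan(lines).items()}

# Constructed sample scan output (RFC 5737 documentation addresses, not real IoCs).
SAMPLE_SCAN = [
    "192.0.2.10 7777/tcp open",
    "192.0.2.10 11288/tcp open",
    "192.0.2.11 7777/tcp open",   # only one of the two xlogin ports: no match
    "192.0.2.12 63256/tcp open",
    "192.0.2.12 63260/tcp open",
    "192.0.2.13 3256/tcp open",
    "192.0.2.13 443/tcp open",
    "192.0.2.14 22/tcp closed",   # closed port: host is not flagged
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_SCAN).items():
        print(host, "->", ", ".join(hits) if hits else "no cluster signature")
```

A match means only that the listening ports coincide with a published signature; confirm on the device itself (running processes, firmware integrity) before treating it as compromised.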
Thousands of compromised Asus and TP-Link devices made up their corresponding botnets, while the rlogin botnet counted only 213 devices and zlogin only 8 Zyxel VPN devices.
The botnet with TP-Link routers was in decline recently, while researchers observed increasing activity of compromised Asus routers.
At least 21 malware samples were obtained, demonstrating a significant evolution in the gang’s tactics, oriented toward staying under the radar.
Three new backdoors, two affecting Asus routers and one affecting Axentra NAS, were named “UPDTAE” due to a typo in their code. They enable attackers to remotely control the compromised devices. Quad7 operators seem to be testing their new malware prior to deployment: “The code is poorly designed with several mistakes and remains very simple.”
However, HTTP-based shell communications enhance stealth and prevent security researchers from tracking the botnet’s evolution through internet scanning engines.
According to the report, researchers discovered an ASUS folder on the attackers' server containing malware used against various vendors and network appliances, including Asus, D-LINK DIR-610, and Netgear R7000.
Another bash script that was discovered was designed to set up firewall rules and launch three other malicious binaries against Ruckus appliances.
Cybercriminals often target Wi-Fi routers due to their accessibility, vulnerabilities, and potential use in anonymous and distributed attacks.
“With many compromised devices spread across various regions, malicious actors can conceal their operations and launch attacks with minimal risk of exposure. The Quad7 operators have particularly demonstrated how these compromised devices can be exploited for tasks such as relaying brute-force attacks,” researchers said.
In their report, Sekoia shared indicators of compromise, such as malicious IP addresses, hashes of malware, and other information.