
Overview of the Quad7 Botnet

The Quad7 botnet, also known as 7777, has recently been gaining attention due to its ongoing and evolving attacks on a variety of Small Office Home Office (SOHO) routers and VPN appliances. The operators behind this botnet are frequently altering their tactics by exploiting both known and previously unidentified security vulnerabilities to gain control of these devices.


A recent investigation by the French cybersecurity company Sekoia found that routers and VPN appliances from TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR are being specifically targeted. The report suggests that the operators are continually refining their tooling, adding a new backdoor and experimenting with different protocols to evade detection and tracking.

How the Quad7 Botnet Operates

The botnet, which was first publicly reported by independent researcher Gi7w0rm in October 2023, works by hijacking devices like TP-Link routers and Dahua digital video recorders (DVRs). Once compromised, these devices become part of the botnet, enabling the attackers to use them for further malicious activities.

According to Sekoia researchers Felix Aimé, Pierre-Antoine D., and Charles M., the Quad7 operators are now using a new backdoor to increase stealth, making their operations harder to trace. Both names, 7777 and Quad7, come from TCP port 7777, which the malware opens on compromised devices.

Expanding Reach and Targets

Though initially observed on TP-Link routers and used for brute-force attacks against Microsoft 365 accounts, the botnet has since branched out to other targets. In a January update, Jacob Baines of VulnCheck reported that Quad7 had also infected MVPower devices, Zyxel NAS units, and GitLab instances, though these cases are rarer. Aside from opening port 7777, the malware also starts a SOCKS5 proxy on TCP port 11288, which lets the attackers route their own traffic through the infected device.

Recent reports from Sekoia and Team Cymru show the botnet has spread to other regions, including Bulgaria, Russia, the U.S., and Ukraine. Furthermore, ASUS routers with open TCP ports 63256 and 63260 have become new targets.

Breakdown of the Quad7 Botnet Groups

The botnet appears to be divided into several clusters, each tied to a device type and a distinctive set of listening ports:

  • xlogin (7777 botnet): TP-Link routers with TCP ports 7777 and 11288 open.
  • alogin (63256 botnet): ASUS routers with TCP ports 63256 and 63260 open.
  • rlogin: Ruckus Wireless devices with TCP port 63210 open.
  • axlogin: Built for Axentra NAS devices, though it has not yet been seen in live attacks.
  • zylogin: Compromised Zyxel VPN appliances with TCP port 3256 open.

Countries most affected by the botnet include Bulgaria (1,093 cases), the U.S. (733 cases), and Ukraine (697 cases).
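The port signatures above are the simplest check a network owner can run against their own devices. The script below is an added example, not code from the article or from Sekoia: it maps each cluster to the ports the article lists, classifies a set of open ports into full or partial matches, and does a plain TCP connect-scan of those ports against one host. The cluster labels, function names and the 192.0.2.1 placeholder target are mine; only scan devices you own or are authorized to test. A "partial" hit (one high port open) is weaker evidence than a full signature, since an unrelated service may legitimately sit on a single high port.

```python
"""Quad7 open-port signature check (added example, not from the article or Sekoia).

Port numbers per cluster come from the article; the dictionary layout,
function names and the placeholder target are assumptions of this example.
"""
import socket
from typing import Dict, Iterable, Set

# Listening-port signature for each Quad7 cluster, as listed in the article.
QUAD7_SIGNATURES: Dict[str, Set[int]] = {
    "xlogin (7777 botnet, TP-Link)": {7777, 11288},
    "alogin (63256 botnet, ASUS)": {63256, 63260},
    "rlogin (Ruckus Wireless)": {63210},
    "zylogin (Zyxel VPN)": {3256},
}

# Union of every port any cluster uses, so a single scan covers all of them.
QUAD7_PORTS: Set[int] = set().union(*QUAD7_SIGNATURES.values())


def classify(open_ports: Iterable[int]) -> Dict[str, str]:
    """Return {cluster: "match" | "partial"} for clusters with open ports.

    "match": every port in the cluster's signature is open.
    "partial": at least one is open (worth a look, but weaker evidence).
    Clusters with no port open are omitted.
    """
    open_set = set(open_ports)
    verdicts: Dict[str, str] = {}
    for name, signature in QUAD7_SIGNATURES.items():
        hits = signature & open_set
        if hits == signature:
            verdicts[name] = "match"
        elif hits:
            verdicts[name] = "partial"
    return verdicts


def tcp_open(host: str, port: int, timeout: float = 1.5) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unroutable, or no network at all
        return False


def scan_host(host: str, ports: Iterable[int] = QUAD7_PORTS) -> Set[int]:
    """Connect-scan the given ports on host and return the set that accepted."""
    return {port for port in sorted(ports) if tcp_open(host, port)}


if __name__ == "__main__":
    import sys

    # 192.0.2.1 is a documentation address (TEST-NET-1), used only as a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    found = scan_host(target)
    print(f"{target}: open Quad7-associated ports: {sorted(found) or 'none'}")
    for cluster, verdict in classify(found).items():
        print(f"  {verdict:8} {cluster}")
```

Run it from the WAN side of the device where possible (for example from a host outside the network), since the article's clusters are defined by ports exposed to the internet; a port that is only reachable from the LAN may be a management interface rather than the backdoor. Note that this check is blind to the UPDTAE variant discussed later, which connects outbound instead of listening.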

New Threats and Backdoor Development

The threat actors behind Quad7 have also introduced a new backdoor called UPDTAE, which establishes an HTTP-based reverse shell. The backdoor lets the attackers control a compromised device remotely by issuing commands from a command-and-control (C2) server. Because a reverse shell connects out to the C2 rather than listening, an infected device no longer has to expose a tell-tale port, so scanning for the listening ports listed above will not reveal this variant. This marks a significant shift in strategy, aimed at making the operation more covert.

Possible State-Sponsored Attackers

Although the exact goals of the Quad7 botnet remain unclear, Sekoia's team assesses that it is likely operated by a Chinese state-sponsored group. The operators appear more sophisticated than typical cybercriminals, using techniques designed to evade detection and keep the infrastructure running for long periods.

Felix Aimé, one of the lead researchers on the project, noted, “So far, we’ve only observed brute-force attacks targeting Microsoft 365 accounts with the 7777 botnet. We haven’t yet figured out how the other botnets are being used, but we believe they are connected to a state-sponsored group.”
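The one confirmed use of the 7777 botnet is brute-forcing Microsoft 365 accounts, and a botnet of hacked home routers changes what that looks like in sign-in logs: the attempts arrive from many unrelated residential addresses rather than one noisy source, so per-IP lockout thresholds never trip. The detector below is an added example, not part of the article or of Sekoia's research. The sign-in records are constructed and use a simplified JSON shape of my own (timestamp, user, source IP, result), not a real Entra ID export; the thresholds and the 10.0.0.x and 203.0.113.x addresses are placeholders.

```python
"""Distributed brute-force detector for sign-in logs (added example, not from the article).

Two patterns worth alerting on when the attacker has a pool of hijacked
routers:
  1. one account failing from many distinct source IPs in a short window
     (the botnet spreads guesses across bots so no single IP gets locked out);
  2. one source IP failing against many different accounts (password spraying
     from a single bot).
The record format below is constructed for this example and is not a real
Microsoft 365 / Entra ID log schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: 10.0.0.x and 203.0.113.x are placeholder addresses.
SAMPLE_LOG = """
{"ts": "2024-09-10T08:00:01Z", "user": "alice@example.com", "ip": "10.0.0.11", "result": "failure"}
{"ts": "2024-09-10T08:03:14Z", "user": "alice@example.com", "ip": "10.0.0.12", "result": "failure"}
{"ts": "2024-09-10T08:07:40Z", "user": "alice@example.com", "ip": "10.0.0.13", "result": "failure"}
{"ts": "2024-09-10T08:12:09Z", "user": "alice@example.com", "ip": "10.0.0.14", "result": "failure"}
{"ts": "2024-09-10T08:15:55Z", "user": "alice@example.com", "ip": "10.0.0.15", "result": "failure"}
{"ts": "2024-09-10T08:20:30Z", "user": "alice@example.com", "ip": "10.0.0.16", "result": "success"}
{"ts": "2024-09-10T08:01:00Z", "user": "bob@example.com", "ip": "203.0.113.5", "result": "failure"}
{"ts": "2024-09-10T08:01:20Z", "user": "bob@example.com", "ip": "203.0.113.5", "result": "failure"}
{"ts": "2024-09-10T08:01:41Z", "user": "bob@example.com", "ip": "203.0.113.5", "result": "success"}
{"ts": "2024-09-10T09:00:00Z", "user": "carol@example.com", "ip": "10.0.0.21", "result": "failure"}
{"ts": "2024-09-10T09:30:00Z", "user": "dave@example.com", "ip": "10.0.0.21", "result": "failure"}
{"ts": "2024-09-10T10:00:00Z", "user": "erin@example.com", "ip": "10.0.0.21", "result": "failure"}
{"ts": "2024-09-10T10:30:00Z", "user": "frank@example.com", "ip": "10.0.0.21", "result": "failure"}
"""


def parse(log_text: str) -> List[dict]:
    """Parse one JSON object per line; timestamps become naive UTC datetimes."""
    events = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        record["ts"] = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(record)
    return events


def distributed_targets(events: List[dict], window: timedelta = timedelta(hours=1),
                        min_ips: int = 4) -> Dict[str, dict]:
    """Accounts whose failures inside any `window` come from >= min_ips distinct IPs.

    Also reports whether a success for that account follows the flagged
    window, which is the signal that a guess eventually landed.
    """
    failures_by_user: Dict[str, List[dict]] = defaultdict(list)
    for event in events:
        if event["result"] == "failure":
            failures_by_user[event["user"]].append(event)

    findings: Dict[str, dict] = {}
    for user, fails in failures_by_user.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):  # sliding window anchored at each failure
            ips = {e["ip"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(ips) >= min_ips:
                success_after = any(e["user"] == user and e["result"] == "success"
                                    and e["ts"] > start["ts"] for e in events)
                findings[user] = {"distinct_ips": len(ips), "success_after": success_after}
                break
    return findings


def spraying_sources(events: List[dict], min_users: int = 4) -> Dict[str, int]:
    """Source IPs with failed sign-ins against >= min_users distinct accounts."""
    users_by_ip: Dict[str, set] = defaultdict(set)
    for event in events:
        if event["result"] == "failure":
            users_by_ip[event["ip"]].add(event["user"])
    return {ip: len(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def analyse(log_text: str) -> Dict[str, dict]:
    """Run both detections over a log and return their findings together."""
    events = parse(log_text)
    return {"distributed": distributed_targets(events), "spraying": spraying_sources(events)}


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the constructed sample, bob's two quick failures from a single address followed by a success look like an ordinary typo and are not flagged, alice is flagged because five different addresses failed against her account within sixteen minutes and a success followed, and 10.0.0.21 is flagged for walking four accounts. Tune the thresholds to your tenant's size; the point is that grouping by account and by source separately catches what a per-IP lockout counter misses.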

Conclusion

As the Quad7 botnet continues to evolve, it presents a growing risk to SOHO routers and VPN appliances. The operators are clearly becoming more capable, which makes the botnet harder for defenders to track and disrupt. Businesses and individuals using affected devices should keep firmware up to date, apply any available security patches, and check whether the device exposes any of the ports listed above to the internet; a device that does should be treated as compromised, factory-reset, updated, and given new credentials.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
