logo

Quad7 botnet targets more SOHO and VPN routers, media servers

7777

The Quad7 botnet is evolving its operation by targeting additional SOHO devices with new custom malware for Zyxel VPN appliances, Ruckus wireless routers, and Axentra media servers.

This comes in addition to the TP-Link routers reported initially by Sekoia, from where the botnet got its name due to targeting port 7777, and also the ASUS routers targeted by a separate cluster discovered by Team Cymru two weeks later.

Sekoia has compiled a new report warning about the evolution of Quad7, which includes setting up new staging servers, launching new botnet clusters, employing new backdoors and reverse shells, and moving away from SOCKS proxies for a stealthier operation.

The continued evolution of the botnet shows that its creators were not deterred by the mistakes exposed by cybersecurity analysis and are now transitioning to more evasive technologies.

Quad7's operational goal remains murky, possibly for launching distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.

New clusters target Zyxel and Ruckus

The Quad7 botnet comprises several subclusters identified as variants of *login, with each of them targeting specific devices and displaying a different welcome banner when connecting to the Telnet port.

For example, the Telnet welcome banner on Ruckus wireless devices is 'rlogin,' as illustrated by the Censys result below.

Infected Ruckus device found on Censys
Infected Ruckus device found on CensysSource: BleepingComputer

The complete list of malicious clusters and their welcome banners are:

  • xlogin – Telnet bound to TCP port 7777 on TP-Link routers
  • alogin – Telnet bound to TCP port 63256 on ASUS routers
  • rlogin – Telnet bound to TCP port 63210 on Ruckus wireless devices.
  • axlogin – Telnet banner on Axentra NAS devices (Porn unknown as not seen in the wild)
  • zylogin – Telnet bound to TCP port 3256 on Zyxel VPN appliances

Some of these large clusters, like 'xlogin' and 'alogin', compromise several thousand devices.

Others, like 'rlogin,' which started around June 2024, only count 298 infections as of this publication. The 'zylogin' cluster is also very small, with only two devices. The axlogin cluster does not show any active infections at this time.

Still, these emerging subclusters could spring out of their experimental phase or incorporate new vulnerabilities that target more widely exposed models, so the threat remains significant.

Quad7's subclusters
Quad7's subclustersSource: Sekoia

Evolution in communication and tactics

Sekoia's latest findings show that the Quad7 botnet has evolved significantly in its communication methods and tactics, focusing on detection evasion and better operational effectiveness.

First, the open SOCKS proxies, in which the botnet relied heavily on previous versions for relaying malicious traffic, such as brute-forcing attempts, are being phased out.

Instead, Quad7 operators now utilize the KCP communication protocol to relay attacks via a new tool, ' FsyNet,' that communicates over UDP, making detecting and tracking much harder.

FsyNet's communication decryption process
FsyNet's communication decryption processSource: Sekoia

Also, the threat actors now utilize a new backdoor named 'UPDTAE' that establishes HTTP reverse shells for remote control on the infected devices.

This allows the operators to control the devices without exposing login interfaces and leaving ports open that are easily discoverable via internet scans, like Censys.

Reverse shell communications
Reverse shell communicationSource: Sekoia

There's also experimentation with a new 'netd' binary that uses the darknet-like protocol CJD route2, so an even stealthier communication mechanism is likely in the works.

To mitigate the risk of botnet infections, apply your model's latest firmware security update, change the default admin credentials with a strong password, and disable web admin portals if not needed.

If your device is no longer supported, you are strongly advised to upgrade to a newer model that continues to receive security updates.


Free security scan for your website