Emerging Threat: Quad7 Botnet Targets SOHO Routers and VPN Appliances
The Quad7 botnet has drawn attention recently as its operators compromise a range of small office/home office (SOHO) routers and VPN appliances by exploiting both known and previously unknown vulnerabilities. A report from French cybersecurity firm Sekoia finds that the botnet targets devices manufactured by TP-Link, Zyxel, ASUS, Axentra, D-Link, and NETGEAR.
Researchers Felix Aimé, Pierre-Antoine D., and Charles M. noted that the Quad7 operators are enhancing their toolset with a new backdoor and are experimenting with new protocols. This evolution appears aimed at improving stealth and at making it harder for defenders to track the operational relay boxes (ORBs) that make up the botnet's infrastructure. The botnet, also referred to as 7777, was first documented by independent researcher Gi7w0rm in October 2023, who highlighted its strategy of ensnaring TP-Link routers and Dahua digital video recorders (DVRs).
The designation "Quad7" (and the earlier name 7777) stems from TCP port 7777, which the malware opens on compromised devices. The botnet has been used to carry out brute-force attacks against Microsoft 365 and Azure accounts. Further analysis from VulnCheck indicated that Quad7 also targets systems such as MVPower, Zyxel NAS, and GitLab, albeit in smaller volumes. Notably, infected devices also run a SOCKS5 proxy on TCP port 11228, which lets the operators relay their traffic through the compromised routers.
Investigations by Sekoia and Team Cymru have found Quad7-infected TP-Link routers in various countries, including Bulgaria, Russia, the United States, and Ukraine. Its reach has since extended to ASUS routers, on which the malware listens on TCP ports 63256 and 63260. The latest findings indicate that the botnet comprises several clusters, including xlogin (compromised TP-Link devices), alogin (ASUS devices), rlogin (Ruckus Wireless devices), and others targeting specific appliances such as Axentra NAS and Zyxel VPN devices.
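Taken together, the ports above give defenders a cheap triage check for edge devices. The script below is an added example written for this article, not code from Sekoia, Team Cymru or the other researchers cited: it reads constructed, simplified Zeek conn.log-style records (the seven-column order is an assumption of the example, not the real conn.log layout) and reports internal devices that completed TCP handshakes from outside addresses on the ports the article names. It also includes a SOCKS5 greeting check for port 11228 based on the RFC 1928 method-selection exchange, with the live network call kept separate from the byte-level logic so the latter can be tested offline.

```python
"""Flag SOHO devices that accept inbound connections on Quad7-associated ports.

Added example for this article; not code from Sekoia, Team Cymru or the
researchers it cites. The port-to-cluster map lists the ports the article
names. The conn.log-style records below are constructed sample data in a
simplified column order (assumption of this example).
"""
import ipaddress
import socket
from collections import defaultdict

# TCP ports the article associates with Quad7 activity on infected devices.
QUAD7_PORTS = {
    7777: "port 7777 (xlogin / original 7777 cluster)",
    11228: "SOCKS5 proxy",
    63256: "alogin (ASUS) cluster",
    63260: "alogin (ASUS) cluster",
}

# Zeek conn_state values meaning the responder completed the TCP handshake.
# S0 (no reply) and REJ (rejected) do not indicate a listener.
ESTABLISHED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# RFC 1918 ranges, used explicitly rather than ipaddress.is_private because
# is_private also matches documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, tab separated:
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  conn_state
SAMPLE_CONN_LOG = """\
1725000001.1\t203.0.113.5\t51234\t192.168.1.1\t7777\ttcp\tSF
1725000002.2\t203.0.113.5\t51235\t192.168.1.1\t11228\ttcp\tSF
1725000003.3\t198.51.100.9\t40000\t192.168.1.20\t63256\ttcp\tSF
1725000004.4\t198.51.100.9\t40001\t192.168.1.20\t63260\ttcp\tS0
1725000005.5\t192.168.1.50\t44444\t192.168.1.1\t443\ttcp\tSF
1725000006.6\t198.51.100.9\t40002\t192.168.1.30\t7777\ttcp\tREJ
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_suspect_listeners(conn_log: str) -> dict:
    """Return {internal_host: {port: label}} for RFC 1918 hosts that completed
    a TCP handshake from a non-RFC 1918 address on a Quad7-associated port."""
    hits = defaultdict(dict)
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        orig_h, resp_h, proto, state = fields[1], fields[3], fields[5], fields[6]
        try:
            resp_p = int(fields[4])
        except ValueError:  # Zeek writes "-" for missing values
            continue
        if proto != "tcp" or state not in ESTABLISHED_STATES or resp_p not in QUAD7_PORTS:
            continue
        # Only an internal device reachable from outside is interesting here.
        if is_rfc1918(orig_h) or not is_rfc1918(resp_h):
            continue
        hits[resp_h][resp_p] = QUAD7_PORTS[resp_p]
    return dict(hits)


# RFC 1928 client greeting: version 5, one method offered, 0x00 = no authentication.
SOCKS5_GREETING = b"\x05\x01\x00"


def socks5_accepts_noauth(reply: bytes) -> bool:
    """True if a two-byte RFC 1928 method-selection reply chose 'no authentication'."""
    return len(reply) >= 2 and reply[0] == 0x05 and reply[1] == 0x00


def probe_socks5(host: str, port: int = 11228, timeout: float = 3.0) -> bool:
    """Live check (needs network access to the device, run only against
    devices you are authorized to test): does host:port answer a SOCKS5
    greeting as an open, no-auth proxy?"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(SOCKS5_GREETING)
            return socks5_accepts_noauth(sock.recv(2))
    except OSError:
        return False


if __name__ == "__main__":
    for host, ports in sorted(find_suspect_listeners(SAMPLE_CONN_LOG).items()):
        for port, label in sorted(ports.items()):
            print(f"{host} accepted external connections on tcp/{port}: {label}")
```

On the sample data the script reports 192.168.1.1 (ports 7777 and 11228) and 192.168.1.20 (port 63256); the half-open connection to 63260 and the rejected attempt on 192.168.1.30 are ignored because the device never completed the handshake. A positive result from `probe_socks5` against a home router is a strong signal, since no stock SOHO firmware ships an unauthenticated SOCKS5 proxy on that port; a negative result proves little, because the proxy may be bound only to the WAN interface or filtered by the operator.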
According to Sekoia, the highest number of infections has been reported from Bulgaria, the United States, and Ukraine. In a significant development, the operators have introduced a new backdoor, identified as UPDTAE, which establishes an HTTP-based reverse shell to a command-and-control (C2) server and executes the commands it receives, giving the operators remote control of infected devices.
While the precise motives behind the Quad7 botnet remain unclear, Sekoia suggests that its activities may be linked to a Chinese state-sponsored threat actor. In MITRE ATT&CK terms, the activity described so far maps to initial access through exploitation of vulnerabilities in internet-exposed appliances, persistence via the newly introduced UPDTAE backdoor, and the use of compromised devices as proxies for credential brute-force attacks against Microsoft 365 and Azure.
The evolution of Quad7 illustrates a broader problem: SOHO routers and VPN appliances sit directly on the internet, are patched infrequently, and are rarely monitored, which makes them attractive both as targets and as relays for attacks on other organizations. Practical defenses follow from the details above: apply vendor firmware updates to devices from the affected manufacturers, keep management interfaces off the internet, and check edge devices for unexpected listeners, in particular on TCP ports 7777, 11228, 63256, and 63260. On the receiving end, authentication brute-force attempts against Microsoft 365 and Azure that arrive from many unrelated consumer ISP addresses are consistent with traffic relayed through this botnet and warrant the same scrutiny as any other credential attack.