Researchers have closely monitored the Quad7 botnet (also referred to as the 7777 botnet), a notorious cybercriminal group observed to target various small office and home office (SOHO) routers and VPN appliances, including devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and Netgear.
The researchers state that they have discovered that the Quad7 botnet is just one component of a larger network of compromised devices, and five different login clusters were identified and linked to its operators, including the alogin, xlogin, axlogin, rlogin, and zylogin botnets.
Five Login Clusters Linked To Quad7 Botnet
The investigation by Sekoia’s TDR team identified five login clusters as being responsible for targeted compromise of various devices, including the TP-Link routers, Asus routers, Ruckus Wireless, and Zyxeland devices. After compromise, the botnet uses these infected devices to relay brute-force attacks on internet-exposed services such as VPN, telnet, and SSH services.
The Quad7 botnet is known for its capability to chain multiple vulnerabilities including previously unknown ones, making it challenging for researchers to track the botnet’s evolution. Additionally, the operators have also been introducing newer backdoors and exploring different protocols to enhance the stealthiness of attack operations and to evade tracking from security teams.
Each of these botnets target vulnerabilities in specific router and network appliance brands to gain access and deploy their malicious payloads:
- Alogin (aka 63256 botnet): This login cluster is a botnet composed of compromised Asus routers, which have both TCP ports 63256 and 63260 opened. The TELNET/63256 port is targeted to host a bind shell with root privileges, while the SOCKS/63260 port is used to host a password-protected Socks5 proxy.
- Xlogin: The Xlogin botnet is composed of compromised devices, with no specific vendor or model mentioned. The botnet is designed to remain under the radar and to avoid having a login interface on the compromised devices.
- Axlogin: Axlogin is a botnet cluster that targets Axentra NAS devices. The login interface is password-protected, and the botnet is designed to remain stealthy and evade detection. Axlogin is a recent addition to the Quad7 botnet’s arsenal.
- Rlogin: Rlogin is a botnet cluster that targets Ruckus Wireless devices. The botnet is designed to remain under the radar, with no login interface on the compromised devices.
- Zylogin: Zylogin is a botnet cluster that targets Zyxel VPN appliances. The login interface is password-protected, and the botnet is designed to remain stealthy and evade detection. Zylogin is another recent addition to the Quad7 botnet’s arsenal.
The team’s analysis has revealed that while the alogin and xlogin botnets are larger, with thousands of compromised devices, the rlogin botnet is smaller, with only 213 devices identified as of late August 2024.
Quad7 Operators Exploring Protocols and Techniques
In addition to the login botnets, the researcher team discovered three new HTTP-based reverse shell backdoors, which they have nicknamed the ‘UPDTAE’ backdoors. They believe these backdoors are being tested by the Quad7 operators in an effort to enhance their stealth and evade tracking capabilities.
The UPDTAE backdoors are statically linked with the libcurl library, and are used to transmit HTTP requests every 30 seconds with a User-Agent set to ‘IOT,’ with command-and-control (C2) communication only carried out through simple webpages. This approach allows the Quad7 operators to avoid using a login interface on the compromised routers, making it more difficult for security researchers to track the botnet’s evolution.
The investigation has also uncovered evidence that Quad7’s operators may be exploring new protocols and techniques to relay their attacks, potentially abandoning the use of open Socks proxies as in previous campaigns.
One such project, nicknamed ‘FsyNet,’ was discovered on a staging server controlled by the Quad7 operators. Rather than Socks protocol, FsyNet instead uses the KCP (Kcp) protocol, a Chinese library that implements a TCP-like protocol over UDP, to provide better latency but with higher bandwidth consumption. The FsyNet project was found to include three binaries (asr_node, node-r-control, and node-relay) that appear to be designed to handle the new protocol.
Additionally, the team found a shell script called ‘exec.sh’ that is used to target various vendors and network appliances, including Asus, D-Link, and Netgear. This script downloads and executes a binary named ‘netd,’ which may be another component of the Quad7 operators’ evolving toolkit.
The investigation into the Quad7 botnet and the discovery of additional login botnets, HTTP-based reverse shells, and the potential use and testing of alternative protocols like KCP reveals a concerning trend of continuous adaptation in tactics and tools by its operators to enhance stealth and effectiveness in their attack operations.
