The Quad7 botnet [1] [2] [3] [4] [5] [6] [7] [8] [9], also known as the 7777 or xlogin botnet [6], has evolved to target a wider range of devices beyond TP-Link routers, including Zyxel VPN appliances [3] [4] [5] [8] [9], Ruckus wireless routers [2] [4] [5] [7] [8] [9], and Axentra media servers [2] [4] [5] [8]. Recent observations indicate a shift in tactics by the operators to evade detection and complicate attribution efforts.

Description

The Quad7 botnet [1] [2] [3] [4] [5] [6] [7] [8] [9], previously focused on TP-Link routers, now uses backdoors that open HTTP reverse shells and communicate over the KCP protocol (carried on UDP) to control a tool called “FysNet.” Infected devices may carry a netd binary that turns the device into a relay node, listening on randomized ports to evade detection [7]. The operators run password-spraying campaigns against Microsoft 365 accounts [4] [6] [8] and launch distributed brute-force attacks against VPNs, Telnet [4] [8], SSH [4] [8], and Microsoft 365 accounts. A new backdoor named ‘UPDTAE’ has been developed for remote control of infected devices, and its communication has shifted to the KCP protocol [8].
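As an added example (not code from the page or from any of the cited reports), the following Python shows how a defender could flag the two credential-attack patterns described above in sign-in logs: password spraying (one source, few guesses against many accounts) and distributed brute force (many relay sources against one account). The log format, the thresholds and the sample records are constructed assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from the page): time, source IP, account, outcome.
SAMPLE_LOG = """\
2024-09-10T12:00:01Z 203.0.113.10 alice@example.com FAIL
2024-09-10T12:00:03Z 203.0.113.10 bob@example.com FAIL
2024-09-10T12:00:05Z 203.0.113.10 carol@example.com FAIL
2024-09-10T12:00:07Z 203.0.113.10 dave@example.com FAIL
2024-09-10T12:00:09Z 203.0.113.10 erin@example.com FAIL
2024-09-10T12:01:00Z 198.51.100.7 alice@example.com FAIL
2024-09-10T12:01:10Z 198.51.100.8 alice@example.com FAIL
2024-09-10T12:01:20Z 198.51.100.9 alice@example.com FAIL
2024-09-10T12:01:30Z 198.51.100.10 alice@example.com FAIL
2024-09-10T12:05:00Z 192.0.2.44 frank@example.com FAIL
2024-09-10T12:05:30Z 192.0.2.44 frank@example.com OK
"""

def parse(log_text):
    """Parse one whitespace-separated record per line into (time, ip, account, outcome)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events

def _fan_out(events, key_idx, val_idx, window, threshold):
    """For each key, count distinct values seen among FAILED sign-ins inside a
    sliding time window; return {key: count} for keys reaching the threshold."""
    groups = defaultdict(list)
    for ev in events:
        if ev[3] == "FAIL":
            groups[ev[key_idx]].append((ev[0], ev[val_idx]))
    hits = {}
    for key, fails in groups.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            distinct = {v for t, v in fails[i:] if t - start <= window}
            if len(distinct) >= threshold:
                hits[key] = len(distinct)
                break
    return hits

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Spray: one source IP fails against many distinct accounts."""
    return _fan_out(events, 1, 2, window, min_accounts)

def detect_distributed_bruteforce(events, window=timedelta(minutes=10), min_sources=4):
    """Distributed brute force: many source IPs (e.g. relay nodes) fail against one account."""
    return _fan_out(events, 2, 1, window, min_sources)
```

Run `detect_password_spray(parse(SAMPLE_LOG))` and `detect_distributed_bruteforce(parse(SAMPLE_LOG))` on the constructed log to see the spraying source and the targeted account reported; tune the window and thresholds to your own sign-in volume.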

Conclusion

To protect against the Quad7 botnet, it is recommended to apply firmware security updates and set strong passwords on SOHO devices [9]. The botnet’s expansion to VPN routers and media servers poses a significant threat, and the operators may exploit further security flaws in the future. The persistence and advanced techniques of the botnet operators suggest a possible state-sponsored origin, highlighting the need for continued vigilance and proactive cybersecurity measures.

References

[1] https://rhyno.io/blogs/cybersecurity-news/quad7-botnet-targets-more-routers-and-vpns/
[2] https://www.techradar.com/pro/security/quad7-botnet-expands-adding-soho-and-vpn-routers-media-servers
[3] https://thehackernews.com/2024/09/quad7-botnet-expands-to-target-soho.html
[4] https://greatis.com/unhackme/help/news/new-quad7-botnet-opeartion-targeting-vpn-routers-and-media-servers.htm
[5] https://cybermaterial.com/quad7-botnet-expands-targets-to-soho-devices/
[6] https://cybersecuritynews.com/quad7-botnet-compromises-routers-vpns/
[7] https://www.databreachtoday.com/quad7-botnet-operators-expand-targets-aim-for-stealth-a-26251
[8] https://securityaffairs.com/168250/malware/quad7-botnet-evolves.html
[9] https://www.scmagazine.com/brief/quad7-botnet-operation-expands-targeting-infrastructure