Quad7 botnet targets more SOHO and VPN routers, media servers

Summary: The Quad7 botnet is evolving its operations by targeting additional SOHO devices with custom malware, including Zyxel VPN appliances and Ruckus wireless routers, while employing new tactics for stealthier attacks. Recent reports indicate that the botnet is transitioning to more evasive technologies and communication methods, making it a significant threat to various devices.

Threat Actor: Quad7
Victim: SOHO Devices

Key Points:

  • Quad7 is targeting new devices, including Zyxel and Ruckus, with specific subclusters for each device type.
  • The botnet is evolving its communication methods, moving away from SOCKS proxies to the KCP protocol and employing new backdoors for stealthier operations.
  • Operators are experimenting with new binaries and protocols to enhance detection evasion and operational effectiveness.
  • Mitigation strategies include updating firmware, changing default credentials, and upgrading unsupported devices.


The Quad7 botnet is evolving its operation by targeting additional SOHO devices with new custom malware for Zyxel VPN appliances, Ruckus wireless routers, and Axentra media servers.

This comes in addition to the TP-Link routers previously reported by Sekoia and first described by researcher Gi7w0rm, who gave the botnet its name because of its use of port 7777, and to the ASUS routers targeted by a separate cluster that Team Cymru discovered two weeks later.

Sekoia has compiled a new report warning about the evolution of Quad7, which includes setting up new staging servers, launching new botnet clusters, employing new backdoors and reverse shells, and moving away from SOCKS proxies for a stealthier operation.

The continued evolution of the botnet shows that its creators were not deterred by having their earlier mistakes exposed in security research and are now transitioning to more evasive techniques.

Quad7’s operational goal remains murky; it is possibly used for launching distributed brute-force attacks against VPNs, Telnet, SSH, and Microsoft 365 accounts.

New clusters target Zyxel and Ruckus

The Quad7 botnet comprises several subclusters, identified as variants of *login, each targeting a specific device family and each displaying a different welcome banner on its Telnet port.

For example, the Telnet welcome banner on Ruckus wireless devices is ‘rlogin,’ as illustrated by the Censys result below.

Infected Ruckus device found on Censys
Source: BleepingComputer

The complete list of malicious clusters and their welcome banners is:

  • xlogin – Telnet bound to TCP port 7777 on TP-Link routers
  • alogin – Telnet bound to TCP port 63256 on ASUS routers
  • rlogin – Telnet bound to TCP port 63210 on Ruckus wireless devices.
  • axlogin – Telnet banner on Axentra NAS devices (port unknown as not seen in the wild)
  • zylogin – Telnet bound to TCP port 3256 on Zyxel VPN appliances

Some of these large clusters, like ‘xlogin’ and ‘alogin’, compromise several thousand devices.

Others, like ‘rlogin,’ which started around June 2024, count only 298 infections as of this publication. The ‘zylogin’ cluster is also very small, with only two devices, and the axlogin cluster does not show any active infections at this time.

Still, these emerging subclusters could spring out of their experimental phase or incorporate new vulnerabilities that target more widely exposed models, so the threat remains significant.
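The banner-and-port list above is enough to build a defensive check: connect to the listed port, read what the service volunteers, strip Telnet option negotiation, and match the prefix. The script below is an added example written for this article, not code from Sekoia or from the botnet; the cluster table is taken from the list above, and the localhost listener is a constructed test fixture standing in for an infected device so the scan runs offline.

```python
import socket
import threading
from typing import Optional

# Cluster name -> (Telnet banner prefix, TCP port) from the list above.
# The axlogin port is not known, so it is recorded as None.
QUAD7_CLUSTERS = {
    "xlogin":  ("xlogin",  7777),   # TP-Link routers
    "alogin":  ("alogin",  63256),  # ASUS routers
    "rlogin":  ("rlogin",  63210),  # Ruckus wireless devices
    "zylogin": ("zylogin", 3256),   # Zyxel VPN appliances
    "axlogin": ("axlogin", None),   # Axentra NAS devices
}

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop Telnet IAC option negotiation so only the printable banner remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                      # truncated IAC at end of buffer
        elif data[i + 1] == IAC:
            out.append(IAC)                            # escaped literal 0xFF
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                     # IAC <cmd> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)   # IAC SB ... IAC SE
            i = len(data) if end == -1 else end + 2
        else:
            i += 2                                     # other two-byte IAC command
    return bytes(out)


def classify_banner(banner: bytes) -> Optional[str]:
    """Return the Quad7 cluster whose banner prefix matches, else None."""
    text = strip_telnet_negotiation(banner).decode("ascii", "replace").strip().lower()
    for name, (prefix, _port) in QUAD7_CLUSTERS.items():
        if text.startswith(prefix):
            return name
    return None


def grab_banner(host: str, port: int, timeout: float = 3.0, limit: int = 512) -> bytes:
    """Connect, read whatever the service sends unprompted, and return it raw."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            while sum(len(c) for c in chunks) < limit:
                chunk = sock.recv(256)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass                                       # real devices keep the session open
    return b"".join(chunks)


def scan_host(host: str, port: int) -> Optional[str]:
    """Banner-grab one host:port and classify it; None on connection failure or no match."""
    try:
        return classify_banner(grab_banner(host, port))
    except OSError:
        return None


def fake_infected_listener(banner: bytes) -> int:
    """Constructed stand-in for an infected device (a test fixture, not malware):
    listens on an ephemeral localhost port, sends the banner to one client, closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed banner: an IAC DO ECHO negotiation followed by the Ruckus cluster prompt.
    port = fake_infected_listener(b"\xff\xfd\x01rlogin: ")
    print(scan_host("127.0.0.1", port))
```

Run it against your own address space on the five ports only; a legitimate Telnet service answers with a vendor login prompt, which will not match any of the prefixes, while a matching banner on the listed port is a strong indicator that the device belongs to one of the subclusters.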

Quad7's subclusters
Source: Sekoia

Evolution in communication and tactics

Sekoia’s latest findings show that the Quad7 botnet has evolved significantly in its communication methods and tactics, focusing on detection evasion and better operational effectiveness.

First, the open SOCKS proxies that previous versions of the botnet relied on heavily to relay malicious traffic, such as brute-forcing attempts, are being phased out.

Instead, Quad7 operators now use the KCP communication protocol to relay attacks via a new tool, ‘FsyNet,’ which communicates over UDP, making detection and tracking much harder.
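KCP is a reliable-transport layer carried in UDP datagrams, and its standard framing (a 24-byte little-endian header per segment, one or more segments per datagram) is recognizable on the wire. The code below is an added example, not Sekoia's tooling and not anything from FsyNet: it parses standard KCP segments and flags host pairs whose UDP datagrams all parse as KCP. It assumes the header is visible in cleartext; the article says Sekoia had to decrypt FsyNet traffic and does not state whether the KCP header itself survives that encryption, so treat the detector as a hunt for off-the-shelf KCP rather than a confirmed FsyNet signature. The sample packets are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Standard KCP segment header (skywind3000/kcp), little-endian, 24 bytes:
# conv(4) cmd(1) frg(1) wnd(2) ts(4) sn(4) una(4) len(4), then len data bytes.
KCP_HEADER = struct.Struct("<IBBHIIII")
KCP_OVERHEAD = KCP_HEADER.size  # 24
KCP_CMDS = {81: "PUSH", 82: "ACK", 83: "WASK", 84: "WINS"}
_CMD_CODES = {name: code for code, name in KCP_CMDS.items()}


@dataclass
class KcpSegment:
    conv: int
    cmd: str
    frg: int
    wnd: int
    ts: int
    sn: int
    una: int
    payload: bytes


def parse_kcp_segments(datagram: bytes) -> Optional[List[KcpSegment]]:
    """Split one UDP payload into KCP segments, or return None if it is not
    well-formed KCP (unknown command byte, short header, or a length overrun)."""
    segments: List[KcpSegment] = []
    offset = 0
    while offset < len(datagram):
        if len(datagram) - offset < KCP_OVERHEAD:
            return None
        conv, cmd, frg, wnd, ts, sn, una, length = KCP_HEADER.unpack_from(datagram, offset)
        if cmd not in KCP_CMDS:
            return None
        offset += KCP_OVERHEAD
        if length > len(datagram) - offset:
            return None
        segments.append(KcpSegment(conv, KCP_CMDS[cmd], frg, wnd, ts, sn, una,
                                   datagram[offset:offset + length]))
        offset += length
    return segments or None


def build_kcp_segment(conv: int, cmd: str, sn: int, payload: bytes = b"",
                      frg: int = 0, wnd: int = 32, ts: int = 0, una: int = 0) -> bytes:
    """Encode one KCP segment; used here only to construct sample traffic."""
    return KCP_HEADER.pack(conv, _CMD_CODES[cmd], frg, wnd, ts, sn, una, len(payload)) + payload


def find_kcp_flows(packets: Iterable[Tuple[str, str, bytes]],
                   min_segments: int = 3) -> Dict[Tuple[str, str, int], int]:
    """packets: (src, dst, udp_payload) triples with src/dst as 'ip:port' strings.
    Returns {(src, dst, conv): segment_count} for host pairs where every datagram
    parsed as KCP and at least min_segments segments shared one conversation id."""
    counts: Dict[Tuple[str, str, int], int] = {}
    not_kcp = set()
    for src, dst, payload in packets:
        segments = parse_kcp_segments(payload)
        if segments is None:
            not_kcp.add((src, dst))   # one non-KCP datagram disqualifies the pair
            continue
        for seg in segments:
            key = (src, dst, seg.conv)
            counts[key] = counts.get(key, 0) + 1
    return {key: n for key, n in counts.items()
            if n >= min_segments and (key[0], key[1]) not in not_kcp}


# Constructed sample capture (documentation address ranges, hypothetical hosts):
# a "bot" relaying data to a "relay" over KCP, plus an ordinary DNS query.
BOT, RELAY = "192.0.2.10:40321", "203.0.113.7:5000"
SAMPLE_PACKETS = [
    # two PUSH segments packed into one datagram, as KCP does when it flushes
    (BOT, RELAY, build_kcp_segment(0x2A5F, "PUSH", 0, b"relayed data 0")
                 + build_kcp_segment(0x2A5F, "PUSH", 1, b"relayed data 1")),
    (BOT, RELAY, build_kcp_segment(0x2A5F, "PUSH", 2, b"relayed data 2")),
    # DNS query for example.com: must not parse as KCP (cmd byte is 0x00)
    ("192.0.2.10:5353", "192.0.2.1:53",
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
]

if __name__ == "__main__":
    for (src, dst, conv), n in find_kcp_flows(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst} conv={conv:#x} kcp_segments={n}")
```

The command byte and the per-segment length field are the cheap checks; random UDP payloads pass both only rarely, and requiring every datagram between a pair to parse keeps the false-positive rate low on real captures. To use it on a pcap, feed it UDP payloads from your packet library of choice keyed by source and destination.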

FsyNet's communication decryption process
Source: Sekoia

Also, the threat actors now utilize a new backdoor named ‘UPDTAE’ that establishes HTTP reverse shells for remote control on the infected devices.

This allows the operators to control the devices without exposing login interfaces or leaving open ports that are easily discoverable by internet scanners such as Censys.

Reverse shell communications
Source: Sekoia

There’s also experimentation with a new ‘netd’ binary that uses the darknet-like protocol CJD route2, so an even stealthier communication mechanism is likely in the works.

To mitigate the risk of botnet infection, apply your model’s latest firmware security update, replace the default admin credentials with a strong password, and disable web admin portals and remote management if they are not needed.

If your device is no longer supported, you are strongly advised to upgrade to a newer model that continues to receive security updates.

Source: https://www.bleepingcomputer.com/news/security/quad7-botnet-targets-more-soho-and-vpn-routers-media-servers