Network Firewalls, Network Access Control , Security Operations

Quad7 Botnet Operators Expand Targets, Aim for Stealth

VPN Endpoints, Wireless Routers and Network-Attached Storage Devices Are Targets
Quad7 Botnet Operators Expand Targets, Aim for Stealth
Operators of the Quad7 botnet want to expand. (Image: Shutterstock)

Operators behind a mysterious botnet named for a TCP routing port number are expanding the universe of targeted devices and taking steps to hide their infrastructure, warn Sekoia researchers.

See Also: Webinar | Minimizing the Attack Surface Through Zero Trust Network Access

The 7777 - or Quad7 - botnet appears to have emerged in 2023 and was primarily composed of hacked TP-Link routers. Sekoia on Monday said botnet operators seem to be compromising Zyxel VPN endpoints, Ruckus wireless routers and Axentra network-attached storage devices.

Researchers also track the botnet as "xlogin," since infected devices display a version of xlogin: banners, with variants corresponding to infected devices. The axlogin appears to be deployed on Axentra media servers, while rlogin is tied to Ruckus wireless routers. Sekoia said it recently observed a decline in the xlogin botnet that consists mostly of TP-Link routers.

Publicity generated by mounting researcher attention is apparently nudging operators into taking steps to hide their infrastructure. The hackers might also have decided that exposing a login interface on compromised routers is tantamount to letting other hackers take control of their bots. The researchers found evidence of backdoors acting as HTTP reverse shells beaconing back to a command-and-control server every 30 seconds. Still, the backdoor code "is poorly designed with several mistakes and remains very simple," Sekoia said.

Reverse shells aren't the only obfuscation technique Quad7 operators have embraced. They also now use the KCP communications protocol over UDP to control a tool dubbed "FysNet." Operators' adoption of KCP could indicate a shift from using simple open SOCKS proxies - making it harder for internet scanning engines and security researchers to track Quad7 bots.

Infected ASUS, De-Link and Netgear networking appliances also now may carry a netd binary whose purpose appears to be converting the device into an operational relay box relay node. Unfortunately for cyber defenders, the binary's listening port is randomized for each infected device, "making wide-scale scanning for compromised appliances impossible."

"The development of new tools, such as HTTP reverse shells and the use of more secure communication protocols like KCP, suggests they are actively working to evade detection and complicate efforts to attribute their activities," Sekoia said of Quad7 operators.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing devicesecurity.io, you agree to our use of cookies.