Severity
High
Analysis Summary
Using a combination of known and unknown vulnerabilities, the operators of the enigmatic Quad7 botnet are actively evolving and compromising SOHO routers and VPN appliances from multiple manufacturers.
Devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR are among the targets, according to a recent report. To improve stealth and avoid having their operational relay boxes (ORBs) tracked, the Quad7 operators appear to be experimenting with new protocols and adding new tools to their arsenal. In October 2023, researchers first publicly documented Quad7, also known as 7777, describing the activity cluster's tendency to ensnare Dahua DVRs and TP-Link routers into a botnet.
The botnet has been seen brute-forcing Microsoft 365 and Azure instances. It gets its name from the fact that it opens TCP port 7777 on infected devices. It also appears, at a very low rate, to infect other systems such as MVPower, Zyxel NAS, and GitLab. In addition to the service on port 7777, the botnet spins up a SOCKS5 server on port 11228.
Months of further investigation revealed that the botnet had not only compromised TP-Link routers in Ukraine, Russia, Bulgaria, and the United States but had also grown to target ASUS routers, which show TCP ports 63256 and 63260 open. The researchers now group the activity into the following clusters:
- The xlogin botnet, often referred to as the 7777 botnet, is made up of infected TP-Link routers with TCP ports 7777 and 11288 open.
- The alogin botnet (also known as the 63256 botnet) is made up of infected ASUS routers with both TCP ports 63256 and 63260 open.
- The rlogin botnet is made up of compromised Ruckus Wireless devices with TCP port 63210 open.
- The axlogin botnet targets Axentra NAS devices but has not yet been observed in the wild.
- The zylogin botnet is made up of compromised Zyxel VPN appliances with TCP port 3256 open.
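Each cluster above is characterised by the ports its implant leaves listening on the edge device, so a defender can screen perimeter firewall logs for devices that accept inbound connections on those port combinations. The following is an added detection example, not code from the original report; the log line format and the sample entries are constructed for illustration, and the port signatures are taken from the cluster list above.

```python
import re
from collections import defaultdict

# Listening-port signatures per Quad7 cluster, as listed in the advisory.
# xlogin and alogin are only a confident match when both ports are seen.
CLUSTER_PORTS = {
    "xlogin": {7777, 11288},
    "alogin": {63256, 63260},
    "rlogin": {63210},
    "zylogin": {3256},
}

# Assumed firewall log format (constructed for this example):
#   "<timestamp> ALLOW|DENY tcp <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^\S+ (ALLOW|DENY) tcp (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample: inbound connections from the Internet to edge devices.
SAMPLE_LOGS = """\
2024-09-12T10:01:02Z ALLOW tcp 203.0.113.5:51234 -> 192.0.2.10:7777
2024-09-12T10:01:03Z ALLOW tcp 203.0.113.5:51235 -> 192.0.2.10:11288
2024-09-12T10:02:00Z ALLOW tcp 198.51.100.7:40000 -> 192.0.2.20:63256
2024-09-12T10:02:05Z ALLOW tcp 198.51.100.7:40001 -> 192.0.2.20:63260
2024-09-12T10:03:00Z ALLOW tcp 198.51.100.9:40500 -> 192.0.2.30:63256
2024-09-12T10:04:00Z ALLOW tcp 203.0.113.8:52000 -> 192.0.2.40:443
2024-09-12T10:05:00Z DENY tcp 203.0.113.8:52001 -> 192.0.2.50:3256
"""

def ports_per_device(log_text):
    """Map each destination host to the set of cluster-relevant ports on which
    it accepted a connection. DENY lines are skipped: a blocked attempt says
    nothing about whether the device is actually listening."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(1) != "ALLOW":
            continue
        dst, dport = m.group(4), int(m.group(5))
        if any(dport in sig for sig in CLUSTER_PORTS.values()):
            seen[dst].add(dport)
    return seen

def classify(log_text):
    """Return {device: cluster}. A device showing a cluster's full port set is
    reported by name; one showing only part of a set is 'partial:<cluster>'
    so it can be queued for a follow-up port check rather than ignored."""
    results = {}
    for dst, ports in ports_per_device(log_text).items():
        full = [n for n, sig in CLUSTER_PORTS.items() if sig <= ports]
        partial = [n for n, sig in CLUSTER_PORTS.items() if ports & sig]
        results[dst] = full[0] if full else "partial:" + partial[0]
    return results
```

Run `classify(SAMPLE_LOGS)` to get the per-device verdicts; hits on a SOHO router or VPN appliance should be treated as a lead for firmware review and IOC hunting, not as proof of compromise on their own.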
Bulgaria (1,093), the U.S. (733), and Ukraine (697) have the highest numbers of infected devices. In a further sign of evolving tactics, the threat actors are now using a new backdoor known as UPDTAE, which creates an HTTP-based reverse shell, allows them to take remote control of infected devices, and executes commands supplied by a command-and-control (C2) server. The researchers assess that the activity is probably the work of a Chinese state-sponsored threat actor; however, the actual objective of the botnet, and who is behind it, remain unclear.
Impact
- Unauthorized Access
- Denial of Service
- Security Bypass
- Operational Disruption
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Keep operating systems upgraded and patched.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique ones.
- Keep devices' firmware and software up to date to ensure that known vulnerabilities are patched.
- Implement firewalls and intrusion detection systems to monitor and control traffic to and from IoT devices.
- Employ tools that can identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling security features provided by the device manufacturer.
- Deploy intrusion detection and prevention systems (IDS/IPS) to monitor for anomalous or malicious network activity.
- Set up alerts for unusual traffic patterns that might indicate a DDoS attack or a compromised device.