The operators behind the Quad7 botnet, a sophisticated cybercriminal group targeting SOHO routers and VPN appliances, have recently expanded their operations with new tactics and tools. These developments, uncovered by the Sekoia TDR team, reveal that the Quad7 operators are rapidly evolving their botnet infrastructure to improve stealth and evasion, making it increasingly difficult to track their activities. This article explores the latest findings, including new botnet clusters, compromised devices, and the potential next steps of the Quad7 operators.
The Quad7 Botnet: An Expanding Network of Compromised Devices
The Quad7 botnet, also known as the 7777 or xlogin botnet, is primarily composed of compromised TP-Link routers that have been hijacked to create a network of infected devices. These routers are controlled via two key ports: TELNET/7777, which hosts a password-protected bind shell with root privileges, and port 11288, which operates a Socks5 proxy. The Socks5 proxy is mainly used for relaying brute force attacks on Microsoft 365 accounts, enabling the Quad7 operators to bypass detection and extend their reach.
In addition to TP-Link routers, the Quad7 operators have compromised a variety of other SOHO routers and VPN appliances, including models from Asus, Zyxel, Netgear, D-Link, and Axentra. By exploiting multiple vulnerabilities—some previously unknown—this group has steadily expanded its botnet, infecting thousands of devices globally. This makes the Quad7 botnet a formidable threat, capable of conducting large-scale brute force attacks and other malicious activities.
Evolution of the Toolset: New Backdoors and Reverse Shells
One of the most concerning developments is the Quad7 operators’ efforts to evolve their toolset. The Sekoia team discovered that they are experimenting with new protocols, including HTTP reverse shells, which allow for more stealthy data exfiltration and command-and-control operations. Traditionally, the botnet relied on simple Socks proxies to relay attacks, but the introduction of HTTP reverse shells indicates a shift toward more sophisticated techniques designed to evade tracking and interception.
These reverse shells can enable the attackers to maintain persistent access to compromised systems while minimizing the risk of detection. By using more advanced communication methods, the Quad7 botnet operators are positioning themselves to operate with greater stealth, making it more challenging for cybersecurity teams to monitor and disrupt their activities.
A Growing Family of Botnets: *Login Variants
The Quad7 operators manage a collection of botnets, each associated with different brands of compromised routers. These botnets are internally referred to as the *login family, with names like alogin, xlogin, rlogin, axlogin, and zylogin, corresponding to different types of devices and TCP ports used for control.
- Alogin Botnet: Composed of compromised Asus routers, this botnet operates on TELNET/63256, with the bind shell offering root privileges. A Socks5 proxy runs on port 63260, often used to relay attacks on internet-exposed services such as VPN, Telnet, and SSH. This botnet has been active since at least July 2023, with a peak of infected devices observed in mid-2024.
- Xlogin Botnet: Centered around TP-Link routers, this botnet has been in operation for a longer period. As of mid-2024, it has been in decline, with fewer new infections observed in recent months.
- Rlogin Botnet: Targeting Ruckus Wireless devices, this variant is newer and smaller, with only 213 infected devices as of August 2024. It operates on TELNET/63210 and features a password-protected bind shell, but unlike the other *login botnets, it does not open a proxy port on the compromised devices. The first infections were detected in June 2024.
- Axlogin and Zylogin Botnets: These variants target Axentra NAS devices and Zyxel VPN appliances, respectively. While axlogin has not been observed in widespread use, zylogin currently affects only eight devices. Both are relatively small in scale compared to the alogin and xlogin botnets.
This growing family of botnets illustrates the Quad7 operators’ ability to diversify their attack methods and adapt to different device types and environments. By targeting multiple brands and using a range of vulnerabilities, they can maximize their reach while avoiding detection by focusing on less-monitored systems.
Tracking Challenges and Future Threats
The Quad7 botnet operators are becoming increasingly difficult to track, particularly as they introduce new stealthy protocols and move away from open Socks proxies. Sekoia’s forensic analysis revealed that the Quad7 group is actively developing methods to avoid detection, which could soon render traditional tracking techniques ineffective.
One of the biggest challenges is the operators’ use of staging servers, which are frequently updated and repurposed to launch new attacks. These servers are often used to host implants and malware samples, providing a glimpse into the group’s evolving tactics. For example, one staging server was found hosting an alogin sample on VirusTotal, leading to the discovery of a new variant, rlogin, which targets Ruckus devices. This discovery underscores the operators’ continuous experimentation and development of new tools.
Without enhanced interception and detection capabilities, cybersecurity teams may struggle to keep pace with the Quad7 botnet’s evolution. As the group refines its techniques and expands its botnet, it is likely that future attacks will be harder to detect and more damaging.
Mitigation and Defensive Strategies
Given the growing threat posed by the Quad7 botnet operators, it is crucial for organizations to take proactive steps to protect their networks. This includes:
- Regular Patching: Ensuring that all SOHO routers and VPN appliances are regularly updated to patch known vulnerabilities is critical. Many of the devices compromised by Quad7 were infected via unpatched exploits, some of which were previously unknown.
- Network Segmentation: Isolating vulnerable devices from critical infrastructure can help limit the impact of a botnet infection. This is particularly important for routers and VPN appliances, which are often prime targets for botnet operators.
- Enhanced Monitoring: Implementing advanced monitoring and threat detection systems to identify unusual traffic patterns and unauthorized access attempts can help detect botnet activity before it spreads.
- Disable Unused Services: Closing unnecessary ports and disabling services like Telnet can reduce the attack surface and prevent unauthorized access to devices.
Conclusion
The Quad7 botnet operators are a highly adaptive and evolving threat, targeting a wide range of devices to build their botnet. With new tools like HTTP reverse shells and an expanding array of botnet clusters, the group is becoming harder to track and disrupt. As they continue to refine their techniques, organizations must stay vigilant, update their defenses, and monitor for signs of infection. The discovery of new botnet clusters tied to Quad7 is a clear indication that this group is far from finished, and future attacks are likely to be even more stealthy and damaging.