Network Firewalls, Network Access Control , Security Operations
Quad7 Botnet Operators Expand Targets, Aim for Stealth
VPN Endpoints, Wireless Routers and Network-Attached Storage Devices Are TargetsOperators behind a mysterious botnet named for a TCP routing port number are expanding the universe of targeted devices and taking steps to hide their infrastructure, warn Sekoia researchers.
See Also: Enhanced Security Resilience for Federal Government
The 7777 - or Quad7 - botnet appears to have emerged in 2023 and was primarily composed of hacked TP-Link routers. Sekoia on Monday said botnet operators seem to be compromising Zyxel VPN endpoints, Ruckus wireless routers and Axentra network-attached storage devices.
Researchers also track the botnet as "xlogin," since infected devices display a version of xlogin:
banners, with variants corresponding to infected devices. The axlogin
appears to be deployed on Axentra media servers, while rlogin
is tied to Ruckus wireless routers. Sekoia said it recently observed a decline in the xlogin
botnet that consists mostly of TP-Link routers.
Publicity generated by mounting researcher attention is apparently nudging operators into taking steps to hide their infrastructure. The hackers might also have decided that exposing a login interface on compromised routers is tantamount to letting other hackers take control of their bots. The researchers found evidence of backdoors acting as HTTP reverse shells beaconing back to a command-and-control server every 30 seconds. Still, the backdoor code "is poorly designed with several mistakes and remains very simple," Sekoia said.
Reverse shells aren't the only obfuscation technique Quad7 operators have embraced. They also now use the KCP communications protocol over UDP to control a tool dubbed "FysNet." Operators' adoption of KCP could indicate a shift from using simple open SOCKS proxies - making it harder for internet scanning engines and security researchers to track Quad7 bots.
Infected ASUS, De-Link and Netgear networking appliances also now may carry a netd
binary whose purpose appears to be converting the device into an operational relay box relay node. Unfortunately for cyber defenders, the binary's listening port is randomized for each infected device, "making wide-scale scanning for compromised appliances impossible."
"The development of new tools, such as HTTP reverse shells and the use of more secure communication protocols like KCP, suggests they are actively working to evade detection and complicate efforts to attribute their activities," Sekoia said of Quad7 operators.