Quad7 botnet operators have expanded their operations to target small office/home office (SOHO) routers and VPN appliances, including devices from TP-Link, Zyxel, Asus, Axentra, D-Link, and Netgear. To support this, they are evolving their toolset with a new reverse shell.
The Quad7 botnet is known for using ports 7777 and 11288 to facilitate brute force attacks, particularly targeting Microsoft 365 accounts through its SOCKS5 proxy. However, the operators are now developing more complex tools, including HTTP reverse shells, to improve their stealth.
Researchers have tracked the login clusters, which include the alogin, xlogin, axlogin, rlogin, and zylogin botnets. These clusters target different types of routers and devices, from Asus to Zyxel VPN appliances.
The alogin botnet, for instance, uses compromised Asus routers, with ports 63256 and 63260 opened to facilitate brute force attempts on services such as VPNs, Telnet, and SSH. The rlogin botnet, meanwhile, appears to have a smaller footprint, with just over 200 devices compromised.
Similarly, axlogin targeted Axentra and zylogin was deployed to hijack Zyxel VPNs.
As researchers continued to track Quad7’s developments, they discovered that the operators are moving away from open SOCKS proxies, a method commonly used to relay attacks. The botnet operators are now testing new reverse shells, referred to as the “UPDTAE backdoor,” designed to communicate via HTTP rather than through traditional proxy methods.
Researchers have discovered that three implants of this new reverse shell have been activated, targeting Asus routers and Axentra NAS devices.
“Besides the discovery of the new login samples, we also found three backdoors acting as HTTP-based reverse shells, nicknamed UPDTAE backdoor because of a typo. These backdoors seem to be currently tested by the operators prior to deployment on compromised routers,” researchers said.
This strategic shift allows the botnet to evade detection by researchers and scanning engines that rely on identifying open ports. This approach, driven by a desire to remain under the radar, is a direct response to the increased scrutiny by the cybersecurity community, researchers believe.
By avoiding login interfaces on compromised routers, Quad7 operators aim to complicate efforts to track their operations and prevent other threat actors from hijacking their infrastructure.
In a further twist, researchers discovered that the Quad7 operators have been working on a new project, FsyNet, which uses the KCP communication protocol. KCP offers reliability similar to TCP but with lower latency, giving the botnet operators faster and more reliable communication channels.
The new communication layer opens UDP ports, further obfuscating the operators’ activities. The FsyNet project was first identified in compromised Ruckus Wireless devices, but it appears the operators are testing these tactics on various platforms, potentially expanding their reach.
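The article gives defenders two concrete things to look for: routers accepting connections from the internet on the Quad7 ports named above (7777 and 11288 for the SOCKS5 proxy, 63256 and 63260 for the alogin cluster), and routers that start talking UDP to outside hosts on unusual ports once FsyNet's KCP transport is in play. The following script is an added example, not code from the article or from the researchers it cites. It applies both checks to a constructed slice of a Zeek-style conn.log; the column order, the set of monitored router addresses (RFC 5737 documentation addresses), and the allowlist of UDP ports a router normally uses are all assumptions of the example, and the UDP check is a heuristic that needs tuning per environment rather than a signature.

```python
"""Flag Quad7-style indicators in Zeek-style conn.log lines (constructed sample).

Heuristics taken from the article:
  * TCP connection from an external host to a router on 7777/11288 (SOCKS5
    proxy) or 63256/63260 (alogin relay)         -> KNOWN_PORT
  * UDP conversation between a router and an external peer on a port outside
    the allowlist (FsyNet's KCP runs over UDP)    -> UDP_UNUSUAL (heuristic)
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Indicator ports named in the article.
QUAD7_TCP_PORTS = {7777: "socks5-proxy", 11288: "socks5-proxy",
                   63256: "alogin-relay", 63260: "alogin-relay"}

# UDP ports a SOHO router or VPN appliance normally talks on (DNS, DHCP, NTP,
# IKE, OpenVPN, WireGuard). This allowlist is an assumption of the example.
BENIGN_UDP_PORTS = {53, 67, 68, 123, 500, 4500, 1194, 51820}

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Column order assumed for the conn.log slice (Zeek default order, trimmed).
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto"]


def parse_conn(line):
    """Return a dict for one tab-separated record, or None for comments/blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["orig_p"] = int(rec["orig_p"])
    rec["resp_p"] = int(rec["resp_p"])
    return rec


def is_external(addr, routers):
    """An address is 'external' when it is neither a monitored router nor RFC1918."""
    if addr in routers:
        return False
    return not any(ip_address(addr) in net for net in RFC1918)


def analyze(lines, routers):
    """Apply both heuristics; returns (router, peer, port, proto, reason) tuples."""
    findings = []
    for line in lines:
        rec = parse_conn(line)
        if rec is None:
            continue
        orig, resp, proto = rec["orig_h"], rec["resp_h"], rec["proto"].lower()
        # Heuristic 1: an outside host reaches a router on a Quad7 port, i.e.
        # the router is exposing the proxy/login service the article describes.
        if proto == "tcp" and resp in routers and is_external(orig, routers):
            tag = QUAD7_TCP_PORTS.get(rec["resp_p"])
            if tag:
                findings.append((resp, orig, rec["resp_p"], "tcp", "KNOWN_PORT:" + tag))
        # Heuristic 2: router <-> external peer over UDP on a non-allowlisted
        # port, in either direction, since KCP sessions can be opened from
        # either side. Expect some false positives (QUIC, games, STUN).
        if proto == "udp":
            if orig in routers and is_external(resp, routers):
                router, peer = orig, resp
            elif resp in routers and is_external(orig, routers):
                router, peer = resp, orig
            else:
                continue
            if rec["resp_p"] not in BENIGN_UDP_PORTS and rec["orig_p"] not in BENIGN_UDP_PORTS:
                findings.append((router, peer, rec["resp_p"], "udp", "UDP_UNUSUAL"))
    return findings


def per_router(findings):
    """Count findings per router so the noisiest device surfaces first."""
    return Counter(f[0] for f in findings)


# Constructed sample: two routers on documentation addresses with a mix of
# benign and suspect flows. 198.51.100.x plays the role of the internet.
ROUTERS = {"203.0.113.10", "203.0.113.20"}
SAMPLE_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1700000001.1\tC1\t198.51.100.7\t51112\t203.0.113.10\t7777\ttcp
1700000002.2\tC2\t198.51.100.7\t51113\t203.0.113.10\t63256\ttcp
1700000003.3\tC3\t192.168.1.5\t40001\t203.0.113.10\t443\ttcp
1700000004.4\tC4\t203.0.113.20\t123\t198.51.100.9\t123\tudp
1700000005.5\tC5\t203.0.113.20\t34567\t198.51.100.9\t40217\tudp
1700000006.6\tC6\t198.51.100.22\t60000\t203.0.113.20\t80\ttcp
1700000007.7\tC7\t198.51.100.22\t60001\t203.0.113.10\t11288\ttcp
1700000008.8\tC8\t192.168.1.5\t40002\t203.0.113.10\t63260\ttcp
""".splitlines()

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG, ROUTERS)
    for finding in results:
        print(finding)
    print(per_router(results))
```

On the sample, the LAN-side management session (C3) and the internal client hitting 63260 (C8) are deliberately not flagged: the first heuristic is about internet exposure of the proxy ports, and a LAN client on the same port is a different question. The NTP flow (C4) drops out through the allowlist, while the 40217/udp conversation (C5) is reported for a look. In production, feed real conn.log output and replace `ROUTERS` with the WAN addresses of the devices you own.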
“It is critical for defenders to stay vigilant, adapt their detection methods, and continue to track these actors closely as they evolve,” researchers concluded.