Quad7 Botnet Evolves: New Targets, New Threats
Researchers from Sekoia have reported on the evolution of the Quad7 botnet (also tracked as the "7777" botnet, after the TCP port its original implant listens on), which has begun targeting new device families, including Axentra media servers, Ruckus wireless access points, and Zyxel VPN appliances. The operators exploit vulnerabilities in SOHO routers and VPN devices, such as those from TP-Link, Zyxel, Asus, D-Link, and Netgear, to compromise them and enrol them in the botnet.
According to Sekoia's researchers, the Quad7 botnet is used to launch distributed brute-force attacks against VPN, Telnet, SSH, and Microsoft 365 accounts, with each compromised device contributing only a few attempts so that no single source trips per-IP lockout thresholds. The recent Sekoia report also identified new staging servers controlling the botnet, as well as new classes of network devices among its targets.
The botnet operators have segmented the compromised devices into five clusters (alogin, xlogin, axlogin, rlogin, and zylogin), each aimed at a specific type of equipment. For example, alogin targets Asus routers, while rlogin attacks Ruckus Wireless devices. Although the alogin and xlogin clusters each comprise thousands of devices, rlogin had only 213 at the time of the report, smaller in scale but still a usable attack platform. The remaining two clusters, axlogin and zylogin, focus on Axentra NAS units and Zyxel VPN appliances respectively.
A distinctive aspect of Quad7 is its use of compromised TP-Link routers (the xlogin cluster) as relays for attacks on Microsoft 365 accounts. Infected devices expose a remote administration service and a proxy endpoint to the internet, so the operators can both manage the implant and route authentication attempts through the victim's residential IP address, which makes the traffic look like ordinary home-user sign-ins rather than a single attacking host.
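The detection angle that follows from the two paragraphs above is that each relay contributes only a handful of failures, so per-source lockouts never fire. The following is an added example, not code from Sekoia or from the article, of a detector that looks for the distributed pattern instead: many accounts, many sources, each source staying under a small per-source count within a short window. The log format and the sample lines are constructed for illustration; the thresholds are assumptions a defender would tune to their own sign-in volume.

```python
"""Distributed password-spray detector (added example; constructed sample data)."""
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): timestamp, account, source IP, outcome.
# Many residential-looking sources, each failing once or twice, across many accounts.
SPRAY_LOG = """\
2024-09-10T08:00:01Z alice@example.com 198.51.100.10 FAIL
2024-09-10T08:00:09Z bob@example.com 198.51.100.23 FAIL
2024-09-10T08:00:20Z carol@example.com 203.0.113.7 FAIL
2024-09-10T08:00:31Z dave@example.com 203.0.113.44 FAIL
2024-09-10T08:00:45Z erin@example.com 192.0.2.99 FAIL
2024-09-10T08:01:02Z frank@example.com 198.51.100.10 FAIL
2024-09-10T08:01:15Z alice@example.com 203.0.113.7 FAIL
2024-09-10T08:01:40Z grace@example.com 192.0.2.120 FAIL
2024-09-10T08:02:03Z alice@example.com 192.0.2.5 OK
2024-09-10T09:30:00Z heidi@example.com 192.0.2.200 FAIL
"""

# Constructed contrast case: a classic single-source brute force. A per-IP lockout
# catches this one; the distributed detector below deliberately does not claim it.
SINGLE_SOURCE_LOG = """\
2024-09-10T10:00:01Z alice@example.com 198.51.100.77 FAIL
2024-09-10T10:00:02Z bob@example.com 198.51.100.77 FAIL
2024-09-10T10:00:03Z carol@example.com 198.51.100.77 FAIL
2024-09-10T10:00:04Z dave@example.com 198.51.100.77 FAIL
2024-09-10T10:00:05Z erin@example.com 198.51.100.77 FAIL
2024-09-10T10:00:06Z frank@example.com 198.51.100.77 FAIL
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, account, source, outcome) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, src, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_distributed_spray(events, window=timedelta(minutes=30),
                             min_accounts=5, min_sources=5, max_per_source=3):
    """Return alerts for windows in which failures span many accounts and many sources
    while every source stays at or below max_per_source (the low-and-slow profile).
    One alert is raised when the condition first becomes true; it re-arms once the
    window drains below the thresholds."""
    recent = deque()          # failures inside the sliding window
    alerts = []
    armed = True
    for ts, account, src, outcome in events:
        if outcome != "FAIL":
            continue
        recent.append((ts, account, src))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        accounts = {a for _, a, _ in recent}
        per_source = Counter(s for _, _, s in recent)
        low_and_slow = all(n <= max_per_source for n in per_source.values())
        hit = len(accounts) >= min_accounts and len(per_source) >= min_sources and low_and_slow
        if hit and armed:
            alerts.append({"at": ts, "accounts": sorted(accounts), "sources": sorted(per_source)})
            armed = False
        elif not hit:
            armed = True
    return alerts


if __name__ == "__main__":
    for alert in detect_distributed_spray(parse_events(SPRAY_LOG)):
        print(f"{alert['at'].isoformat()} spray from {len(alert['sources'])} sources "
              f"against {len(alert['accounts'])} accounts: {', '.join(alert['sources'])}")
    print("single-source alerts:", detect_distributed_spray(parse_events(SINGLE_SOURCE_LOG)))
```

The `sources` list in each alert is the useful output: the IPs are the relays, so they belong in a block list and in a cross-check against whatever you know about residential or SOHO address space, while the accounts are the ones to force a credential reset on. Run over the constructed spray log the detector raises a single alert at 08:00:45 naming five relay addresses; run over the single-source log it raises none, because that pattern is the per-IP lockout's job.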
The researchers also uncovered a new backdoor, which they named UPDTAE after a typo in its code ("UPDTAE" for "UPDATE"). This backdoor gives the operators remote control of infected devices over reverse HTTP connections: the implant calls out to an operator-controlled server rather than listening for inbound connections, which both works through NAT and avoids exposing a new listening port that scanners could spot.
In recent months, Quad7's operators have refined how they manage the botnet, adopting more covert methods of moving traffic. Instead of relaying through open SOCKS proxies on the compromised devices, which anyone running an internet-wide scan could enumerate and which researchers used to measure the botnet, they have switched to the KCP protocol, a reliable transport layered on UDP that trades somewhat higher bandwidth use for lower latency than TCP. A new tool, FsyNet, carries the operators' traffic over KCP, blending it into ordinary UDP flows and making it harder to detect than a listening proxy port.
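Because KCP has a fixed, recognisable 24-byte segment header, a defender watching UDP traffic to or from a router can at least test whether a flow is plaintext KCP. The following is an added example, not code from Sekoia or from FsyNet itself, of that check: a parser for KCP's header as laid out by the reference ikcp implementation (little-endian conv, cmd, frg, wnd, ts, sn, una, len; commands 81 to 84), plus a flow-level heuristic that requires every datagram to parse and to share one conversation id. The sample datagrams are constructed. It assumes the stream is unencrypted KCP; the article does not say whether FsyNet wraps KCP in a cipher layer, and if it does this header check will not fire and flow features (packet sizes, timing, destination) are all that remain.

```python
"""KCP segment parser and flow heuristic (added example; constructed sample datagrams)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Reference ikcp header: conv u32, cmd u8, frg u8, wnd u16, ts u32, sn u32, una u32, len u32 (LE).
KCP_HEADER = struct.Struct("<IBBHIIII")
KCP_CMD_PUSH, KCP_CMD_ACK, KCP_CMD_WASK, KCP_CMD_WINS = 81, 82, 83, 84
KCP_CMDS = {KCP_CMD_PUSH: "PUSH", KCP_CMD_ACK: "ACK", KCP_CMD_WASK: "WASK", KCP_CMD_WINS: "WINS"}


@dataclass
class KcpSegment:
    conv: int
    cmd: str
    frg: int
    wnd: int
    ts: int
    sn: int
    una: int
    payload: bytes


def parse_kcp_datagram(data: bytes) -> Optional[List[KcpSegment]]:
    """Parse one UDP payload as a run of KCP segments (ikcp packs several per datagram).
    Returns None on anything that a plaintext KCP sender would never emit."""
    segments = []
    off = 0
    conv = None
    while off < len(data):
        if len(data) - off < KCP_HEADER.size:
            return None                      # trailing bytes too short for a header
        c, cmd, frg, wnd, ts, sn, una, length = KCP_HEADER.unpack_from(data, off)
        if cmd not in KCP_CMDS:
            return None                      # unknown command byte
        if conv is None:
            conv = c
        elif c != conv:
            return None                      # all segments in a datagram share the conv id
        off += KCP_HEADER.size
        if len(data) - off < length:
            return None                      # declared length overruns the datagram
        if cmd != KCP_CMD_PUSH and length != 0:
            return None                      # heuristic: only PUSH carries data in ikcp
        segments.append(KcpSegment(c, KCP_CMDS[cmd], frg, wnd, ts, sn, una, data[off:off + length]))
        off += length
    return segments or None


def flow_is_kcp(datagrams: List[bytes]) -> Optional[int]:
    """Return the conversation id if every datagram in a flow parses as KCP with one conv, else None."""
    conv = None
    for d in datagrams:
        segs = parse_kcp_datagram(d)
        if not segs:
            return None
        if conv is None:
            conv = segs[0].conv
        elif segs[0].conv != conv:
            return None
    return conv


def build_kcp_segment(conv: int, cmd: int, payload: bytes = b"", frg: int = 0,
                      wnd: int = 32, ts: int = 0, sn: int = 0, una: int = 0) -> bytes:
    """Encode one segment in ikcp's wire format; used here only to construct sample traffic."""
    return KCP_HEADER.pack(conv, cmd, frg, wnd, ts, sn, una, len(payload)) + payload


if __name__ == "__main__":
    # Constructed flow: an ACK and a PUSH packed into one datagram, then a window update.
    flow = [
        build_kcp_segment(0x1234, KCP_CMD_ACK, una=1) + build_kcp_segment(0x1234, KCP_CMD_PUSH, b"hello", sn=1),
        build_kcp_segment(0x1234, KCP_CMD_WINS),
    ]
    print("conv id:", flow_is_kcp(flow))                # 0x1234
    print("zeros:", parse_kcp_datagram(b"\x00" * 40))   # None
```

The flow-level check matters more than the per-datagram one: a single 24-byte-aligned packet can parse by accident, but a sustained UDP flow from a router in which every payload parses and the conv id never changes is a strong indicator, and the conv id itself is a pivot for grouping all devices talking to the same operator endpoint.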
The researchers emphasize that Quad7 is actively adapting. Earlier mistakes, such as poorly written code and reliance on open proxies, exposed the botnet to enumeration and takedown efforts. Its operators are now learning from those errors, tightening their tooling and obfuscation and reducing the footprint that defenders can scan for.