fbpx
Tuesday, September 17, 2024
Cyber SecurityTechnology

Quad7 botnet targets more SOHO and VPN routers, media servers

by Wire Tech

The Quad7 botnet is evolving its operation by targeting additional SOHO devices with new custom malware for Zyxel VPN appliances, Ruckus wireless routers, and Axentra media servers.

This comes in addition to the TP-Link routers reported previously by Sekoia, and first reported by researcher Gi7w0rm, who gave the botnet its name due to targeting port 7777. Also, the ASUS routers targeted by a separate cluster discovered by Team Cymru two weeks later.

Sekoia has compiled a new report warning about the evolution of Quad7, which includes setting up new staging servers, launching new botnet clusters, employing new backdoors and reverse shells, and moving away from SOCKS proxies for a stealthier operation.

The continued evolution of the botnet shows that its creators were not deterred by the mistakes exposed by cybersecurity analysis and are now transitioning to more evasive technologies.

Trending
Unprecedented diarrheal outbreak erupts in UK as cases spike 3x above usual

Quad7's operational goal remains murky, possibly for launching distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.

New clusters target Zyxel and Ruckus

The Quad7 botnet comprises several subclusters identified as variants of *login, with each of them targeting specific devices and displaying a different welcome banner when connecting to the Telnet port.

For example, the Telnet welcome banner on Ruckus wireless devices is 'rlogin,' as illustrated by the Censys result below.

Infected Ruckus device found on Censys
Infected Ruckus device found on Censys
Source: BleepingComputer

The complete list of malicious clusters and their welcome banners are:

  • xlogin – Telnet bound to TCP port 7777 on TP-Link routers
  • alogin – Telnet bound to TCP port 63256 on ASUS routers
  • rlogin – Telnet bound to TCP port 63210 on Ruckus wireless devices.
  • axlogin – Telnet banner on Axentra NAS devices (Porn unknown as not seen in the wild)
  • zylogin – Telnet bound to TCP port 3256 on Zyxel VPN appliances

Some of these large clusters, like 'xlogin' and 'alogin', compromise several thousand devices.

Others, like 'rlogin,' which started around June 2024, only count 298 infections as of this publication. The 'zylogin' cluster is also very small, with only two devices. The axlogin cluster does not show any active infections at this time.

Still, these emerging subclusters could spring out of their experimental phase or incorporate new vulnerabilities that target more widely exposed models, so the threat remains significant.

Quad7's subclusters
Quad7's subclusters
Source: Sekoia

Evolution in communication and tactics

Sekoia's latest findings show that the Quad7 botnet has evolved significantly in its communication methods and tactics, focusing on detection evasion and better operational effectiveness.

First, the open SOCKS proxies, in which the botnet relied heavily on previous versions for relaying malicious traffic, such as brute-forcing attempts, are being phased out.

Instead, Quad7 operators now utilize the KCP communication protocol to relay attacks via a new tool, ' FsyNet,' that communicates over UDP, making detecting and tracking much harder.

FsyNet's communication decryption process
Source: Sekoia

Also, the threat actors now utilize a new backdoor named 'UPDTAE' that establishes HTTP reverse shells for remote control on the infected devices.

This allows the operators to control the devices without exposing login interfaces and leaving ports open that are easily discoverable via internet scans, like Censys.

Reverse shell communication
Source: Sekoia

There's also experimentation with a new 'netd' binary that uses the darknet-like protocol CJD route2, so an even stealthier communication mechanism is likely in the works.

To mitigate the risk of botnet infections, apply your model's latest firmware security update, change the default admin credentials with a strong password, and disable web admin portals if not needed.

If your device is no longer supported, you are strongly advised to upgrade to a newer model that continues to receive security updates.

Related Articles:

French police push PlugX malware self-destruct payload to clean PCs

SpyAgent Android malware steals your crypto recovery phrases from images

Zyxel warns of critical OS command injection flaw in routers

GitHub comments abused to push password stealing malware masked as fixes

New Voldemort malware abuses Google Sheets to store stolen data

________________________________________________________________________________________________________________________________
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________

You may also like

Google Fixes GCP Composer Flaw That Could’ve Led to Remote Code Execution

North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware

Microsoft fixes bug crashing Microsoft 365 apps when typing

Apple Drops Spyware Case Against NSO Group, Citing Risk of Threat Intelligence...

US cracks down on spyware vendor Intellexa with more sanctions

Windows vulnerability abused braille “spaces” in zero-day attacks

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

Unlock the Power of Technology with Tech-Wire: The Ultimate Resource for Computing, Cybersecurity, and Mobile Technology Insights

  • Mumbai, India
  • Email: info@tech-wire.in

Recent Posts

Google backs privately funded satellite constellation for wildfire detection
Ban warnings fly as users dare to probe the “thoughts”...
The Most Popular Social Apps Among Gen Z Consumers [Infographic]

Userful Links

Our Policies

POPULAR CATEGORIES

Copyright @2023 All Right Reserved 

Facebook Twitter Instagram Linkedin Rss
@2021 - All Right Reserved. Designed and Developed by PenciDesign