Botnets attack routers to gain control over these devices, turning them into “zombies” that can be used to carry out malicious activities.
While they execute all their illicit activities without getting detected, and they do activities like DDoS attacks, spreading malware, facilitating further network intrusions, and many more.
In October 2023, Gi7w0rm first referenced the “7777 botnet,” a network of about 10,000 nodes mainly involved in low-volume brute-force attacks on Microsoft Azure instances, making detection difficult with only 2-3 login attempts per week.
Initially thought to target VIP users, Sekoia’s research later discovered that there was no clear targeting pattern.
Besides this Team Cymru warned of this new botnet, as they unveiled this new botnet has been attacking the ASUS routers and opens port 63256.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
Botnet Attacking ASUS Routers
The botnet, named for its unique use of TCP port 7777 on compromised routers, returns an xlogin: banner when scanned.
Attributions link Quad7 to cybercrime and state-sponsored activities, but the true operators remain unknown.
It can happen that you find Quad7 bots by checking if they have IP addresses with an open port 7777 showing the xlogin: banner.
One such scan over a period of thirty days recently revealed 7038, comparatively smaller than the 10,000 nodes reported by Gi7w0rm in October.
There are several reasons why this may be different from the initial findings which could have covered longer time periods or been done at shorter intervals.
Not only that even it might be also possible that users may have cleaned up their devices since then or updated their firmware to prevent attacks on their routers.
Despite this, Quad7 is still active and its main victims include Hikvision as well as TP-Link devices including the TP-LINK WR841N router.
In addition to this, some affected units also indicated an opened port 11288 which is used by a SOCKS5 proxy to direct traffic into third-party servers that are primarily targeting Microsoft Office 365 accounts using the brute-force attack method.
This proxy service was traced back to a GitHub user in Hangzhou, China who developed it under an open-source project.
This kind of specific insight into hardware models being targeted and botnet activity has proven helpful to security teams, including Team Cymru, working towards tracking and disrupting the operations of these networks.
Open port 11288 was found on the hosts in question, presenting a common banner (x05xff), prompting questions regarding the “7777 botnet.”
A growth has been observed, which added more than five thousand new ‘zombie’ devices, roughly 12,783 hosts were identified during the search for banners on ports 7777 (xlogin:) and 63256 (alogin:).
There is an alteration in TP-LINK routers associated with the 7777 botnet and ASUS routers linked to the 63256 botnet.
NetFlow analysis indicated that there are seven management IP addresses for both these botnets consequently unveiling their operational aspects besides connecting two infrastructures together.
Despite attempts to drain its effects, Quad7 remains a big-time adaptable threat.
Recommendations
Here below we have mentioned all the recommendations:-
- Maintain Up-to-Date Firmware
- Implement Robust Security Practices
- Continued Vigilance and Proactive Measures
- Collaboration and Information Sharing
- Utilize Advanced Tracking Tools
IoCs
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download