The Quad7 botnet campaign has expanded its scope by targeting more SOHO devices using a new malware that compromises Zyxel VPN appliances, Ruckus wireless routers, and Axentra media servers.
These new campaigns come on top of the TP-Link router attacks previously discovered by researchers, who named the botnet Quad7 after the port it targeted, 7777. Moreover, the researchers acquired a new report warning of Quad7’s evolution: new staging servers, new botnet clusters, new backdoors and reverse shells, and a move away from SOCKS proxies toward more discreet cybercriminal activity.
The botnet’s ongoing evolution shows that the operational flaws exposed by security researchers did not discourage the malware authors, who are now trying to develop more evasive tooling. Its operational purpose is still a mystery, but it could be used to execute widespread brute-force attacks on Telnet, SSH, VPN, and Microsoft 365 accounts.
The Quad7 botnet campaign includes Zyxel and Ruckus in its targeted scope.
According to investigations, the Quad7 botnet comprises multiple subclusters known as ‘*login’ variations, each targeting a specific device type and displaying a particular welcome banner when connected to on the Telnet port.
Researchers also noted that massive clusters, such as ‘xlogin’ and ‘alogin,’ contain several thousand devices.
Others, such as ‘rlogin,’ which started a couple of months ago, only have 298 infections. The zylogin cluster is relatively modest, including only two machines. There are currently no infections in the axlogin cluster.
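Because each subcluster announces itself with a distinctive Telnet banner, a defender who already inventories the listening services on their own SOHO devices can flag a compromised box from that banner alone. The following is an added example, not code from the article or from the researchers it cites: it triages constructed inventory lines of the form `host,port,banner` and reports any device whose banner carries one of the cluster names the article lists, or that listens on port 7777 without a recognisable banner. The assumption (labelled in the code) is that the banner text contains the cluster name, as the researchers’ naming convention suggests; the log format and the sample hosts are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Subcluster names taken from the article. Assumption: the Telnet welcome
# banner of an infected device contains the cluster name, which is how the
# researchers appear to have named the clusters.
QUAD7_CLUSTERS = ("axlogin", "zylogin", "xlogin", "alogin", "rlogin")

# The port the botnet was originally named after.
QUAD7_PORT = 7777


@dataclass(frozen=True)
class Observation:
    """One listening service seen on a device in our own inventory."""
    host: str
    port: int
    banner: str


def classify(obs: Observation) -> Optional[str]:
    """Return the matching cluster name, 'unknown-7777' for a port-7777
    listener with no recognised banner, or None for a benign service."""
    text = obs.banner.lower()
    for name in QUAD7_CLUSTERS:
        # Word boundaries keep 'xlogin' from matching inside 'axlogin'.
        if re.search(rf"\b{name}\b", text):
            return name
    if obs.port == QUAD7_PORT:
        return "unknown-7777"
    return None


def parse_inventory(lines: Iterable[str]) -> Iterable[Observation]:
    """Parse constructed 'host,port,banner' lines; the banner may be empty
    and may itself contain commas, so split at most twice."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",", 2)
        if len(parts) < 2:
            continue  # malformed line: skip rather than guess
        host, port = parts[0].strip(), parts[1].strip()
        banner = parts[2] if len(parts) == 3 else ""
        if not port.isdigit():
            continue
        yield Observation(host=host, port=int(port), banner=banner)


def triage(lines: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious host to its verdict; clean hosts are omitted."""
    verdicts: Dict[str, str] = {}
    for obs in parse_inventory(lines):
        verdict = classify(obs)
        if verdict is not None:
            verdicts[obs.host] = verdict
    return verdicts


# Constructed sample inventory (documentation-range addresses, made-up banners).
SAMPLE_INVENTORY = [
    "# host,port,banner",
    "192.0.2.10,7777,xlogin:",
    "192.0.2.11,23,Welcome to the router. login:",
    "192.0.2.12,7777,",
    "192.0.2.13,7777,alogin:",
    "192.0.2.14,22,SSH-2.0-OpenSSH_9.6",
    "192.0.2.15,7777,axlogin:",
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```

Run against the constructed inventory, the script flags the three hosts with cluster banners and the bare port-7777 listener, while the ordinary Telnet and SSH services on the other devices produce no finding. The `unknown-7777` verdict is deliberately conservative: a listener on that port with an unfamiliar banner is worth a closer look, not an automatic conviction.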
However, these emerging subclusters could emerge from their testing phase or integrate new vulnerabilities that target more widely exposed models, so the threat remains high. Therefore, users should install the most recent firmware security update for targeted models, replace the default admin credentials with a password that is harder to guess, and disable web admin portals if they are not required, to reduce the chance of botnet infection.
Researchers recommended that if a device is no longer supported or has reached its end of life, its owner should strongly consider upgrading to a newer model that will continue to receive security updates.