Stratos Ally

Quad7 Botnet Expands to Attack VPN Appliances and SOHO Routers  


StratosAlly


Quad7, commonly known as 7777, was first made public in October 2023 by independent researcher Gi7w0rm. That report highlighted the activity cluster's tendency to ensnare Dahua DVRs and TP-Link routers into a botnet. The botnet has been seen brute-forcing Microsoft 365 and Azure accounts. It gets its name from the fact that it opens TCP port 7777 on infected devices.

The Quad7 botnet is expanding its operations, targeting more SOHO devices with new custom malware for Ruckus wireless routers, Zyxel VPN appliances, and Axentra media servers. Using a combination of known and unknown vulnerabilities, the operators of the enigmatic Quad7 botnet are actively evolving, compromising SOHO routers and VPN appliances from multiple manufacturers. In a new study, Sekoia warns about the growth of Quad7, pointing out that it is using new backdoors and reverse shells, establishing new staging servers, initiating new botnet clusters, and abandoning SOCKS proxies in favor of more covert operations.

The researchers said that a unique piece of malware was created to infiltrate these endpoints. The botnet consists of different clusters for different kinds of devices. Each cluster is named as a variation of *login; Ruckus devices, for example, fall under the 'rlogin' cluster. Other clusters include xlogin, alogin, axlogin, and zylogin. Several of the clusters are comparatively large, with "thousands" of compromised devices in them; others are far smaller, with as few as two infections.

Earlier in January, Jacob Baines of VulnCheck stated, “The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume. The botnet doesn’t just start a service on port 7777. It also spins up a SOCKS5 server on port 11228”.  
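The two listening ports quoted above (TCP 7777 and the SOCKS5 server on 11228) are the most concrete network indicator the article gives, so here is an added detection example (not code from the article, Sekoia, or VulnCheck) that walks a Zeek-style conn.log and flags internal hosts that accepted inbound connections on both ports. The log lines are constructed, and the column layout (ts, orig_h, orig_p, resp_h, resp_p, proto, conn_state) is an assumption; conn_state "SF" means the connection was established normally, "REJ" means the port refused it.

```python
from collections import defaultdict

# Ports the article attributes to Quad7: the 7777 service and the SOCKS5 proxy.
QUAD7_PORTS = {7777: "quad7-service", 11228: "socks5-proxy"}

# Constructed sample in a Zeek-like conn.log layout (assumed column order):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
SAMPLE_CONN_LOG = """\
1718000000.1\t203.0.113.10\t51234\t192.168.1.1\t7777\ttcp\tSF
1718000001.2\t203.0.113.10\t51240\t192.168.1.1\t11228\ttcp\tSF
1718000002.3\t198.51.100.7\t40000\t192.168.1.1\t11228\ttcp\tSF
1718000003.4\t203.0.113.99\t40001\t192.168.1.50\t7777\ttcp\tREJ
1718000004.5\t198.51.100.7\t40003\t192.168.1.77\t7777\ttcp\tSF
1718000005.6\t192.168.1.20\t40002\t192.168.1.30\t443\ttcp\tSF
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; skip blanks and comments."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, orig_h, _orig_p, resp_h, resp_p, proto, state = line.split("\t")
        rows.append({"orig_h": orig_h, "resp_h": resp_h,
                     "resp_p": int(resp_p), "proto": proto, "state": state})
    return rows


def find_quad7_candidates(rows):
    """Map responder host -> confidence.

    Only *accepted* TCP connections (state SF) count: a REJ on 7777 shows the
    port is closed, not that the device is infected. A host that served both
    7777 and 11228 is 'high'; one Quad7 port alone is 'low'.
    """
    accepted = defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp" and r["state"] == "SF" and r["resp_p"] in QUAD7_PORTS:
            accepted[r["resp_h"]].add(r["resp_p"])
    return {host: ("high" if ports == set(QUAD7_PORTS) else "low")
            for host, ports in accepted.items()}


if __name__ == "__main__":
    for host, confidence in find_quad7_candidates(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{host}: {confidence}")
```

In the sample, 192.168.1.50 is not flagged because its only 7777 connection was rejected, while 192.168.1.1 served both ports and is reported with high confidence.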
