Quad7 Botnet Exploits Hacked Routers to Steal Credentials
Microsoft security experts have issued a warning that Chinese hackers are using the Quad7 botnet (also known as Botnet-7777, CovertNetwork-1658, and xlogin), which consists of thousands of compromised routers, to steal credentials and carry out password spray attacks.
The router-based botnet was first discovered in October 2023 by independent cybersecurity researcher Gi7w0rm, who named it Botnet-7777 due to its use of port 7777. Later, experts from Sekoia and Team Cymru reported that the botnet was aggressively targeting routers and network devices from TP-Link and Asus, Ruckus wireless devices, Axentra NAS, and Zyxel VPNs.
After breaching these devices, attackers deploy custom malware that enables remote access via Telnet and displays different banners depending on the compromised device:
- xlogin: Telnet bound to TCP port 7777 on TP-Link routers
- alogin: Telnet bound to TCP port 63256 on ASUS routers
- rlogin: Telnet bound to TCP port 63210 on Ruckus devices
- axlogin: Telnet on Axentra NAS devices (port unknown)
- zylogin: Telnet bound to TCP port 3256 on Zyxel VPN devices
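The banner and port pairs above are enough to check your own network for these backdoors. The following is an added example written for this article, not code from Microsoft, Sekoia or Team Cymru: it grabs whatever a listener on the reported ports sends first and classifies it by the login-prompt name. The regular expression, the host-side helper and the loopback fixture are assumptions; the real prompt may be preceded by Telnet negotiation bytes, so the match is a search rather than a prefix comparison.

```python
import re
import socket
import threading

# Reported Quad7 login prompts and the TCP ports they are bound to (from the list above).
# The Axentra "axlogin" port is not public, so only its banner name is known.
QUAD7_VARIANTS = {
    "xlogin": ("TP-Link router", 7777),
    "alogin": ("ASUS router", 63256),
    "rlogin": ("Ruckus device", 63210),
    "axlogin": ("Axentra NAS", None),
    "zylogin": ("Zyxel VPN device", 3256),
}

# Word boundaries keep "xlogin" from matching inside "axlogin" (assumed prompt format).
BANNER_RE = re.compile(rb"\b(xlogin|alogin|rlogin|axlogin|zylogin)\b", re.IGNORECASE)


def classify_banner(banner):
    """Return (variant, device_type) if the banner carries a Quad7 login prompt, else None."""
    if not banner:
        return None
    m = BANNER_RE.search(banner)
    if not m:
        return None
    variant = m.group(1).decode().lower()
    return variant, QUAD7_VARIANTS[variant][0]


def grab_banner(host, port, timeout=3.0):
    """Connect and read the first bytes the service sends; None if it is closed or silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except OSError:
        return None


def scan_host(host, ports=None, timeout=3.0):
    """Probe the known Quad7 ports (or a supplied list) and report matching banners."""
    if ports is None:
        ports = [p for _, p in QUAD7_VARIANTS.values() if p is not None]
    findings = []
    for port in ports:
        hit = classify_banner(grab_banner(host, port, timeout))
        if hit:
            findings.append({"port": port, "variant": hit[0], "device": hit[1]})
    return findings


def start_fake_backdoor(banner):
    """Constructed test fixture: one-shot loopback listener that greets with `banner`.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Stand-alone demo against a constructed local listener, not a real device.
    port = start_fake_backdoor(b"\xff\xfb\x01xlogin: ")
    print(scan_host("127.0.0.1", [port]))
```

Run it against a list of router management addresses you are authorized to test; an empty result only means nothing answered with one of these prompts, not that the device is clean, since the SOCKS5 variant described next presents no such banner.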
In other cases, hackers install a SOCKS5 proxy server on compromised devices, which is used to proxy attacks and blend malicious activity with legitimate traffic to evade detection.
Quad7's Operations and Attack Methods
According to Microsoft, the Quad7 botnet (referred to as CovertNetwork-1658 in their classification) is believed to be linked to China, with around 8,000 infected devices active daily. Several Chinese hacking groups, including Storm-0940, are using these compromised routers to steal credentials and conduct password spray attacks.
Researchers note that the hackers do not make excessive login attempts, likely to avoid drawing attention. "In these campaigns, CovertNetwork-1658 makes a very small number of login attempts on many accounts within a targeted organization. In about 80% of cases, CovertNetwork-1658 makes only one login attempt per account per day," Microsoft reports.
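The pattern Microsoft describes defeats the usual per-account and per-source lockout rules: each account sees one failure, and each failure comes from a different compromised router. What does stand out is the aggregate, many accounts failing once on the same day from many unrelated addresses. The following detection logic is an added example for this article, not Microsoft's own rule; the log format, the constructed sample lines and the thresholds are assumptions, and a real deployment would tune them against the organization's baseline.

```python
import re
from collections import defaultdict

# Assumed log format for this example: "<ISO timestamp> auth <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one auth log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["day"] = ev["ts"][:10]  # bucket by calendar day, matching the "per account per day" cadence
    return ev


def detect_low_and_slow(lines, min_accounts=20, max_mean_attempts=1.5,
                        min_single_attempt_ratio=0.8, min_src_ratio=0.5):
    """Flag days where many accounts each get very few failures from a wide pool of sources.

    Thresholds are illustrative assumptions: at least `min_accounts` distinct accounts
    failed, the mean failures per account is low, most accounts saw exactly one failure,
    and the number of distinct source addresses is a large fraction of the account count.
    """
    per_day = defaultdict(lambda: {"accounts": defaultdict(int), "srcs": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "fail":
            continue
        bucket = per_day[ev["day"]]
        bucket["accounts"][ev["user"]] += 1
        bucket["srcs"].add(ev["src"])

    alerts = []
    for day, bucket in sorted(per_day.items()):
        accts = bucket["accounts"]
        n = len(accts)
        if n < min_accounts:
            continue
        total = sum(accts.values())
        single = sum(1 for c in accts.values() if c == 1)
        mean = total / n
        src_ratio = len(bucket["srcs"]) / n
        if (mean <= max_mean_attempts
                and single / n >= min_single_attempt_ratio
                and src_ratio >= min_src_ratio):
            alerts.append({
                "day": day,
                "accounts": n,
                "failures": total,
                "single_attempt_ratio": round(single / n, 2),
                "distinct_sources": len(bucket["srcs"]),
            })
    return alerts


def build_sample_log():
    """Constructed sample: one spray day and one ordinary day (not real telemetry)."""
    lines = []
    # Day 1: 40 accounts, one failure each, 40 different source addresses.
    for i in range(40):
        lines.append(
            f"2024-10-01T0{i // 10}:{i % 10:02d}:00Z auth fail user=user{i:02d} src=203.0.113.{i + 1}"
        )
    # Day 2: three people mistyping passwords from two office addresses.
    benign = [("alice", "198.51.100.5"), ("alice", "198.51.100.5"), ("bob", "198.51.100.5"),
              ("carol", "198.51.100.9"), ("carol", "198.51.100.9")]
    for i, (user, src) in enumerate(benign):
        lines.append(f"2024-10-02T09:{i:02d}:00Z auth fail user={user} src={src}")
    lines.append("2024-10-02T09:10:00Z auth ok user=alice src=198.51.100.5")
    return lines


if __name__ == "__main__":
    for alert in detect_low_and_slow(build_sample_log()):
        print(alert)
```

The rule is deliberately blind to individual source addresses, because the botnet's residential routers rotate and none of them repeats often enough to be blocked on its own; if your identity provider exposes it, adding a distinct-ASN count alongside `distinct_sources` sharpens the signal further.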
Credential Theft and Network Intrusion
Sometimes, after stealing credentials, the Storm-0940 group uses them to compromise target networks on the same day. Once inside, the hackers move laterally, steal additional credentials, and deploy RATs (Remote Access Trojans) and proxy tools. The ultimate goal of these attacks appears to be data theft, likely for cyber-espionage purposes.
Attack Chain Example: TP-Link Devices
It's important to note that researchers have not yet determined exactly how Quad7 operators are compromising routers and other network devices. According to Sekoia, one of their company's honeypots was breached by Quad7 using a zero-day vulnerability in OpenWRT. However, the methods used to hack other devices remain unknown.