Microsoft Reports Chinese Hackers Leveraging Quad7 Botnet for Credential Theft


Microsoft has warned that Chinese threat actors are using the Quad7 botnet, made up of compromised SOHO routers, to run password-spray attacks and steal credentials. The botnet, tracked by Microsoft as CovertNetwork-1658 and also referred to as xlogin, was first documented by security researcher Gi7w0rm. It consists of hacked routers and network devices from TP-Link, ASUS, Ruckus, Axentra, and Zyxel, on which the operators install custom malware that exposes a Telnet-style remote login on a device-specific port, each with its own banner.

Each device family gets its own login banner and listening port:

  • xlogin on TP-Link routers (port 7777)
  • alogin on ASUS routers (port 63256)
  • rlogin on Ruckus devices (port 63210)
  • axlogin on Axentra NAS devices (port unknown)
  • zylogin on Zyxel VPN devices (port 3256)
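A defender who wants to check whether a device on their own network is answering on one of these ports can grab the banner and match it against the list above. The script below is an added example, not code from the article or from any of the researchers it cites; it assumes the banner begins with the login keyword (for instance `xlogin:`), possibly preceded by Telnet option-negotiation bytes, and it uses a constructed local listener as a stand-in for an infected device so that it runs offline.

```python
import socket
import threading

# Login banners the article attributes to Quad7-infected devices and the
# ports reported for them (None where the article says the port is unknown).
QUAD7_BANNERS = {
    b"xlogin": ("TP-Link router", 7777),
    b"alogin": ("ASUS router", 63256),
    b"rlogin": ("Ruckus device", 63210),
    b"axlogin": ("Axentra NAS", None),
    b"zylogin": ("Zyxel VPN device", 3256),
}


def classify_banner(banner: bytes):
    """Map a received banner to a device family, or None if it is not a known Quad7 prompt.

    Assumption (not stated by the article): the banner starts with the login
    keyword, optionally after Telnet IAC negotiation bytes (0xFF cmd opt).
    """
    cleaned = bytearray()
    i = 0
    while i < len(banner):
        # Skip three-byte IAC negotiation sequences; good enough for a prompt check.
        if banner[i] == 0xFF and i + 2 < len(banner):
            i += 3
            continue
        cleaned.append(banner[i])
        i += 1
    text = bytes(cleaned).strip().lower()
    for keyword, (family, _port) in QUAD7_BANNERS.items():
        if text.startswith(keyword):
            return family
    return None


def grab_banner(host, port, timeout=3.0):
    """Connect and return whatever the service sends first; b'' on refusal or silence."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""
    except OSError:
        return b""


def scan_host(host, timeout=3.0):
    """Probe every known Quad7 port on host; return {port: device family} for matches."""
    hits = {}
    for _keyword, (_family, port) in QUAD7_BANNERS.items():
        if port is None:
            continue
        family_seen = classify_banner(grab_banner(host, port, timeout))
        if family_seen:
            hits[port] = family_seen
    return hits


def _serve_once(banner: bytes) -> int:
    """Constructed stand-in for an infected device: answer one connection with `banner`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Probe the constructed listener; returns 'TP-Link router' for an xlogin prompt."""
    port = _serve_once(b"\xff\xfd\x01xlogin: ")
    return classify_banner(grab_banner("127.0.0.1", port))


if __name__ == "__main__":
    print(demo())
```

Against a real gateway, call `scan_host("192.168.1.1")`; an empty result only means none of the known ports answered with a known prompt, not that the device is clean, since the Axentra port is unknown and the operators can change ports and banners at will.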

Once a device is compromised, the malware also installs a SOCKS5 proxy, so attacks relayed through the botnet arrive from residential addresses, blend with legitimate traffic, and are harder to attribute or block. Team Cymru linked the proxy software used by Quad7 to a user based in Hangzhou, China, although no specific threat actor has been identified.


Microsoft observed multiple Chinese threat actors using the botnet for password-spray attacks. One of them, tracked as Storm-0940, was seen using the stolen credentials to gain initial access to victim networks, move further inside, deploy remote access trojans (RATs), and exfiltrate data, most likely for espionage. According to Microsoft's report, the attackers keep a low profile by attempting only a small number of sign-ins per account: in about 80% of cases the botnet makes a single sign-in attempt per account per day, which stays below the lockout and alerting thresholds tuned for conventional brute-force attacks.
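Because each attempt can come from a different proxy exit, a detection keyed on the source address will not fire; what a low-and-slow spray does leave behind is breadth without depth: many accounts, each with one or two failures, in one day. The script below is an added example, not Microsoft's detection logic or anything from the article; it runs over constructed sign-in records (CSV lines of `timestamp,account,source_ip,result`, not real telemetry) and flags days on which the number of lightly-touched accounts crosses a threshold. The thresholds are assumptions and should be tuned to the tenant.

```python
from collections import defaultdict
from datetime import datetime


def build_sample_events():
    """Constructed sign-in events (not real telemetry), one CSV line each."""
    lines = []
    # Day 1, normal: a few users mistype a password once or twice, then succeed.
    for i, (acct, fails) in enumerate([("alice", 1), ("bob", 3), ("carol", 2)]):
        for n in range(fails):
            lines.append(f"2024-10-01T08:{i:02d}:{n:02d},{acct},10.0.0.{i + 1},failure")
        lines.append(f"2024-10-01T08:{i:02d}:59,{acct},10.0.0.{i + 1},success")
    # Day 2, low-and-slow spray: 40 accounts, exactly one failure each, spread across
    # the working day, every attempt arriving from a different (proxy) exit address.
    for n in range(40):
        hour, minute = 6 + n // 4, (n * 13) % 60
        lines.append(f"2024-10-02T{hour:02d}:{minute:02d}:00,user{n:02d},203.0.113.{n + 1},failure")
    return lines


SAMPLE_LINES = build_sample_events()


def parse_line(line):
    ts, account, ip, result = (field.strip() for field in line.split(","))
    return datetime.fromisoformat(ts), account, ip, result


def detect_low_and_slow_spray(lines, min_accounts=25, max_attempts_per_account=2):
    """Return [(day, stats)] for days that look like a low-and-slow password spray.

    A spray has breadth (many accounts) but almost no depth (one or two attempts
    per account), the opposite of a brute force against a single account. The
    aggregation is per account per day, not per source IP, so rotating proxy
    exits do not hide it. Thresholds are assumed values, not from the report.
    """
    per_day = defaultdict(lambda: defaultdict(lambda: {"attempts": 0, "ips": set()}))
    for line in lines:
        ts, acct, ip, result = parse_line(line)
        if result != "failure":
            continue
        rec = per_day[ts.date()][acct]
        rec["attempts"] += 1
        rec["ips"].add(ip)

    hits = []
    for day, accounts in sorted(per_day.items()):
        # Accounts that were only lightly touched: the signature of a spray.
        low_depth = {a: r for a, r in accounts.items() if r["attempts"] <= max_attempts_per_account}
        sources = set()
        for rec in low_depth.values():
            sources |= rec["ips"]
        stats = {
            "accounts_targeted": len(low_depth),
            "distinct_sources": len(sources),
            "max_attempts_any_account": max((r["attempts"] for r in accounts.values()), default=0),
        }
        if len(low_depth) >= min_accounts:
            hits.append((day.isoformat(), stats))
    return hits


if __name__ == "__main__":
    for day, stats in detect_low_and_slow_spray(SAMPLE_LINES):
        print(day, stats)
```

On the constructed data only the second day is flagged: 40 accounts, 40 distinct sources, no account touched more than once. A `distinct_sources` count close to `accounts_targeted` is itself a useful secondary signal for proxy-backed infrastructure like Quad7, where a brute-force tool running from one host would show a single source against many accounts.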

How the routers are initially compromised has not been confirmed, though Sekoia reported observing, in one of its honeypots, an attack that exploited an OpenWRT zero-day combining an unauthenticated file disclosure with a command injection. The case highlights the persistent risk that unpatched edge devices pose when targeted by capable threat actors.
