Microsoft Reports Chinese Hackers Leveraging Quad7 Botnet for Credential Theft
Microsoft has issued a warning that Chinese threat actors are using the Quad7 botnet, composed of compromised SOHO routers, to conduct password-spray attacks and steal credentials. The botnet, also tracked as CovertNetwork-1658 or xlogin, was first uncovered by security researcher Gi7w0rm. It is built from hacked routers and network appliances from brands including TP-Link, ASUS, Ruckus, Axentra, and Zyxel; on each, the operators deploy custom malware that exposes Telnet-based remote access with a banner unique to the device type.
Infected devices present different Telnet banners depending on their type, such as:
- xlogin on TP-Link routers (port 7777)
- alogin on ASUS routers (port 63256)
- rlogin on Ruckus devices (port 63210)
- axlogin on Axentra NAS devices (port unknown)
- zylogin on Zyxel VPN devices (port 3256)
Once a device is compromised, a SOCKS5 proxy server is installed on it, which lets malicious traffic blend with legitimate traffic and evade detection. Team Cymru linked the Quad7 botnet’s proxy software to a user based in Hangzhou, China, although no specific threat actor has been identified.
Microsoft observed multiple Chinese threat actors leveraging the botnet for password-spray attacks. One of them, Storm-0940, was seen using the stolen credentials to gain initial access to target networks, move further into them, deploy RATs, and exfiltrate data, likely for espionage purposes. Microsoft’s report notes that the attackers keep a low profile, attempting only a few logins per account to avoid detection. In 80% of cases, only one login attempt is made against a given account per day.
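One failed login per account per day is exactly the pattern that per-account lockout counters never see. As an added example (not code from Microsoft's report or from the article), the following Python aggregates failures by source address instead, flagging a source that touches many distinct accounts while never exceeding one failure per account per day; the log format, addresses and account names are constructed.

```python
from collections import defaultdict

# Constructed sample authentication log (not from the article): UTC timestamp, source IP, account, result.
# 198.51.100.7 fails once per account per day across many accounts (low-and-slow spray);
# 203.0.113.5 is a user mistyping their own password twice (noise, not a spray).
SAMPLE_LOG = """\
2024-10-01T03:12:05Z 198.51.100.7 alice FAIL
2024-10-01T03:40:11Z 198.51.100.7 bob FAIL
2024-10-01T04:02:59Z 198.51.100.7 carol FAIL
2024-10-02T05:17:33Z 198.51.100.7 dave FAIL
2024-10-02T06:45:08Z 198.51.100.7 erin FAIL
2024-10-03T02:09:41Z 198.51.100.7 frank FAIL
2024-10-01T09:00:00Z 203.0.113.5 alice FAIL
2024-10-01T09:00:04Z 203.0.113.5 alice FAIL
2024-10-01T09:00:09Z 203.0.113.5 alice OK
"""


def parse_log(text):
    """Parse whitespace-separated lines into (day, source, account, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        events.append((ts[:10], src, account, result))  # day = YYYY-MM-DD prefix of the timestamp
    return events


def find_low_and_slow_sprays(events, min_accounts=5, max_per_account_day=1):
    """Flag sources that fail against at least min_accounts distinct accounts while never
    exceeding max_per_account_day failures on any single account within one day.
    Per-account lockout thresholds are blind to this pattern; per-source aggregation is not."""
    per_source = defaultdict(lambda: defaultdict(int))  # src -> (account, day) -> failure count
    for day, src, account, result in events:
        if result == "FAIL":
            per_source[src][(account, day)] += 1
    findings = {}
    for src, counts in per_source.items():
        accounts = {account for account, _ in counts}
        days = {day for _, day in counts}
        if len(accounts) >= min_accounts and max(counts.values()) <= max_per_account_day:
            findings[src] = {"accounts": len(accounts), "days": len(days)}
    return findings


if __name__ == "__main__":
    for src, info in find_low_and_slow_sprays(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['accounts']} accounts over {info['days']} day(s), <=1 failure per account per day")
```

In a real deployment the source key would be the proxy exit address seen by the identity provider, so correlating across a week or more matters when the botnet rotates exits.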
The method of router compromise remains uncertain, though Sekoia reported observing an OpenWRT zero-day exploit in one of its honeypots. The attack exploited an unauthenticated file disclosure and command injection, highlighting the persistent risks posed by advanced cyber actors.