Microsoft: Chinese hackers use Quad7 botnet to steal credentials

Quad7 (four sevens)

Microsoft warns that Chinese threat actors use the Quad7 botnet, compromised of hacked SOHO routers, to steal credentials in password-spray attacks.

Quad7, also known as CovertNetwork-1658 or xlogin, is a botnet first discovered by security researcher Gi7w0rm that consists of compromised SOHO routers.

Later reports by Sekoia and Team Cymru reported that the threat actors are targeting routers and networking devices from TP-Link, ASUS, Ruckus wireless devices, Axentra NAS devices, and Zyxel VPN appliances.

When the devices are compromised, the threat actors deploy custom malware that allows remote access to the devices over Telnet, which display unique welcome banners based on the compromised device:

  • xlogin – Telnet bound to TCP port 7777 on TP-Link routers
  • alogin – Telnet bound to TCP port 63256 on ASUS routers
  • rlogin – Telnet bound to TCP port 63210 on Ruckus wireless devices.
  • axlogin – Telnet banner on Axentra NAS devices (port unknown as not seen in the wild)
  • zylogin – Telnet bound to TCP port 3256 on Zyxel VPN appliances

Other installed, the threat actors install a SOCKS5 proxy server that is used to proxy, or relay, malicious attacks while blending in with legitimate traffic to evade detection.

Quad7 botnet devices and what they are used for
Quad7 botnet devices and what they are used for
Source: Sekoia

While the botnet had not been attributed to a particular threat actor, Team Cymru tracked the proxy software used on these routers to a user living in Hangzhou, China.

Quad7 botnet used for password-spray attacks

Microsoft disclosed today that the Quad7 botnet is believed to operate from China, with multiple Chinese threat actors utilizing the compromised routers to steal credentials through password spray attacks.

“Microsoft assesses that credentials acquired from CovertNetwork-1658 password spray operations are used by multiple Chinese threat actors,” Microsoft says in a new report.

“In particular, Microsoft has observed the Chinese threat actor Storm-0940 using credentials from CovertNetwork-1658.”

When conducting the password spray attacks, Microsoft says the threat actors are not aggressive, only attempting to log in a few times per account, likely to avoid triggering any alarms.

“In these campaigns, CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization,” shared Microsoft.

“In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day.”

CovertNetwork-1658 count of sign-in attempts per account per day.
CovertNetwork-1658 count of sign-in attempts per account per day.
Source: Microsoft

However, once credentials are stolen, Microsoft has observed Storm-0940 utilizing them to breach targeted networks, sometimes on the same day they were stolen.

Once the network is breached, the threat actors spread further through the network by dumping credentials and installing RATs and proxy tools for persistence on the network.

The ultimate goal of the attack is to exfiltrate data from the targeted network, likely for cyber espionage purposes.

To this day, researchers have not determined precisely how the Quad7 threat actors are compromising SOHO routers and other network devices.

However, Sekoia observed one of their honeypots being breached by the Quad7 threat actors utilizing an OpenWRT zero-day.

“We waited less than a week before observing a notable attack that chained an unauthenticated file disclosure which seems to be not public at this time (according to a Google search) and a command injection,” explained Sekoia in July.

How the threat actors are breaching other devices remains a mystery.