Alert: New Botnet Attacks ASUS Routers, Opens Port 63256

The 7777 botnet, discovered in October 2023, comprises roughly 10,000 compromised routers, identified by an open TCP port 7777 that displays an “xlogin:” banner. It carries out low-volume, persistent brute-force attacks against Microsoft Azure accounts, a pace that helps it evade detection.

Although the botnet was initially suspected of targeting VIP users, recent research indicates indiscriminate targeting. Its operator remains unidentified: attributions to both cybercriminal and state-sponsored actors lack concrete evidence.

Analysis indicates the Quad7 threat actor has expanded its botnet operations to include a second bot variant using port 63256, primarily targeting Asus routers. Over the past 30 days, 12,783 active bots across both port variants were observed, suggesting a substantial botnet. 

Seven unique management IPs were identified, four of which correlate with existing Sekoia research, while three remain unattributed, suggesting a potential evolution in the Quad7 threat landscape.

Quad7 Bots

Scanning for an open port 7777 that displays the xlogin: banner identified 7,038 devices infected with the Quad7 botnet over the past 30 days.

Scan data provides an incomplete picture of botnet scale due to offline devices. Despite this, the Quad7 botnet persists with a significant number of bots, primarily used for low-volume brute force attacks. 

A high prevalence of compromised TP-Link routers is consistent with previous research. Identifying specific router models aids in understanding botnet propagation and enables proactive defense strategies to protect vulnerable infrastructure. 

Router Tag Example

Research has confirmed that Quad7 botnet hosts often expose a SOCKS5 proxy service on port 11288, leveraging an open-source proxy developed by a Chinese GitHub user. 

Threat actors utilize this proxy to route brute-force attacks targeting Microsoft 365 accounts, as evidenced by connections to login.microsoftonline.com. Consistent with previous findings, analysis of hosts with open port 11288 revealed a common banner, reinforcing the association with Quad7 botnet activity. 

Open Ports Information

Open port data reveals a second botnet using port 63256, distinct from the previously identified 7777 botnet despite similar banner information. The 63256 variant primarily targets ASUS routers, whereas 7777 focuses on TP-Link routers and IP cameras.

Combined, the two botnets account for over 12,000 infected devices, indicating that the threat landscape associated with the Quad7 actor is more extensive than previously known.

Infrastructure Diagram

NetFlow analysis identified seven IPs across three providers associated with the Quad7 botnet, expanding on Sekoia’s research. One IP exclusively communicates with bots on port 7777, providing remote shell access to threat actors. 

The remaining six IPs connect to bots on port 11288, likely proxying attacks, while one IP links the Quad7 and 63256 botnets, confirming their association while indicating distinct operational silos. 
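The bot fingerprints described above (port 7777 with the xlogin: banner, the similar 63256 variant, the SOCKS5 proxy on port 11288) and the NetFlow method used to surface management IPs can be turned into a simple triage routine. The following is an added example written for this page, not code from the article, Team Cymru or Sekoia. It runs over constructed banner-grab and flow records (RFC 5737 documentation addresses) that an operator would already hold for their own inventory; the exact banner strings for ports 63256 and 11288 are not given in the article, so matching 63256 on the same xlogin: marker and flagging any open 11288 for review are assumptions, as is the fan-out threshold.

```python
"""
Added example (not from the article or the cited researchers): triage
constructed banner-grab and NetFlow-style records for the Quad7
indicators the article describes. Sample data is constructed; banner
strings for ports 63256 and 11288 are assumptions, not page facts.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# 7777 + "xlogin:" is stated in the article. The 63256 variant is only
# described as having "similar" banner information, so matching it on the
# same marker is an assumption.
QUAD7_BANNER_PORTS = {
    7777: "Quad7 (7777 bot)",
    63256: "Quad7 (63256 bot, ASUS variant)",
}
QUAD7_PROXY_PORT = 11288  # SOCKS5 proxy port from the article; banner text not given
BANNER_MARKER = "xlogin:"


@dataclass(frozen=True)
class BannerRecord:
    ip: str
    port: int
    banner: str


def classify_banner(rec: BannerRecord) -> Optional[str]:
    """Return an indicator label when a record matches a Quad7 fingerprint."""
    if rec.port in QUAD7_BANNER_PORTS and BANNER_MARKER in rec.banner:
        return QUAD7_BANNER_PORTS[rec.port]
    if rec.port == QUAD7_PROXY_PORT:
        # Lower confidence: the article reports a common banner on 11288 but
        # does not print it, so any open 11288 is flagged for manual review.
        return "possible Quad7 SOCKS5 proxy (review)"
    return None


def triage(records: Iterable[BannerRecord]) -> Dict[str, Set[str]]:
    """Map each IP with at least one Quad7 indicator to the labels seen on it."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        label = classify_banner(rec)
        if label:
            hits[rec.ip].add(label)
    return dict(hits)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def candidate_management_ips(flows: Iterable[Flow], min_bots: int = 3) -> Dict[str, int]:
    """
    NetFlow-style heuristic mirroring the article's approach: a source IP
    that talks to many distinct hosts on the bot ports is a candidate
    management or proxying IP. The min_bots threshold is an assumption.
    """
    fanout: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport in (7777, 63256, QUAD7_PROXY_PORT):
            fanout[f.src].add(f.dst)
    return {ip: len(bots) for ip, bots in fanout.items() if len(bots) >= min_bots}


# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_BANNERS = [
    BannerRecord("192.0.2.10", 7777, "xlogin: "),
    BannerRecord("192.0.2.10", 11288, ""),
    BannerRecord("192.0.2.11", 63256, "xlogin: "),
    BannerRecord("192.0.2.12", 7777, "SSH-2.0-OpenSSH_8.4"),  # same port, not the bot banner
    BannerRecord("192.0.2.13", 22, "SSH-2.0-dropbear"),
]

SAMPLE_FLOWS = [Flow("198.51.100.5", f"192.0.2.{i}", 7777) for i in range(10, 14)] + [
    Flow("198.51.100.6", "192.0.2.10", 11288),
    Flow("203.0.113.7", "192.0.2.10", 11288),
    Flow("203.0.113.7", "192.0.2.11", 11288),
    Flow("203.0.113.7", "192.0.2.12", 11288),
]

if __name__ == "__main__":
    for ip, labels in sorted(triage(SAMPLE_BANNERS).items()):
        print(ip, sorted(labels))
    print(candidate_management_ips(SAMPLE_FLOWS))
```

The banner check is deliberately strict about the marker on 7777 and 63256 so that an unrelated service on the same port (the OpenSSH record above) is not misreported, while 11288 is surfaced only as a review item because the page does not state its banner. The flow heuristic reproduces the article's observation that management IPs stand out by fan-out to bot ports; with real NetFlow the threshold and the time window would need tuning to the size of the monitored estate.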

The Quad7 botnet persists, expanding its reach beyond the original 7777 botnet to include a 63256 botnet primarily targeting ASUS routers. Despite ongoing mitigation efforts, the botnet remains active with a substantial compromised device base. 

Research by Team Cymru identified key botnet infrastructure elements, including seven management IPs and their communication patterns. While the two botnets operate independently, they collectively demonstrate the evolving tactics of the threat actors. 

Kaaviya (https://cyberpress.org/) is a Security Editor and reporter with Cyber Press, covering cyber security incidents.
