Previously, Microsoft warned that Chinese hackers used the Quad7 botnet, built from hacked small office/home office (SOHO) routers, to steal credentials in password-spray attacks.
SOHO routers are usually the main choice for small and medium businesses (SMEs) that need a stable internet connection.
Quad7, also known as CovertNetwork-1658 or xlogin, is a botnet of compromised SOHO routers first discovered by security researcher Gi7w0rm.
Later reports by Sekoia and Team Cymru found that Chinese hackers targeted routers and network devices from TP-Link, ASUS, Ruckus wireless devices, Axentra NAS devices, and Zyxel VPN equipment.
When a device is compromised, hackers deploy custom malware that allows remote access to the device via Telnet, which displays a ‘unique welcome banner’ based on the compromised device.
In addition to the remote-access malware, the threat actor also installed a SOCKS5 proxy server to carry out malicious attacks while blending in with legitimate traffic to avoid security detection.
Although the botnet has not been linked to a specific threat actor, Team Cymru traced the proxy software used on the routers to a user living in Hangzhou, China.