Flash Notice: Quad7 Botnet Exploiting Router Flaws

overview

Microsoft has recently revealed evidence of a large number of password spray attacks from the Chinese threat-actor Storm-0940. These attacks leverage the botnet known as Quad7 as the primary avenue of attack.  

Quad7 has been observed since late 2019 and gained its name for its unique pattern of opening port 7777 on infected devices. Since 2019 it has been observed in use all over the world for leveraging attacks against C-Level employee logins. Quad7 uses a “low and slow” approach of only attempting 2-3 logins per week so as to avoid automatic lock-outs that might alert security elements.  

The number of observed devices rises and falls over time, usually in conjunction with public disclosure. When devices are reveled as part of the Botnet, the operators shut down operations and wipe their traces while they search for new devices to compromise. Quad7 prefers to remain as anonymous as possible by exploiting vulnerabilities in network devices, rather than attempting to trick employees into allowing them in.  

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

NOTE!: Avertium is actively searching across all monitored environments for the IoC’s listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager. 

• e6f6a6de285d7c2361c32b1f29a6c3f6 | Control Node for Quad7 
• cdb37db4543dde5ca2bd98a43699828f | Debug detection for Quad7 
• 92093dd7ba6ae8fe34a215c4c4bd1cd4 | relay node for Quad7 
• 8542a3cbe232fe78baa0882736c61926 | "alogin" file for Quad7 
• 777d6f907da38365924a0c2a12e973c5 | "alogin" file for Quad7 
• 65465fdcf50f79272d6b38b30181278c2442ae13 | "alogin" file for Quad7 
• 5efc7d824851be9ec90a97d889a40d23 | ASR Node for Quad7 
• 43ea387b8294cc4d0baaef6d26ff7c72 | "rlogin" file for Quad7 
  
  

TTPs TO MONITOR

The Quad7 Botnet, also known as the 7777 or xlogin botnet, employs several tactics from the MITRE ATT&CK framework. The top five tactics associated with this botnet are: 

1. Initial Access (TA0001): The botnet operators exploit vulnerabilities in various Small Office/Home Office (SOHO) routers and VPN appliances, including devices from TP-Link, Zyxel, Asus, Axentra, D-Link, and Netgear, to gain unauthorized access. Sekoia Blog 
2. Execution (TA0002): After gaining access, the attackers execute malicious code on the compromised devices, such as installing bind shells and SOCKS5 proxies, to establish control and facilitate further malicious activities. BitSight 
3. Persistence (TA0003): To maintain long-term access, the botnet deploys backdoors like the "UPDTAE" reverse shell, allowing continuous remote control over the infected devices. Sekoia Blog 
4. Command and Control (TA0011): The botnet utilizes various communication protocols, including HTTP reverse shells and the KCP protocol over UDP, to manage and control the compromised devices while evading detection. Sekoia Blog 
5. Credential Access (TA0006): The compromised devices are used to relay brute-force attacks on services like Microsoft 365 accounts, aiming to harvest valid credentials for further exploitation. BitSight 

additional recommendations

• Ensure that routers, VPN devices, and IoT devices have the latest firmware installed. Many exploits leverage outdated software with known vulnerabilities. 
• Use strong, unique passwords for each device and avoid default or commonly used passwords, which are easy targets for brute-force attacks. 
• Disable remote management, Telnet, or other services that aren’t in use. Also, ensure that in-use remote connections are secured with a VPN. 
• Educate network users or family members on cybersecurity best practices, like avoiding clicking on suspicious links, as malware can also spread via phishing attacks targeting routers. 

ADDITIONAL SERVICE OFFERINGS

• Fusion MXDR  is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  
• Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
• Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:  
  • Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment). 
  • Threat Mapping – Leverage Avertium’s Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK). 
  • Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).

SUPPORTING DOCUMENTATION