Insights into Quad7 Operators’ Upcoming Strategies and Related Botnets

Quad7 botnet operators are expanding their footprint by compromising a range of SOHO routers and VPN appliances, introducing new backdoors and stealthy HTTP-based communications to evade detection. The findings describe new staging servers, additional targets and implants, five login clusters (alogin, xlogin, axlogin, rlogin, zylogin), and the testing of HTTP reverse shells such as UPDTAE to relay attacks. #Quad7 #alogin #xlogin #rlogin #zylogin #FsyNet #UPDTAE #ASUS #TP-Link #Zyxel #Axentra #D-Link #Netgear #Ruckus

Keypoints

  • Discovery of new staging servers linked to Quad7 botnet operators.
  • Compromised devices include TP-Link, Zyxel, ASUS, Axentra NAS, D-Link, and Netgear routers.
  • Operators are evolving their toolset, introducing new backdoors and stealthy communication methods.
  • Five different login clusters identified, including alogin, xlogin, axlogin, rlogin, and zylogin.
  • New HTTP reverse shells (UPDTAE backdoors) are being tested for deployment.
  • Quad7 operators are adapting tactics to evade detection and complicate attribution efforts.
  • Edge devices are increasingly targeted due to their vulnerabilities and accessibility.

MITRE Techniques

  • [T1078] Initial Access – Brute force on internet-exposed services. Quote: ‘Brute force attacks on internet-exposed services such as VPN, telnet, and SSH’
  • [T1203] Execution – Exploitation for Client Execution – Deployment of backdoors and reverse shells on compromised devices. Quote: ‘Deployment of backdoors and reverse shells on compromised devices.’
  • [T1050] Persistence – New Service – Installation of new services to maintain access to compromised devices. Quote: ‘Installation of new services to maintain access to compromised devices.’
  • [T1071] Command and Control – Application Layer Protocol – Use of HTTP requests for command and control communications. Quote: ‘Use of HTTP requests for command and control communications.’
  • [T1041] Exfiltration – Exfiltration Over Command and Control Channel – Sending data back to the attacker’s server through the established communication channels. Quote: ‘Sending data back to the attacker’s server through the established communication channels.’

Indicators of Compromise

  • [IP Address] Quad7 infrastructure – 158.247.194.125:80, 45.77.44.119:80, 151.236.20.30:80, 103.140.239.63:80, 103.57.248.202:81 (other staging servers available on demand)
  • [File Hash] Quad7 binaries – 408152285671bbd0e6e63bd71d6abaaf, 5efc7d824851be9ec90a97d889a40d23 (asr_node, node-relay); and 2 more hashes
  • [File Name] Implants – asr_node, rlogin, alogin, zylogin, axlogin, UPDTAE backdoor, netd
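The following is an added detection example, not code from the Sekoia report: it matches the indicators listed above against router and NAS telemetry. The log format is an assumption (constructed key=value lines standing in for a firewall connection export and a file-inventory export); the IP:port pairs, MD5 hashes and implant names are the ones given on this page. Connection matches require both the IP and the listed port, hashes are compared case-insensitively, and a bare file-name match is reported as a low-confidence hit because names such as netd and rlogin also occur on clean systems.

```python
"""Match device telemetry against the Quad7 indicators listed on this page.

Added example (not from the original report). Log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Indicators taken from the page: staging-server IP:port pairs, MD5 hashes
# of the asr_node / node-relay binaries, and implant file names.
QUAD7_IPS = {
    ("158.247.194.125", 80), ("45.77.44.119", 80), ("151.236.20.30", 80),
    ("103.140.239.63", 80), ("103.57.248.202", 81),
}
QUAD7_MD5 = {"408152285671bbd0e6e63bd71d6abaaf", "5efc7d824851be9ec90a97d889a40d23"}
QUAD7_NAMES = {"asr_node", "rlogin", "alogin", "zylogin", "axlogin", "netd"}

# Assumed telemetry format: space-separated key=value pairs, values optionally quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse 'k=v k2="v 2"' into a dict; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass(frozen=True)
class Alert:
    kind: str        # "c2_ip" | "hash" | "name"
    confidence: str  # "high" for IP:port and hash hits, "low" for name-only hits
    value: str
    line: str


def check_connection(fields, line):
    """Flag outbound connections to a listed staging server on its listed port."""
    dst, dport = fields.get("dst"), fields.get("dport")
    if dst and dport and dport.isdigit() and (dst, int(dport)) in QUAD7_IPS:
        return Alert("c2_ip", "high", f"{dst}:{dport}", line)
    return None


def check_file(fields, line):
    """Flag files whose MD5 is listed, else files whose basename is an implant name."""
    md5 = fields.get("md5", "").lower()
    if md5 in QUAD7_MD5:
        return Alert("hash", "high", md5, line)
    name = fields.get("path", "").rsplit("/", 1)[-1]
    if name in QUAD7_NAMES:
        # Name alone is weak evidence; netd and rlogin exist on clean systems.
        return Alert("name", "low", name, line)
    return None


def scan(lines):
    """Return one Alert per line that matches an indicator (first match wins)."""
    alerts = []
    for line in lines:
        fields = parse_kv(line)
        alert = check_connection(fields, line) or check_file(fields, line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry. Non-indicator addresses use RFC 5737 test ranges.
SAMPLE_LOGS = [
    'ts=2024-09-10T10:01:02Z src=192.168.1.1 dst=158.247.194.125 dport=80 proto=tcp',
    'ts=2024-09-10T10:01:05Z src=192.168.1.1 dst=203.0.113.10 dport=443 proto=tcp',
    # Listed IP but wrong port (page lists 103.57.248.202:81): must not match.
    'ts=2024-09-10T10:01:09Z src=192.168.1.1 dst=103.57.248.202 dport=80 proto=tcp',
    'ts=2024-09-10T10:02:00Z host=router1 path=/tmp/asr_node md5=408152285671BBD0E6E63BD71D6ABAAF',
    'ts=2024-09-10T10:02:01Z host=nas1 path=/usr/sbin/netd md5=0123456789abcdef0123456789abcdef',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a.confidence}] {a.kind}={a.value}  <- {a.line}")
```

Run as a script it prints three hits: the connection to 158.247.194.125:80, the hash match on /tmp/asr_node (despite the uppercase hex in the log), and a low-confidence name match on netd. The line contacting 103.57.248.202 on port 80 is not flagged, since the page lists that server on port 81; drop the port check only if your own telemetry shows the operators rotating ports.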

Read more: https://blog.sekoia.io/a-glimpse-into-the-quad7-operators-next-moves-and-associated-botnets/