Solving the 7777 Botnet enigma: A cybersecurity quest

Sekoia.io investigates the Quad7/7777 botnet, a long-running IoT threat that hijacks TP-Link routers to relay password-spraying attacks against Microsoft 365 accounts. The report details how the operators use SOCKS proxies, remote access via Telnet/SSH, and a linked set of malware components, while noting attribution remains unclear and the threat could be hijacked by others. #Quad7 #7777 #TP-Link #Dropbear #xlogin #Socks5 #Microsoft365 #PasswordSpraying

Keypoints

  • Quad7/7777 botnet leverages compromised TP-Link routers to relay password spraying attempts against Microsoft 365 accounts via SOCKS proxies.
  • The investigation intercepted network communications on a TP-Link WR841N in France and used a Raspberry Pi for live forensic analysis.
  • Most observed compromised devices appeared to be TP-Link routers; evidence suggests at least one exploit chain to gain remote code execution against management interfaces.
  • Exploits include an unauthenticated file disclosure and a command-injection vulnerability in TP-Link Parental Control pages, enabling RCE.
  • Overlaps with other actors exist (e.g., an overlap with a D-Link compromise), but Quad7 appears distinct and primarily focused on SOHO/IoT targets for O365 credential spraying.
  • The investigation involved physical intervention plans (inline TAP and UART access) to retrieve malware from a router (Archer C7 v2.0).
  • Defensive takeaways emphasize restricting remote administration, monitoring edge devices, and looking for distinctive Quad7 authentication patterns in Entra ID/Microsoft 365 logs.
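An added example, not code from the Sekoia report, of the kind of check the last takeaway points at: flag a source IP in Entra ID sign-in records that fails against many distinct accounts with only a few attempts each inside a time window, the low-and-slow spraying pattern the botnet relays through its SOCKS proxies. Field names follow Microsoft Graph's signIn resource; the records, user names and IP addresses are constructed, and the thresholds are assumptions to tune per tenant.

```python
"""Flag low-and-slow password spraying in Entra ID sign-in records.

A spraying source tries one or two passwords against many accounts, so the
tell is a single source IP failing against many distinct users with few
attempts per user, spread out over hours rather than bursting.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID status.errorCode: wrong username or password

# Constructed sample sign-in records (not real log data).
SAMPLE_SIGNINS = (
    # one source, twelve different accounts, one failure each, hourly
    [{"createdDateTime": f"2024-01-10T{h:02d}:15:00Z",
      "userPrincipalName": f"user{h}@example.com",
      "ipAddress": "203.0.113.10",
      "status": {"errorCode": INVALID_CREDENTIALS}} for h in range(12)]
    # one source hammering a single account: brute force, not spraying
    + [{"createdDateTime": f"2024-01-10T09:{m:02d}:00Z",
        "userPrincipalName": "alice@example.com",
        "ipAddress": "198.51.100.5",
        "status": {"errorCode": INVALID_CREDENTIALS}} for m in range(8)]
    # a normal successful sign-in
    + [{"createdDateTime": "2024-01-10T10:00:00Z",
        "userPrincipalName": "bob@example.com",
        "ipAddress": "192.0.2.7", "status": {"errorCode": 0}}]
)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(signins, window=timedelta(hours=24), min_users=10, max_per_user=2):
    """Return {ip: sorted list of targeted users} for sources matching the spray pattern."""
    failures = defaultdict(lambda: defaultdict(list))  # ip -> user -> [timestamps]
    for rec in signins:
        if rec["status"]["errorCode"] != INVALID_CREDENTIALS:
            continue
        failures[rec["ipAddress"]][rec["userPrincipalName"]].append(parse_time(rec["createdDateTime"]))
    hits = {}
    for ip, per_user in failures.items():
        if any(len(ts) > max_per_user for ts in per_user.values()):
            continue  # repeated tries on one account are brute force, handled elsewhere
        events = sorted((t, u) for u, ts in per_user.items() for t in ts)
        start = 0
        for end in range(len(events)):  # sliding window over this IP's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                hits[ip] = sorted(per_user)
                break
    return hits
```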

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The Quad7 operators exploited a known command injection vulnerability in the Parental Control page to achieve remote code execution (‘…exploited a known command injection vulnerability in the Parental Control page to achieve the RCE.’)
  • [T1021.004] Telnet – Compromised routers expose TELNET/7777 and host xlogin; attackers interact via TELNET-based access (‘the xlogin bind shell’ and TELNET/7777 port activity).
  • [T1021.003] SSH – Attackers use SSH through Dropbear to obtain a root shell and transfer malware (‘Dropbear (a pre-installed lightweight SSH agent) on a higher port’).
  • [T1090] Proxy – The botnet uses SOCKS proxies on compromised devices to relay brute-force attempts against Microsoft 365 (‘deploying Socks5 proxies on compromised devices to relay extremely slow “bruteforce” attacks against Microsoft 365 accounts’).
  • [T1105] Ingress Tool Transfer – Binaries were pushed onto the compromised router, including Telnet binary, xlogin, and Socks5 proxy (‘binaries consisted of a Telnet binary coming from BusyBox … and a Socks5 proxy derived from bhhbazinga’s Sock5 open source project’).
  • [T1059] Command and Scripting Interpreter – The attackers run and manage binaries (telnetd, xlogin, socks5) on the device, indicating command-line interpreter use (‘three binaries: telnetd, xlogin, and socks5’).

Indicators of Compromise

  • [IP Address] – 142.11.205.164, 23.254.201.175, used by servers authenticated to the socks proxy to reach login.microsoftonline.com.
  • [IP Address] – 151.236.20.185, 151.236.20.211, used to check exit node IPs and to issue HTTP requests for whatismyip.akamai.com.
  • [Domain] – whatismyip.akamai.com – used to verify public IP address exposure during proxy checks.
  • [File/Path] – /tmp/dropbear/dropbearpwd – credentials stored on router for re-authentication attempts.
  • [File/Path] – xlogin – bind shell binary used to gain interactive access.
  • [File/Path] – socks5 – proxy binary used to relay brute-force traffic to targets.
  • [File/Path] – init.sh – one of the initial startup scripts observed on the router.
  • [File/Path] – microsocks – socks proxy component observed in the malware suite.
  • [Hash] – 98d3764862b182417c910a96e0fbfe71, 386bf8259668c0abb6c72fdcae904164, 69ced04a2ec895084d3aab1086216d32, 29e6df5bb30ed8fd12c09d9b6890ab4f, and 2 more hashes.

Read more: https://blog.sekoia.io/solving-the-7777-botnet-enigma-a-cybersecurity-quest/