A major Chinese botnet called Quad7 is being used to launch password spray attacks on organizations in the West, Microsoft experts have warned.
In a new reportAccording to company researchers, the group, dubbed Storm-0940, then uses the passwords to achieve persistence, steal even more credentials, and ultimately engage in more disruptive cyberattacks.
The end goal of the campaign is most likely espionage, Microsoft believes, as targets include think tanks, government organizations, non-governmental organizations, law firms, defense industrial bases and more.
Targeted at SOHO routers
“Specifically, Microsoft observed the Chinese threat actor Storm-0940 using credentials from CovertNetwork-1658,” the report states, adding that the group was extra careful not to be spotted.
“In these campaigns, CovertNetwork-1658 sends a very small number of login attempts to many accounts at a target organization,” it said. “In approximately 80 percent of cases, CovertNetwork-1658 makes only one login attempt per account per day.”
But once a hit is made, Storm-0940 closes in to further endanger the target. Microsoft even said that in some cases the infiltration occurred the same day the passwords were guessed. Storm-0940’s first step was to dump credentials and install RATs and proxies for persistence.
Quad7 is a fairly well-known botnet. In late September 2024, we reported that the botnet had added new features and expanded its attack surface. It was first noticed by a researcher alias Gi7w0rm and experts from Sekoia, when it only targeted TP-Link routers. However, in the following weeks, Quad7 (so named for targeting port 7777) expanded to ASUS routers, and has now been spotted on Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.
The attackers built custom malware to compromise these endpoints, targeting different clusters. Each cluster is a variant of *login, with Ruckus, for example, having the cluster ‘rlogin’. Other clusters include xlogin, alogin, axlogin and zylogin. Some clusters are relatively large and contain thousands of assimilated devices. Others are smaller and count only two infections.