According to several security researchers who have been closely monitoring the malware’s recent development, the Quad7 botnet operators have been busy adding new features and expanding their attack surface.
Quad7 was first spotted by a researcher alias Gi7w0rm and experts from Sekoia, when it was only observed targeting TP-Link routers. However, in the following weeks, Quad7 (so named because it targeted port 7777) expanded to ASUS routers and has now been observed on Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.
To compromise these endpoints, a custom malware was written, the researchers explained. For different types of devices, the botnet has different clusters. Each cluster is a variant of *login, it was explained, with Ruckus, for example, having the ‘rlogin’ cluster. Other clusters include xlogin, alogin, axlogin, and zylogin. Some clusters are relatively large, counting ‘thousands’ of assimilated devices. Others are smaller, counting only two infections.
Mnemonic Keys and Seed Phrases
The researchers don’t know why some of these clusters are so small and suspect they are still in an experimental phase and could grow rapidly in number once they are ready to be deployed.
The purpose of the campaign is also a mystery, but the most likely use case is for distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.
In addition to the expansion, the botnet also improved in terms of communication and obfuscation. It is apparently much better at evading detection, as well as in operational effectiveness.
The best way to defend against these types of botnets is to always keep the firmware and software of the devices up to date. If an endpoint is older and no longer supported by the OEM, replacing it with a newer model is the best way to go.
Via BleepingComputer