September 11, 2024 at 01:06PM
The mysterious Quad7 botnet is actively evolving, compromising various SOHO routers and VPN appliances using a mix of known and unknown security flaws. Its operators are advancing their toolset, introducing a new backdoor and exploring new protocols to improve stealth. The botnet has infected devices from several brands and appears to have expanded to target new router types. There are indications that the operators are Chinese state-sponsored threat actors seeking to improve their stealth and avoid detection.
From the meeting notes:
– The Quad7 botnet is actively evolving, compromising SOHO routers and VPN appliances using a combination of known and unknown security flaws.
– Targeted devices include those from TP-Link, Zyxel, ASUS, Axentra, D-Link, and NETGEAR.
– Quad7 was first documented in October 2023 and has been observed brute-forcing Microsoft 365 and Azure instances.
– The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume.
– Sekoia and Team Cymru’s analyses have found that the botnet has compromised TP-Link and ASUS routers in Bulgaria, Russia, the U.S., and Ukraine, and has also expanded to target additional devices.
– The botnet consists of four additional clusters, each targeting different devices.
– The threat actors now utilize a new backdoor dubbed UPDTAE, establishing an HTTP-based reverse shell to execute commands sent from a command-and-control (C2) server.
– The activity is likely the work of a Chinese state-sponsored threat actor.