The operators of the Quad7 botnet have been busy, adding new features and expanding their attack surface, according to multiple security researchers who have been keeping tabs on the malware’s recent evolution.
Quad7 was first spotted by a researcher alias Gi7w0rm, and experts from Sekoia, when it was only observed targeting TP-Link routers. However, during the following weeks, Quad7 (which was named so for targeting port 7777), expanded to ASUS routers, and now has been observed on Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.
To compromise these endpoints, a custom malware was written, the researchers further explained. For different types of devices, the botnet has different clusters. Each cluster is a variant of *login, it was explained, with Ruckus, for example, having the ‘rlogin’ cluster. Other clusters include xlogin, alogin, axlogin, and zylogin. Some clusters are relatively large, counting “thousands” of assimilated devices. Others are smaller, counting as little as two infections.
Mnemonic keys and seed phrases
The researchers don’t know the reason for such a small number on some of these clusters, and speculate that they still might be in an experimental phase, and that their numbers might mushroom once they’re ready to be deployed.
The goal of the campaign is also a mystery, but its most likely use case is for distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.
Besides expanding, the botnet also improved in terms of communications and obfuscation. Apparently, it is a lot better when it comes to evading detection, as well as operational effectiveness.
The best way to defend against this type of botnets is to always keep the firmware and software of the devices up to date. If an endpoint is older and no longer supported by the OEM, replacing it with a newer model is the best way to go.
Via BleepingComputer