TLDR: Quad7 botnet operators have been compromising several routers and VPN appliances, targeting brands such as TP-Link, Zyxel, Asus, and others. They are using various techniques, including password-spraying and backdoors to conduct attacks on Microsoft 365 accounts. The operators are evolving their methods to include encrypted communication and HTTP reverse shells, making detection and attribution more challenging.
The Quad7 botnet, also known as the 7777 botnet, has caught the attention of researchers for its use of compromised TP-Link routers to target Microsoft 365 accounts using password-spraying techniques. Security analysts have identified five distinct *login clusters targeting different router brands, including TP-LINK, Zyxel, Asus, Axentra, D-Link, and Netgear.
The operators of the Quad7 botnet have been utilizing TCP ports for various purposes, such as root-privileged bind shells and SOCKS5 proxies for brute-force attacks. They are also testing new methods, such as the FsyNet project, which uses encrypted communication over UDP for low-latency communication.
The evolution of the Quad7 botnet from open SOCKS proxies to encrypted, reverse-shell architectures showcases the threat actors’ adaptation towards stealthier and more robust attack infrastructure. By using techniques like HTTP reverse shells and secure protocols, the operators are making detection and attribution more challenging for security experts.
Overall, the Quad7 botnet operators are actively compromising routers and VPN appliances, constantly evolving their tactics and techniques to conduct sophisticated attacks on a wide range of devices and networks.