The operators of the Quad7 botnet have been busy, adding new features and expanding their attack surface, according to several security researchers who have been following the malware's recent evolution.
Quad7 was first spotted by a researcher known by the alias Gi7w0rm and by experts at Sekoia, when it was only observed attacking TP-Link routers. Over the following weeks, however, Quad7 (so named because it attacks port 7777) expanded to ASUS routers and has now been observed on Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.
To compromise these endpoints, custom malware was written, the researchers explained. The botnet is organized into different clusters for different types of devices. Each cluster is a variant named on the pattern `*login`, they explained; Ruckus, for example, has the 'rlogin' cluster. Other clusters include xlogin, alogin, axlogin and zylogin. Some clusters are relatively large, with "thousands" of compromised devices. Others are smaller, with as few as two infections.
Researchers don't know why there are such small numbers in some of these groups, and speculate that they may still be in an experimental phase and that their numbers could increase once they are ready to be implemented.
The campaign's target is also a mystery, but its most likely use case is distributed brute force attacks on VPN, Telnet, SSH, and Microsoft 365 accounts.
In addition to expanding, the botnet has also improved its communication and obfuscation. It is apparently much better at evading detection and is more effective operationally.
The best way to defend against these types of botnets is to always keep the firmware and software on your devices up to date. If an endpoint is older and no longer supported by the OEM, it is best to replace it with a newer model.
Via BleepingComputer