A glimpse into the next moves and associated botnets

Sept. 10, 2024, 8:23 a.m.

Description

The report provides insights into the evolving tactics and infrastructure of a threat group referred to as the 'Quad7 botnet operators.' It details the discovery of new staging servers, implants, and botnet clusters associated with this group. The operators appear to be compromising various router and VPN appliance brands, introducing new backdoors, and exploring alternative protocols to enhance stealth and evade tracking efforts. Without adequate interception capabilities, monitoring the Quad7 botnets' evolution may become increasingly challenging in the future.

External References

https://blog.sekoia.io/a-glimpse-into-the-quad7-operators-next-moves-and-associated-botnets/
https://otx.alienvault.com/pulse/66dffe354fbbc07e149a2c1d
Tags
evasion
backdoors
xlogin
botnets
routers
2024-09-10
hammertoss
axlogin
fsynet
hammerduke
stealth
alogin
updtae
zylogin
netduke
rlogin

Date

  • Created: Sept. 10, 2024, 8:07 a.m.
  • Published: Sept. 10, 2024, 8:07 a.m.
  • Modified: Sept. 10, 2024, 8:23 a.m.

Indicators

  • ff17e9bcc1ed16985713405b95745e47674ec98e3c6c889df797600718a35b2c
  • 158.247.194.125
  • 103.57.248.202
  • 103.140.239.63
  • 45.77.44.119
  • 151.236.20.30
  • http://45.77.44.119:80
  • http://158.247.194.125:80
  • http://151.236.20.30:80
  • http://103.57.248.202:81
  • http://103.140.239.63:80
Download all indicators here!

Attack Patterns

  • zylogin
  • rlogin
  • axlogin
  • alogin
  • NetDuke
  • HammerDuke
  • HAMMERTOSS - S0037
  • FsyNet
  • UPDTAE
  • xlogin
  • Quad7 botnet operators