A glimpse into the next moves and associated botnets

Sept. 10, 2024, 8:23 a.m.

Description

The report provides insights into the evolving tactics and infrastructure of a threat group referred to as the 'Quad7 botnet operators.' It details the discovery of new staging servers, implants, and botnet clusters associated with this group. The operators appear to be compromising various router and VPN appliance brands, introducing new backdoors, and exploring alternative protocols to enhance stealth and evade tracking efforts. Without adequate interception capabilities, monitoring the Quad7 botnets' evolution may become increasingly challenging in the future.

Date

Published: Sept. 10, 2024, 8:07 a.m.
Created: Sept. 10, 2024, 8:07 a.m.
Modified: Sept. 10, 2024, 8:23 a.m.

Indicators


Attack Patterns

zylogin

rlogin

axlogin

alogin

NetDuke

HammerDuke

HAMMERTOSS - S0037

FsyNet

UPDTAE

xlogin

Quad7 botnet operators

T1594

T1207

T1043

T1021.004

T1587

T1608

T1583

T1213

T1189

T1505

T1573

T1518

T1105

T1071

T1595

T1543

T1190

T1133

T1090