Botnet 7777: Are You Betting on a Compromised Router?
Aug. 8, 2024, 11:38 a.m.
Description
This analysis uncovers the expansion of a significant botnet operation, dubbed Quad7 or the 7777 botnet, characterized by its distinctive use of TCP port 7777 on compromised routers, primarily TP-Link and Hikvision devices. The research reveals a potential second tranche of bots, the 63256 botnet, composed mainly of infected ASUS routers, indicating an evolution of the threat actor's tactics. Over a 30-day period, 12,783 active bots were identified across both infrastructures, highlighting the botnet's substantial scale. The analysis also pinpoints seven management IP addresses associated with the botnet's operations, some previously undisclosed. The findings underscore the resilience and adaptability of this persistent threat, warranting continued vigilance and collaborative efforts to mitigate its impact.
Date
Published: Aug. 8, 2024, 11:30 a.m.
Created: Aug. 8, 2024, 11:30 a.m.
Modified: Aug. 8, 2024, 11:38 a.m.
Attack Patterns
T1021.004
T1089
T1505
T1071.001
T1518.001
T1543.004
T1529
T1518
T1046
T1592
T1499
T1027
T1190
T1133
T1090
T1059