Quad7 Botnet
Cybersecurity specialists have identified a Chinese threat actor, known as Storm-0940, utilizing a botnet named Quad7 to conduct sophisticated and evasive password spray attacks. This botnet, also referred to as CovertNetwork-1658, is employed to steal credentials from various Microsoft customers. Operating since at least 2021, Storm-0940 gains initial access by employing password spray and brute-force techniques or by targeting vulnerabilities and misconfigurations in network edge applications and services.
Attackers Target Numerous Vulnerable Devices
Storm-0940 is recognized for its focus on organizations across North America and Europe, including think tanks, governmental bodies, NGOs, law firms, and sectors within the defense industry.
The Quad7 botnet, also called 7777 or xlogin, has been thoroughly studied by researchers. This malware has shown a particular focus on SOHO routers and VPN devices from several well-known brands, such as TP-Link, Zyxel, Asus, Axentra, D-Link and NETGEAR.
These devices are compromised by taking advantage of both identified and potentially unknown security vulnerabilities to achieve remote code execution. The botnet's name, Quad7, stems from the fact that the infected routers include a backdoor that listens on TCP port 7777, enabling remote access.
Tactics Displayed by the Quad7 Attackers
As of September 2024, the botnet appears to be primarily deployed for brute-force attacks on Microsoft 365 accounts, with indications that Chinese state-sponsored actors are likely behind these operations.
Microsoft's assessment suggests that the botnet's operators are based in China, where several threat actors utilize it for password spray attacks to enable further network exploitation. These follow-up activities include lateral movement, Remote Access Trojan (RAT) deployment and data exfiltration efforts.
Storm-0940 is among those exploiting this method. It gained access to target organizations by using valid credentials obtained through these attacks—often on the same day the credentials were compromised. This rapid transition to targeted exploitation points to a high level of coordination between the botnet operators and Storm-0940.
Meanwhile, CovertNetwork-1658 employs a more restrained approach, with a small number of login attempts distributed across multiple accounts at a targeted organization. In roughly 80% of cases, activity is limited to a single sign-in attempt per account each day.
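The low-and-slow pattern described above lends itself to a simple detection: many distinct accounts failing from one source while each account sees roughly one attempt per day. The following is an added example (not from the article, Microsoft, or the researchers it cites) that runs that check over constructed sign-in events; the event tuple format, the thresholds (five accounts, 80% single-attempt share) and the IP addresses are assumptions.

```python
"""Low-and-slow password-spray detector run over constructed sign-in logs.
Added example, not from the original article. Log format and thresholds
are assumptions."""
from collections import defaultdict

# Constructed sample events: (day, source_ip, account, outcome)
SAMPLE_EVENTS = [
    ("2024-09-01", "203.0.113.7", "alice@example.test", "fail"),
    ("2024-09-01", "203.0.113.7", "bob@example.test", "fail"),
    ("2024-09-01", "203.0.113.7", "carol@example.test", "fail"),
    ("2024-09-01", "203.0.113.7", "dave@example.test", "fail"),
    ("2024-09-01", "203.0.113.7", "erin@example.test", "fail"),
    ("2024-09-02", "203.0.113.7", "alice@example.test", "fail"),
    ("2024-09-02", "203.0.113.7", "frank@example.test", "success"),
    # A user mistyping twice and then succeeding: not a spray
    ("2024-09-01", "198.51.100.9", "alice@example.test", "fail"),
    ("2024-09-01", "198.51.100.9", "alice@example.test", "fail"),
    ("2024-09-01", "198.51.100.9", "alice@example.test", "success"),
]

def detect_spray(events, min_accounts=5, min_single_share=0.8):
    """Flag source IPs whose failed sign-ins spread across at least
    min_accounts distinct accounts while at least min_single_share of
    the (account, day) pairs saw exactly one failure, i.e. the
    one-attempt-per-account-per-day pattern. Any success from such an
    IP is reported as a possible compromised credential."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> (acct, day) -> n
    successes = defaultdict(set)                    # ip -> accounts
    for day, ip, account, outcome in events:
        if outcome == "fail":
            fails[ip][(account, day)] += 1
        elif outcome == "success":
            successes[ip].add(account)
    findings = {}
    for ip, per_pair in fails.items():
        accounts = {acct for acct, _ in per_pair}
        if len(accounts) < min_accounts:
            continue  # too few targets to look like a spray
        share = sum(1 for n in per_pair.values() if n == 1) / len(per_pair)
        if share < min_single_share:
            continue  # noisy brute force, not the low-and-slow pattern
        findings[ip] = {
            "accounts_targeted": len(accounts),
            "single_attempt_share": round(share, 2),
            "possible_compromise": sorted(successes[ip]),
        }
    return findings

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
```

Because the real botnet rotates through thousands of source addresses, a production version would key on the target tenant or sign-in error code rather than on a single IP, which is why the per-source view here is only the starting point.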
Thousands of Devices Compromised by Quad7
An estimated 8,000 compromised devices are believed to be active within the network at any given moment, with only about 20% of these devices participating in password-spraying attacks.
Experts have observed a significant decline in the botnet infrastructure following its public exposure, suggesting that threat actors may be seeking new infrastructure with altered fingerprints to avoid detection.
Utilizing the CovertNetwork-1658 infrastructure enables any threat actor to launch password-spraying campaigns on a much larger scale, significantly enhancing the chances of successfully compromising credentials and gaining initial access to numerous organizations in a short period.
This extensive reach, coupled with the rapid turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, raises the risk of account compromises across various sectors and regions.
Experts who noted the slowdown in botnet activity report that traffic analysis still shows Quad7 remains operational. However, it's essential to recognize that this marked decrease in compromised routers reflects only the breaches that are visible. There is a possibility that Quad7 operators have developed methods to compromise devices discreetly and avoid detection.