Microsoft has uncovered a significant cyber threat involving a Chinese botnet known as Quad7. The botnet is reportedly targeting organizations worldwide with sophisticated password spray attacks.
This botnet, operated by a group identified as Storm-0940, aims to breach networks and steal credentials, paving the way for further intrusive and potentially disruptive cyber activities.
According to Microsoft, this campaign’s main objective appears to be espionage, as the targets include high-value entities such as think tanks, government bodies, NGOs, law firms, and defense industries.
Strategic and stealthy infiltrations
Storm-0940’s method of attack is calculated and hard to detect. Through a sub-group known as CovertNetwork-1658, the botnet makes only a handful of login attempts against accounts within a target organization, keeping its activity under the radar.
Microsoft’s report indicates that in around 80 percent of cases, CovertNetwork-1658 makes only a single login attempt per account daily, a strategy designed to evade traditional security monitoring systems.
Once the attackers manage to breach an account, the follow-up is swift. Microsoft revealed that, in some cases, further compromises were initiated on the same day the password was successfully guessed. After gaining access, the attackers’ initial actions include extracting additional credentials and deploying remote access tools (RATs) and proxies to maintain their foothold within the network.
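The one-attempt-per-account pattern described above defeats per-account lockout thresholds, so detection has to look across accounts per day rather than per account. The following is an added example (not code from Microsoft's report) that runs that logic over constructed sign-in records; the log format, thresholds and the heuristic that a source IP which later succeeds for the same account is the user's own device are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records (not from the report):
# "timestamp source_ip account result", one line per attempt.
SAMPLE_LOG = """\
2024-10-01T02:14:05Z 203.0.113.10 alice@example.org FAIL
2024-10-01T03:40:11Z 198.51.100.7 bob@example.org FAIL
2024-10-01T05:02:39Z 192.0.2.44 carol@example.org FAIL
2024-10-01T07:55:20Z 203.0.113.88 dave@example.org FAIL
2024-10-01T09:31:02Z 198.51.100.23 erin@example.org FAIL
2024-10-01T11:12:47Z 192.0.2.9 frank@example.org FAIL
2024-10-01T08:00:00Z 10.0.0.5 alice@example.org FAIL
2024-10-01T08:00:30Z 10.0.0.5 alice@example.org SUCCESS
2024-10-02T01:10:10Z 203.0.113.10 grace@example.org FAIL
2024-10-02T12:00:00Z 10.0.0.6 bob@example.org SUCCESS
"""

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events

def detect_low_and_slow_spray(events, min_accounts=5, max_failures=1):
    """One alert per UTC day on which at least min_accounts distinct accounts
    each saw between 1 and max_failures failed sign-ins from 'foreign' IPs
    (IPs that never succeeded for that account on that day). Counting
    tenant-wide, not per source IP, matters because a SOHO-router botnet
    spreads its single guesses across many unrelated addresses."""
    failures = defaultdict(lambda: defaultdict(list))  # day -> account -> [ips]
    successes = defaultdict(set)                       # day -> {(account, ip)}
    for ts, ip, account, result in events:
        day = ts.date().isoformat()
        if result == "FAIL":
            failures[day][account].append(ip)
        elif result == "SUCCESS":
            successes[day].add((account, ip))
    alerts = []
    for day, per_account in sorted(failures.items()):
        suspicious = {}
        for acct, ips in per_account.items():
            foreign = [ip for ip in ips if (acct, ip) not in successes[day]]
            if 1 <= len(foreign) <= max_failures:
                suspicious[acct] = foreign
        if len(suspicious) >= min_accounts:
            alerts.append({"day": day, "accounts": sorted(suspicious),
                           "source_ips": sorted({ip for v in suspicious.values() for ip in v})})
    return alerts

if __name__ == "__main__":
    for alert in detect_low_and_slow_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

Alice's own typo from 10.0.0.5 is discounted because that IP succeeded for her shortly after, so her single foreign failure still counts toward the spray on 2024-10-01.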
Expanding target surface and malware clusters
Quad7 is a familiar threat. It gained significant attention in September 2024 when it began exhibiting new features and expanding its range of targets. Initially spotted by a researcher known as Gi7w0rm and analyzed by Sekoia experts, the botnet was first seen focusing on TP-Link routers.
However, it rapidly evolved to target other devices, such as ASUS routers, and later expanded further to compromise Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers.
The attackers have developed tailored malware to breach these devices, creating distinct clusters of infections for different targets. Each cluster is identified by a device-specific variant of the name ‘login’; the cluster built for Ruckus devices, for instance, carries its own such name, as do the clusters for the other device families. The scale of these clusters varies significantly, with some encompassing thousands of infected devices while others involve as few as two.
Broader implications and security concerns
The discovery of Quad7’s expanded operations underlines the growing complexity of global cyber threats. Using SOHO (small office/home office) routers as entry points suggests a tactical shift, with attackers exploiting weaker endpoints to bypass traditional enterprise security defenses. Storm-0940 and its affiliates demonstrate an advanced level of sophistication by customizing their malware and keeping their login attempts covert.
Microsoft’s findings emphasize the importance of robust security measures and continuous monitoring for organizations worldwide.
While Quad7’s reach and impact continue to grow, cybersecurity experts urge organizations to strengthen their defenses, particularly in protecting routers and network endpoints that could serve as gateways for such attacks.