Chinese threat actors use Quad7 botnet in password-spray attacks

Microsoft warns Chinese threat actors are using the Quad7 botnet to carry out password-spray attacks and steal credentials.

Chinese threat actors use the Quad7 botnet in password-spray attacks to steal credentials, Microsoft warns.

Quad7 botnet, also known as CovertNetwork-1658 or xlogin, was first spotted in the summer of 2023 by security researcher Gi7w0rm.

In September 2024, the Sekoia TDR team reported it had identified additional implants associated with the Quad7 botnet operation. The botnet operators are targeting multiple SOHO devices and VPN appliances, including TP-LINK, Zyxel, Asus, D-Link, and Netgear, exploiting both known and previously unknown vulnerabilities.

The operators maintain the botnet to launch distributed brute-force attacks on VPNs, Telnet, SSH, and Microsoft 365 accounts.

Recently Sekoia published a new report on the Quad7 botnet (aka 7777 botnet, xlogin botnet) following the discovery of several staging servers, leading the experts to discover new targets, implants and botnet clusters associated with this threat actor. 

The experts identified five distinct login clusters (alogin, xlogin, axlogin, rlogin, and zylogin) associated with these botnet operators. Some of these clusters specifically target Axentra media servers, Ruckus wireless routers and Zyxel VPN appliances.

The Quad7 botnet is primarily composed of compromised TP-Link routers, with open ports for administration and proxy purposes. These routers are used to relay brute-force attacks on Microsoft 365 accounts. Similar botnets, like alogin and rlogin, target other devices, including Asus routers (alogin) and Ruckus Wireless devices (rlogin), each with distinct open ports for administration and proxy functions. The experts noticed that while alogin and xlogin have thousands of compromised devices, rlogin has only 213. Other variants like axlogin and zylogin target Axentra NAS and Zyxel VPNs respectively, but they are smaller and less observed.

Microsoft now states that Chinese threat actors, including Storm-0940, are using credentials obtained from CovertNetwork-1658 via password-spray attacks. Active since 2021, Storm-0940 gains access through password spraying, brute-force attacks, and exploiting network edge services, targeting sectors like government, law, defense, and NGOs in North America and Europe. Microsoft has notified affected customers and shared details on CovertNetwork-1658, Storm-0940 tactics, and recommended mitigations to help secure affected environments.

“Microsoft assesses that a threat actor located in China established and maintains this network. The threat actor exploits a vulnerability in the routers to gain remote code execution capability. We continue to investigate the specific exploit by which this threat actor compromises these routers.” reads the report published by Microsoft. “Microsoft assesses that multiple Chinese threat actors use the credentials acquired from CovertNetwork-1658 password spray operations to perform computer network exploitation (CNE) activities.”

Microsoft noticed that password spray campaigns that were carried out through CovertNetwork-1658 infrastructure submitted a very small number of sign-in attempts to many accounts at a target organization. In the majority of the campaigns, about 80 percent, CovertNetwork-1658 makes only one sign-in attempt per account per day.

Quad7 botnet

CovertNetwork-1658 is challenging to track due to its use of compromised SOHO IPs, a rotating pool of thousands of IP addresses (with nodes active for around 90 days), and low-volume password sprays, which avoid typical detection based on multiple failed sign-ins.

“Microsoft assesses that CovertNetwork-1658 has not stopped operations as indicated in recent activity but is likely acquiring new infrastructure with modified fingerprints from what has been publicly disclosed. An observed increase in recent activity may be early evidence supporting this assessment.” continues the report.

Quad7 botnet

Once attackers gained access to a victim’s environment, Storm-0940 has been observed using scanning and credential dumping tools for lateral movement, accessing network devices to install proxy tools and RATs for persistence, and attempting data exfiltration.

“Organizations can defend against password spraying by building credential hygiene and hardening cloud identities.” concludes Microsoft.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Quad7 botnet)