Quad7 Botnet: A Stealth Network for Credential Theft and Router Exploitation

Tags: Quad7 Botnet, Router Exploitation, Botnet, 7777, Endpoint Protection
The Quad7 botnet is a covert network targeting routers to steal credentials and spread malware, leveraging the distinctive "7777" signature as its mark. By exploiting weakly configured routers, it maintains a persistent presence in networks, evading detection while siphoning sensitive data. This campaign highlights the critical need for strengthened network security, especially around router defenses, to counteract the risks posed by this adaptive and stealthy botnet.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1003 - OS Credential Dumping


ID | Data Source | Data Component | Detects

DS0026 | Active Directory | Active Directory Object Access

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [31] [32] [33] Note: domain controllers may not log replication requests originating from the default domain controller account. [34] Monitor for replication requests [35] from IPs not associated with known domain controllers. [21]

Analytic 1 - Suspicious Replication Requests

sourcetype=WinEventLog:Security EventCode="4662" AND AccessMask= "0x100" AND (guid= "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" OR guid= "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" OR guid= "9923a32a-3607-11d2-b9be-0000f87a36b2" OR guid= "89e95b76-444d-4c62-991a-0facbeda640c")
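The analytic above keys on event 4662 with the control-access mask and the four replication-right GUIDs. The following is an added example, not code from the page or from any vendor: it applies the same test to constructed 4662 records, then separates requests made by known domain controller machine accounts (expected replication) from requests made by anything else (DCSync candidates). The record layout and the account list are assumptions.

```python
import re

# Control-access rights a DCSync request needs; the four GUIDs from the analytic above.
REPLICATION_GUIDS = {
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "control access" on an AD object
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real telemetry), flattened to key=value form.
SAMPLE_EVENTS = [
    'EventCode=4662 SubjectUserName=DC01$ AccessMask=0x100 '
    'Properties="%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventCode=4662 SubjectUserName=jdoe AccessMask=0x100 '
    'Properties="%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventCode=4662 SubjectUserName=jdoe AccessMask=0x20 '
    'Properties="%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"',
    'EventCode=4624 SubjectUserName=jdoe',
]

def parse_event(line):
    """Turn one 'Key=Value Key="quoted value"' record into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_replication_request(ev):
    """True when a 4662 event exercises a replication control-access right."""
    if ev.get("EventCode") != "4662":
        return False
    try:
        mask = int(ev.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    if not mask & CONTROL_ACCESS:
        return False
    props = ev.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)

def triage(lines, known_dc_accounts):
    """Return (subject, rights, verdict) per replication request. Requests from
    accounts outside the known DC machine accounts are the DCSync candidates."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not is_replication_request(ev):
            continue
        props = ev["Properties"].lower()
        rights = ",".join(n for g, n in REPLICATION_GUIDS.items() if g in props)
        verdict = "expected" if ev.get("SubjectUserName") in known_dc_accounts else "suspicious"
        hits.append((ev.get("SubjectUserName", "?"), rights, verdict))
    return hits
```

Feed the function with the DC machine accounts from your directory; a match from a user account, or from a host that is not a domain controller, is the finding the analytic is after.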

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may attempt to dump credentials using tools like Mimikatz, ProcDump, NTDSUtil, or accessing /proc, /etc/passwd, and /etc/shadow.

Analytic 1 - Suspicious command execution involving credential dumping tools.

(index=security sourcetype="WinEventLog:Security" EventCode=4688 Image IN ("mimikatz.exe", "procdump.exe", "ntdsutil.exe", "powershell.exe") CommandLine IN ("Invoke-Mimikatz", "Invoke-CachedCredentials", "Invoke-LSADump", "Invoke-SAMDump")) OR (index=security sourcetype="linux_secure" Command IN ("cat /etc/passwd", "cat /etc/shadow", "grep -E '^[0-9a-f-]* r' /proc/*/maps")) OR (index=security sourcetype="macOS:UnifiedLog" process IN ("cat", "grep") message IN ("/etc/passwd", "/etc/shadow", "/var/db/shadow/hash/*", "/private/etc/master.passwd"))

DS0022 | File | File Access

Monitor file accesses that may indicate attempts to dump credential data from various storage locations such as LSASS memory, SAM, NTDS.dit, LSA secrets, cached domain credentials, proc filesystem, /etc/passwd, and /etc/shadow.

Analytic 1 - Unauthorized access to credential storage files.

(index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("\config\SAM", "\ntds.dit", "\policy\secrets", "\cache")) OR (index=security sourcetype="auditd" (key="path" (value IN ("/etc/passwd", "/etc/shadow")) OR key="proctitle" value IN ("cat", "strings", "grep", "awk", "cut", "sed", "sort", "uniq", "head", "tail", "less", "more"))) OR (index=security sourcetype="macOS:UnifiedLog" (process IN ("cat", "grep", "awk", "cut", "sed", "sort", "uniq", "head", "tail", "less", "more") OR message IN ("/etc/passwd", "/etc/shadow", "/var/db/shadow/hash/*", "/private/etc/master.passwd")))

DS0022 | File | File Creation

Monitor for the unexpected creation of memory dump files for processes that may contain credentials.

Analytic 1 - Unexpected memory dump file creation.

(index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("lsass.dmp", "\config\SAM", "\ntds.dit", "\policy\secrets", "\cache")) OR (index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow"))) OR (index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/*", "/private/etc/master.passwd"))

DS0029 | Network Traffic | Network Traffic Content

Monitor for network protocols [31] [36] and other replication requests [35] from IPs not associated with known domain controllers. [21]

Analytic 1 - Anomalous network traffic content related to credential managers

index=network sourcetype="stream:tcp" dest_port=389 NOT [| inputlookup known_dc_ip_addresses | fields ip] | eval SourceIP = src_ip, DestinationIP = dest_ip, Protocol = proto | search (content="LDAPSearchRequest") OR (content="LDAPModifyRequest") OR (content="bindRequest") OR (content="searchResEntry") OR (content="NTDS.dit")

DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Analytic 1 - Unusual network communication patterns.

index=network sourcetype="stream:tcp" dest_port=389 NOT [| inputlookup known_dc_ip_addresses | fields ip]

DS0009 | Process | OS API Execution

Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.

DS0009 | Process | Process Access

Monitor for unexpected processes interacting with lsass.exe.[37] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Linux

To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.

Analytic 1 - Unauthorized access to credential managers.

(index=security sourcetype="WinEventLog:Security" EventCode=10 TargetImage="lsass.exe" SourceImage IN ("mimikatz.exe", "procdump.exe")) OR (index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow")) (key="cmdline" value IN ("mimikatz", "procdump"))) OR (index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/*", "/private/etc/master.passwd") process IN ("mimikatz", "procdump"))

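The Linux note above describes using auditd to watch opens of /proc/<pid>/maps and to report the pid, process name and arguments of the opener. The following is an added example, not code from the page or from the auditd project: it correlates the SYSCALL, PATH and PROCTITLE records that share one audit event serial, decodes the hex-encoded proctitle back into argv, and keeps only events where a process opened another process's maps file. The sample records and the rule key name proc_maps are assumptions.

```python
import re
from collections import defaultdict
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MAPS_RE = re.compile(r"^/proc/(\d+|self)/maps$")
# Constructed auditd records (not real telemetry); assumes a watch rule tagged key="proc_maps".
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:900): arch=c000003e syscall=257 success=yes exit=3 '
    'ppid=1000 pid=4242 auid=1000 uid=0 comm="dumper" exe="/usr/local/bin/dumper" key="proc_maps"',
    'type=PATH msg=audit(1700000000.101:900): item=0 name="/proc/1337/maps" nametype=NORMAL',
    'type=PROCTITLE msg=audit(1700000000.101:900): proctitle=64756D706572002D700031333337',
    'type=SYSCALL msg=audit(1700000000.202:901): arch=c000003e syscall=257 success=yes exit=4 '
    'ppid=1 pid=2000 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="proc_maps"',
    'type=PATH msg=audit(1700000000.202:901): item=0 name="/proc/self/maps" nametype=NORMAL',
    'type=PROCTITLE msg=audit(1700000000.202:901): proctitle="/usr/sbin/sshd"',
]

def parse_record(line):
    """Split one auditd line into (event serial, record type, fields)."""
    m = SERIAL_RE.search(line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return (m.group(1) if m else None), fields.get("type"), fields

def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains NUL separators; decode to argv."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")
    except ValueError:
        return [value]  # already a plain quoted string

def find_maps_reads(lines):
    """One finding per audit event that successfully opened another process's maps file."""
    events = defaultdict(lambda: {"paths": []})
    for line in lines:
        serial, rtype, fields = parse_record(line)
        if rtype == "PATH":
            events[serial]["paths"].append(fields.get("name", ""))
        elif rtype:
            events[serial][rtype] = fields
    findings = []
    for serial, ev in events.items():
        sc = ev.get("SYSCALL")
        if not sc or sc.get("success") != "yes":
            continue
        for path in ev["paths"]:
            m = MAPS_RE.match(path)
            if not m or m.group(1) in ("self", sc.get("pid")):
                continue  # a process reading its own maps is routine
            findings.append({"serial": serial, "pid": sc.get("pid"), "comm": sc.get("comm"),
                             "exe": sc.get("exe"), "target_pid": m.group(1),
                             "argv": decode_proctitle(ev.get("PROCTITLE", {}).get("proctitle", ""))})
    return findings
```

A directory watch on /proc cannot cover the per-process maps files, so in practice the rule is a syscall rule on open/openat filtered on the path; the correlation logic above is the same either way.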
DS0009 | Process | Process Creation

Monitor for newly executed processes that may be indicative of credential dumping.

Analytic 1 - Unexpected process creation related to credential dumping.

(index=security sourcetype="WinEventLog:Security" EventCode=4688 Image="procdump.exe" CommandLine IN (" -ma lsass")) OR (index=security sourcetype="linux_secure" (key="cmdline" value IN ("procdump -ma /proc/$(pgrep lsass)")) (key="exe" value="procdump")) OR (index=security sourcetype="macOS:UnifiedLog" process="procdump" command=" -ma /proc/$(pgrep lsass)")

DS0024 | Windows Registry | Windows Registry Key Access

Monitor for the SAM registry key being accessed that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.

Analytic 1 - Unauthorized registry access to SAM key.

index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\SAM" | where ProcessName IN ("mimikatz.exe", "procdump.exe", "reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe")


T1090 - Proxy


ID | Data Source | Data Component | Detects

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in the use of files that do not normally initiate connections for the respective protocols).

DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1219 - Remote Access Software


ID | Data Source | Data Component | Detects

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in the use of files that do not normally initiate connections for the respective protocols).

DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 | Process | Process Creation

Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior to reduce false positives where this type of software is used by legitimate users and administrators. Domain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install this remote software on compromised systems, so it may be possible to detect or prevent its installation with host-based solutions.


T1041 - Exfiltration Over C2 Channel


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution

Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.

DS0022 | File | File Access

Monitor for suspicious files (e.g. .pdf, .docx, .jpg) viewed in isolation that may indicate data being staged for exfiltration over an existing command and control channel.

DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation.

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g. monitor anomalies in the use of files that do not normally initiate connections for the respective protocols).

DS0029 | Network Traffic | Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Observed Countries: 250